(no subject)

Leandro Santi lesanti@uolsinectis.com.ar
Fri Mar 21 03:42:39 UTC 2003


Vernon Schryver wrote:

> > dcc2>> dccproc -QC </tmp/spam/mail6
> > X-DCC-UOLCC-Metrics: jeeves 1112; Body=3 Fuz1=3 Fuz2=45
>
> > ...
> >                      Fuz2: 5f03f09e fdf33dc4 df92c369 ccd7d3e8      45
>
> How is that a false negative?  A target count of 45 of looks like "bulk"
> to me.

Yes, I agree. But feedback from some testers taught me that single
fuz2 count isn't enough evidence to declare it as spam for isp-like
filtering. I mean: its OK for me, but I found quite a number of people
that received false positives with this detection threslold (ie high fuz2
count only).

So we decided to give users a chance to adjust the filters' selectivity
(one of which is the DCC). And my current setup is "so so" right now.
Thats why it passed as a false negative.

Maybe the new (1.1.20) fuz2 algorithm has changed all this, I don't review
this since 1.1.11.


> > Strangely, dcc1.sinectis.com.ar is reporting it as "many",
>
> > ...
> >                      Fuz2: 5f03f09e fdf33dc4 df92c369 ccd7d3e8    many
> >
> > These DCC servers flood against each other, but this particular report
> > isn't being flooded. I tried to trace the problem using dblist,
>
> > ...
> > I'd expect dcc2 to get this spam report via the 1115->1116->1107->1111
> > chain. Is this OK? Any ideas?
>
> The flooding machinery has mechanisms to reduce useless traffic,
> including reports of checksums that are already known to be bulky.
> Some of those mechanisms only slow down extra reports.
>
> It seems a day has passed.    Is that FUZ2 checksum now known to be a
> "many" everywhere?  (Not necessarily in the first report found by
> `dblist -C` but the last one).

Yes, I think. But a lot of time (more than 10 hrs) has passed until dcc2
got it as "many" (and I think it was because of a different, 2 hop report
originated from ID 1107 instead of the original one flooded with more than
three hops). Is this normal?

dcc2>> /var/dcc/libexec/dblist -C 'Fuz2 5f03f09e fdf33dc4 df92c369 ccd7d3e8'
03/18/03 13:07:12.063104    1        1112       delayed       4c44894
  Body         1          b405d50f 5ee9d0c1 f9e35fc3 159dfeab          360c68
  Fuz1         1          66e088eb cba277a7 694cd036 5f4ece86          2de6f2
  Fuz2         1          5f03f09e fdf33dc4 df92c369 ccd7d3e8          204825
....
03/20/03 04:02:59.725600    1        1112       delayed       940dcd0
  Body         1          93221f7c 70eb3891 a116a43f e4f09a0e          3b0e5b
  Fuz1         1          d670c01d cdb2df98 481db466 c6ae5ee3          73ddf
 *Fuz2         66         5f03f09e fdf33dc4 df92c369 ccd7d3e8          204825
03/20/03 04:25:31.890464    many     1107                     94a8938
     path: 1111<-
  Body         many       8a991348 977b371e 6ebc0a10 784aaf96          3baeda
  Fuz1         many       ec4ca4c3 b74422ca 15afd10c 798541fb          222e8e
  Fuz2         many       5f03f09e fdf33dc4 df92c369 ccd7d3e8  940dcd0 204825
...
03/20/03 23:28:52.119632    1        1112       delayed       cb27868
  Body         1          c88724fc c3669c6f af40b089 2a72420c          24a24c
  Fuz1         1          94841604 1660afcb 8a80fbc7 683e717e          61132
 *Fuz2         many       5f03f09e fdf33dc4 df92c369 ccd7d3e8  cae7578 204825


Thanks,
Leandro





More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.