many vs. false negatives

Vernon Schryver vjs@calcite.rhyolite.com
Fri Mar 21 04:44:01 UTC 2003


> From: Leandro Santi <lesanti@uolsinectis.com.ar>

> ...
> > How is that a false negative?  A target count of 45 looks like "bulk"
> > to me.
>
> Yes, I agree. But feedback from some testers taught me that single
> fuz2 count isn't enough evidence to declare it as spam for isp-like
> filtering. I mean: it's OK for me, but I found quite a number of people
> that received false positives with this detection threshold (i.e. high fuz2
> count only).
>
> So we decided to give users a chance to adjust the filters' selectivity
> (one of which is the DCC). And my current setup is "so so" right now.
> That's why it passed as a false negative.
>
> Maybe the new (1.1.20) fuz2 algorithm has changed all this, I haven't
> reviewed this since 1.1.11.

My position is that even "many" is too low as a rejection threshold
unless a good local whitelist is in use.  The changes to the FUZ2 algorithm
should increase the counts of bad mail.  However, if a count of 45 is not 
"bulk," then "many" should probably also not be "bulk."

> ...
> > > I'd expect dcc2 to get this spam report via the 1115->1116->1107->1111
> > > chain. Is this OK? Any ideas?
> >
> > The flooding machinery has mechanisms to reduce useless traffic,
> > including reports of checksums that are already known to be bulky.
> > Some of those mechanisms only slow down extra reports.
> >
> > It seems a day has passed.    Is that FUZ2 checksum now known to be a
> > "many" everywhere?  (Not necessarily in the first report found by
> > `dblist -C` but the last one).
>
> Yes, I think. But a lot of time (more than 10 hrs) has passed until dcc2
> got it as "many" (and I think it was because of a different, 2 hop report
> originated from ID 1107 instead of the original one flooded with more than
> three hops). Is this normal?

I'm not sure.  I thought that only counts of "many" get compressed
and so suppress other reports.  I'm travelling now, and so cannot 
easily check the source.


Vernon Schryver    vjs@rhyolite.com


