many vs. false negatives

Vernon Schryver
Fri Mar 21 04:44:01 UTC 2003

> From: Leandro Santi <>

> ...
> > How is that a false negative?  A target count of 45 looks like "bulk"
> > to me.
> Yes, I agree. But feedback from some testers taught me that a single
> fuz2 count isn't enough evidence to declare it as spam for isp-like
> filtering. I mean: it's OK for me, but I found quite a number of people
> that received false positives with this detection threshold (i.e. high fuz2
> count only).
> So we decided to give users a chance to adjust the filters' selectivity
> (one of which is the DCC). And my current setup is "so so" right now.
> That's why it passed as a false negative.
> Maybe the new (1.1.20) fuz2 algorithm has changed all this, I haven't reviewed
> this since 1.1.11.

My position is that even "many" is too low as a rejection threshold
unless a good local whitelist is in use.  The changes to the FUZ2 algorithm
should increase the counts of bad mail.  However, if a count of 45 is not 
"bulk," then "many" should probably also not be "bulk."

> ...
> > > I'd expect dcc2 to get this spam report via the 1115->1116->1107->1111
> > > chain. Is this OK? Any ideas?
> >
> > The flooding machinery has mechanisms to reduce useless traffic,
> > including reports of checksums that are already known to be bulky.
> > Some of those mechanisms only slow down extra reports.
> >
> > It seems a day has passed.    Is that FUZ2 checksum now known to be a
> > "many" everywhere?  (Not necessarily in the first report found by
> > `dblist -C` but the last one).
> Yes, I think. But a lot of time (more than 10 hrs) has passed until dcc2
> got it as "many" (and I think it was because of a different, 2 hop report
> originated from ID 1107 instead of the original one flooded with more than
> three hops). Is this normal?

I'm not sure.  I thought that only counts of "many" get compressed
and so suppress other reports.  I'm travelling now, and so cannot 
easily check the source.

Vernon Schryver
