dccifd vs greylisting

Vernon Schryver vjs@calcite.rhyolite.com
Sun Dec 21 07:18:54 UTC 2003


> From: "John R Levine" <johnl@iecc.com>

> ...
> Oh, I see, I forgot to add it to the map.  I added a suitable line to
> map.txt and reloaded and now it's much happier.

It might be good to add "-l log" to how you start dccifd if you don't
use start-dccifd, probably via rcDCC.


> ...
> How come it needs the whole message to greylist?  I thought it just used
> the IP and envelope addresses.

First note that `dccifd -G` does more than greylisting.  It computes
all of the checksums and checks the local whitelist.  If that allows,
it checks the greylist server.  Finally it checks the normal DCC
server.  It's good to reject spam even if the embargo has not expired.

Greylisting uses the triple {sender, sender IP address, and target}
and eventually whitelists that triple.  My scheme actually uses
the MD5 checksum of the DCC MD5 checksums of those three values.
The three checksums are conveniently available and fixed length.
It's a lot quicker in dccd to do one hash table probe to ask "what is
the count for MD5(S,I,T)" than three hash table probes to ask
"what is the count of messages with MD5(S), MD5(I), and MD5(T)".

To prevent some spammer games, the DCC greylisting watches the simple
Body checksum during the embargo.  In Evan Harris's described system,
a spammer could send messages with different hash busting strings and
get through the embargo.

Then there is the MD5 checksum of the sender, target, and body checksums
that I use to detect retransmissions of the same message from different
SMTP clients.  This is handy for reporting the body checksums of the
message to the normal DCC network when they first appear and before
the message is delivered.  It would be bad to report a single legitimate
message to the DCC network 10 times because AOL retransmitted it from
10 different SMTP clients.  On the other hand, it is good to count 100
copies to different targets before even the first is delivered and so
reject all 100 when (and if) they are retransmitted by the spammer.

All of the other standard DCC checksums are sent to the greylist
server in case you want to use server-side whitelisting.  I think
client-side DCC whitelisting is better, but that's partly only
recently true with large CIDR block entries in client whitelists.

Sending all of the checksums costs nothing significant in bandwidth.


Vernon Schryver    vjs@rhyolite.com
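An added worked model of the keys described in the message above: the triple key MD5(S,I,T) that costs one hash-table probe, the body checksum watched during the embargo so hash-busting retries do not count as retransmissions, and the retransmission key over {sender, target, body} that keeps a single message from being reported to the DCC network once per delivering SMTP client. This is illustration code written for this page, not code from dccifd or dccd. It assumes plain MD5 as a stand-in for the DCC checksums, a 270 second embargo, a threshold of 50 targets as the "bulk" count on a simulated DCC server, and that a differing body during the embargo restarts the embargo; none of those details are taken from the post.

```python
"""Toy model of the dccifd -G greylisting keys (illustration only)."""
import hashlib
from dataclasses import dataclass

EMBARGO_SECS = 270     # assumed embargo length; not stated in the post
BULK_THRESHOLD = 50    # assumed "bulk" count for the simulated DCC server


def dcc_sum(value: bytes) -> bytes:
    """Stand-in for a DCC MD5 checksum: plain MD5 of the value."""
    return hashlib.md5(value).digest()


def triple_key(sender: bytes, ip: bytes, target: bytes) -> bytes:
    """MD5 of the three checksums {sender, sender IP, target}: one fixed-length
    key, so the greylist server needs a single hash-table probe per lookup."""
    return dcc_sum(dcc_sum(sender) + dcc_sum(ip) + dcc_sum(target))


def retrans_key(sender: bytes, target: bytes, body_sum: bytes) -> bytes:
    """MD5 over the sender, target and body checksums: identifies one message
    no matter which SMTP client retransmits it."""
    return dcc_sum(dcc_sum(sender) + dcc_sum(target) + body_sum)


@dataclass
class Embargo:
    first_seen: float
    body_sum: bytes
    passed: bool = False


class Greylist:
    def __init__(self) -> None:
        self.triples: dict[bytes, Embargo] = {}
        self.seen_retrans: set[bytes] = set()
        self.body_counts: dict[bytes, int] = {}   # simulated DCC server counts

    def report_body(self, sender: bytes, target: bytes, body_sum: bytes) -> bool:
        """Report the body checksum to the simulated DCC network once per
        retransmission key.  Returns True only when a report was actually sent."""
        rk = retrans_key(sender, target, body_sum)
        if rk in self.seen_retrans:
            return False
        self.seen_retrans.add(rk)
        self.body_counts[body_sum] = self.body_counts.get(body_sum, 0) + 1
        return True

    def greylist(self, sender: bytes, ip: bytes, target: bytes,
                 body_sum: bytes, now: float) -> str:
        tk = triple_key(sender, ip, target)
        e = self.triples.get(tk)
        if e is None:
            self.triples[tk] = Embargo(now, body_sum)
            return "embargo"
        if e.passed:
            return "pass"
        if e.body_sum != body_sum:
            # Different body during the embargo (a hash-busting retry) is not a
            # retransmission of the embargoed message: start the embargo over.
            self.triples[tk] = Embargo(now, body_sum)
            return "embargo"
        if now - e.first_seen < EMBARGO_SECS:
            return "embargo"
        e.passed = True          # triple is now whitelisted
        return "pass"

    def check(self, sender: bytes, ip: bytes, target: bytes,
              body: bytes, now: float) -> tuple[str, bool]:
        body_sum = dcc_sum(body)
        reported = self.report_body(sender, target, body_sum)
        verdict = self.greylist(sender, ip, target, body_sum, now)
        # The DCC count is consulted last but overrides the embargo: bulk mail
        # is rejected even before its embargo has expired (assumed ordering).
        if self.body_counts.get(body_sum, 0) >= BULK_THRESHOLD:
            verdict = "reject"
        return verdict, reported


def demo() -> dict:
    """Constructed scenarios; all addresses and bodies are made up."""
    g = Greylist()
    out = {}
    # 1. One legitimate message retransmitted from 10 different SMTP clients:
    #    10 embargoes, but the body checksum is reported to DCC only once.
    reports = 0
    for i in range(10):
        _, r = g.check(b"alice@example.com", f"10.0.0.{i}".encode(),
                       b"bob@example.net", b"hello bob", now=0)
        reports += r
    out["aol_reports"] = reports
    # 2. The same client retries with the same body after the embargo: passes.
    out["legit_retry"], _ = g.check(b"alice@example.com", b"10.0.0.0",
                                    b"bob@example.net", b"hello bob",
                                    now=EMBARGO_SECS + 1)
    # 3. Hash-busting: same triple retries with a different body: still embargoed.
    g.check(b"spam@example.com", b"192.0.2.7", b"carol@example.net", b"buy now 1", now=0)
    out["hash_bust"], _ = g.check(b"spam@example.com", b"192.0.2.7",
                                  b"carol@example.net", b"buy now 2",
                                  now=EMBARGO_SECS + 1)
    # 4. 60 copies of one body to 60 targets: counted before any is delivered,
    #    so copies past the threshold, and every later retransmission, are rejected.
    verdicts = [g.check(b"spam@example.com", b"192.0.2.9",
                        f"user{i}@example.org".encode(), b"cheap pills", now=0)[0]
                for i in range(60)]
    out["bulk_first_reject"] = verdicts.index("reject")
    out["bulk_retry"], _ = g.check(b"spam@example.com", b"192.0.2.9",
                                   b"user0@example.org", b"cheap pills",
                                   now=EMBARGO_SECS + 1)
    return out
```

Run `demo()` to see the four scenarios; in the first, ten different sender IPs produce ten separate triple keys but a single retransmission key, which is exactly why the body checksum is reported once rather than ten times.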


