false positives

Jeff Mincy mincy@rcn.com
Thu Oct 20 17:41:46 UTC 2005


On Thu, 20 Oct 2005, vjs@calcite.rhyolite.com wrote:

>> From: "Dan Mahoney, System Admin" 
> 
>> If people flag those things as spam and report them, then they will score.
>>
>> At least, that's my thinking.
> 
> Not exactly.  As Sven Willenberger wrote, the DCC detects bulk mail.
> You must add a local whitelist to distinguish solicited bulk mail
> (e.g. legitimate newsletters) from spam or unsolicited bulk mail.
> 
> Mailing lists are bulk mail and should be detected as bulk.  Most
> legitimate bulk mail should not have target counts of millions, but
> it could.  The DCC "MANY" value is in fact any target greater than or
> equal to 16,777,200.  If you are seeing legitimate bulk mail with
> target counts of "MANY," it is probably because someone has miswired
> a system to report all incoming mail with the bloated counts common
> to spam traps.

The easiest installation and use of DCC through SpamAssassin will
wind up reporting newsletters and having newsletters tagged by DCC.
By simple I mean installing DCC with no extra setup and enabling DCC
in the SpamAssassin user_prefs.

> All of this is why I keep saying (despite zillions of people who seem
> to disagree) that the right way to use the DCC is with per-user
> whitelists.  Whitelists let individual users enforce their individual
> notions of which bulk mail is solicited.  For example, Microsoft has
> sent me unsolicited bulk mail.  That it is spam for me should have no
> bearing on whether it is spam for you.

It is not spam if you signed up with the company to receive the
newsletter or specials (etc) and if you can control the email from
the company.

I agree that users have to have local whitelists and should maintain
the whitelist, but I also think that the default DCC whitelist should
come with more whitelist entries for well known and reasonable newsletters.

It would be easier if there were more similarity between different
whitelists.  For example, could the whitelist_from_rcvd syntax used
for SpamAssassin be read by dcc, e.g.:
  whitelist_from_rcvd BJs_MemberServices@bjs.chtah.com cheetahmail.com
This would allow a common whitelist file to be included by both.

> There is an odd second order effect.  Bulk mail that is popularly
> whitelisted at DCC clients tends to not be recognized as bulky as
> it is.  This is because the checksums of whitelisted messages are
> not reported to DCC servers.

Is that a problem?  It might be kind of interesting to know how many
other people have seen the same whitelisted message.  The DCC count
with the threshold is being used as a binary (a message is either
known to be bulk or it is not known to be bulk) - and the usual use of
DCC is to equate Bulk with Spam.  Three or four values might be more
useful: message is whitelisted bulk (either dcc default or user),
other bulk or not bulk.

-jeff
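
The two suggestions in the message above (one whitelist file in whitelist_from_rcvd syntax, and a verdict with more than two values), sketched as an added example that is not part of the original post and is not DCC or SpamAssassin code. The layout of the metrics string, the `BULK_THRESHOLD` value and the relay host names are assumptions constructed for illustration; the MANY value and the whitelist line come from the thread.

```python
import fnmatch
import re

MANY = 16_777_200       # value of "MANY" as stated in the thread
BULK_THRESHOLD = 50     # hypothetical local threshold, not from the thread

# The whitelist line quoted in the message, as a shared file's contents.
SHARED_WHITELIST = """
# newsletters this user signed up for
whitelist_from_rcvd BJs_MemberServices@bjs.chtah.com cheetahmail.com
"""

def parse_whitelist(text):
    """Return (address_glob, relay_domain) pairs from whitelist_from_rcvd lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] == "whitelist_from_rcvd":
            entries.append((fields[1].lower(), fields[2].lower()))
    return entries

def is_whitelisted(entries, sender, relay_rdns):
    """Sender must match the glob AND the relay's rDNS must be in the domain."""
    sender, relay_rdns = sender.lower(), relay_rdns.lower().rstrip(".")
    for glob, domain in entries:
        # Match on a label boundary so "evilcheetahmail.com" does not pass.
        relay_ok = relay_rdns == domain or relay_rdns.endswith("." + domain)
        if relay_ok and fnmatch.fnmatchcase(sender, glob):
            return True
    return False

def parse_counts(metrics):
    """Parse 'Body=many Fuz1=3' style counts (constructed layout)."""
    counts = {}
    for name, value in re.findall(r"(\w+)=(many|\d+)", metrics, re.I):
        counts[name] = MANY if value.lower() == "many" else int(value)
    return counts

def classify(entries, sender, relay_rdns, metrics):
    """Three-valued verdict: 'not bulk', 'whitelisted bulk' or 'other bulk'."""
    if not any(c >= BULK_THRESHOLD for c in parse_counts(metrics).values()):
        return "not bulk"
    if is_whitelisted(entries, sender, relay_rdns):
        return "whitelisted bulk"
    return "other bulk"

ENTRIES = parse_whitelist(SHARED_WHITELIST)
```

Tying the whitelist match to the relay's reverse DNS as well as the sender address means a message that merely forges the newsletter's From address still lands in "other bulk".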


