Fuz2 false positive

Vernon Schryver vjs@calcite.rhyolite.com
Sat Apr 19 02:26:53 UTC 2008


> From: "Paul R. Ganci" <ganci@nurdog.com>

> dcc_fuz2_max NUMBER
> **
>     This option sets how often a message's body/fuz1/fuz2 checksum must
>     have been reported to the DCC server before SpamAssassin will
>     consider the DCC check as matched. 
>
>     As nearly all DCC clients are auto-reporting these checksums, you
>     should set this to a relatively high value, e.g. |999999| (this is
>     DCC's MANY count).
>
>     The default is |999999| for all these options.
>
> Since DCC's many count is 999999 then setting this to 1000000 (or 
> higher) should in principle disable the fuz2 check in spamassassin since 
> spamassassin should never get a count higher.

The internal numeric equivalent of the DCC checksum value "MANY" is
*not* 999999.  999999 is merely the number to which SpamAssassin
translates the string "MANY".  The true internal value is almost 17
times larger than 999999.  I'll not say what the value is to forestall
other ill advised translations of "many."  "Many" is simply the largest
possible value of a DCC checksum count.  Think of it as like a mathematical
projective infinity or like IEEE 754 floating point +infinity.


To turn off the FUZ2 checksum, try teaching SpamAssassin to look for
the string "bulk" in the X-DCC header instead of any particular number.
(SpamAssassin may already look for "bulk" in X-DCC headers; I've forgotten
and don't feel like looking at the SpamAssassin source yet again.)
Then set your desired threshold by one or more of:
  1. causing SpamAssassin to run dccproc with a suitable -cFUZ2,,X
      where X is a number greater than or equal to 0, the string
      "many", or the string "never."  See the dccproc man page.
  2. causing SpamAssassin to run dccproc with -w whiteclnt and put
      a line like the following to /var/dcc/whiteclnt
        option threshold,FUZ2,X
      See the dcc man page.
  3. using dccifd instead of dccproc and add the line from #2 to
      /var/dcc/whiteclnt
  4. using dccifd instead of dccproc setting DCCM_REJECT_AT or
      DCCIFD_REJECT_AT or adding  -tFUZ2,,X to DCCIFD_ARGS 
      in /var/dcc/dcc_conf  See the dccifd man page.

Unless your mail system receives fewer than several 1000 mail messages
per day, dccifd is a far better choice than dccproc.  However, you might
need to teach SpamAssassin to look for the dccifd socket in a directory
other than /var/dcc if wherever you got the DCC source has moved it.

I cannot imagine a reason to turn off the FUZ2 checksum as opposed to
simply not using DCC.  If the DCC checksums don't fit your needs, then
it seems at best odd to waste the CPU cycles, network bandwidth, and
wall clock time getting the checksums....well, there are special cases
such as using a private DCC database of checksums of IP addresses or
other stigmata for rate-limiting out-going email.


Vernon Schryver    vjs@rhyolite.com




More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.