Exclude a string from DCC hashing ?

Vernon Schryver vjs@calcite.rhyolite.com
Fri Nov 28 22:24:00 UTC 2008


> From: neil <neil@supanet.net.uk>

>    Is there a way to exclude a string from being included in DCC hashing ?

no, but as far as I understand description of the problem, excluding
strings from the checksums would not be useful.


> We add a footer to webmail, then DCC on other boxes as part of 
> spamassassin, but I think it is registering as a hit as the footer is 
> constant.
> I want to just test the body as we do get some hijacked accounts 
> spamming, but the majority or our web mail traffic is person to person 
> and not bulk.
>
> I have had a read of whiteclnt and seen the testmsg-whitelist, but that 
> does not do what I want. Is there a way to make a checksum of our footer 
> and exclude just that?
> I could have exim add the footer after spam scanning I suppose.  We have 
> to add the footer at management insistence, so I cant just remove it at 
> source :-)
>
> Apologies in advance if this has been asked or answered before I
> did a quick search of the list and FAQ but couldn't find anything.

The checksum of two different messages both with the same fixed footer
or other string appended are practically certain to differ if the
checksums of the original messages differ.  The odds of the checksums
of the modified messages being the same are on the order of 1 in 10 to
38th power.  There is a vastly larger danger that your computers will
suffer undetected data errors in RAM or on buses and so compute wrong
and equal checksums.

Exactly what problem needs solving?  

If you have found that tiny messages consisting of nothing, "yes",
"no," "test," etc. and with your footer are being detected as bulk,
then a local equivalent to testmsg-whitelist is the solution.

All copies of z message consisting of "test" and your footer are identical
and so "bulk."  There is no way that the DCC client code can know that
such small but not tiny messages should be ignored unless you say so
with white list entries.  As far as the DCC client code can tell, the
copies of "test" and your footter might be small advertisements for
herbal viagra.

The solution is to look add the hex checksums for such messages to
your /var/dcc/whiteclnt file.  You can get the checksums from log
files in /var/dcc/log.  Look for a line like the following in the
log file a test message that should be ignore:

	 Fuz2: 67bcbe1f 0ddf6c3b c2da2ec2 6bd3e844       0

Then add a line like this to /var/dcc/whiteclnt

ok hex Fuz2 67bcbe1f 0ddf6c3b c2da2ec2 6bd3e844 


You will need to ensure that /var/dcc/whiteclnt is being used by
dccproc or dccifd.  If you are using dccifd, you probably need not
do anything.  If you are using dccproc, you should enable and
use dccifd instead.  If you must use dccproc, tell SpamAssassin to
run dccproc with -w/var/dcc/whiteclnt (or wherever you put your whiteclnt
file).


Vernon Schryver    vjs@rhyolite.com



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.