Exclude a string from DCC hashing ?

neil neil@supanet.net.uk
Mon Dec 1 08:36:52 UTC 2008


Hi;
Vernon Schryver wrote:
<snip>

>The checksum of two different messages both with the same fixed footer
>or other string appended are practically certain to differ if the
>checksums of the original messages differ.  The odds of the checksums
>of the modified messages being the same are on the order of 1 in 10 to
>38th power.

<snip>

Cheers for that.
I wasn't aware of how fuzzy the fuzzy matching was, especially on short 
messages,  so I put 2+2 together and made 5.

Some times I need the clue stick for things to sink in ;-)


Rgds
Neil




Vernon Schryver wrote:
>> From: neil <neil@supanet.net.uk>
>>     
>
>   
>>    Is there a way to exclude a string from being included in DCC hashing ?
>>     
>
> no, but as far as I understand description of the problem, excluding
> strings from the checksums would not be useful.
>
>
>   
>> We add a footer to webmail, then DCC on other boxes as part of 
>> spamassassin, but I think it is registering as a hit as the footer is 
>> constant.
>> I want to just test the body as we do get some hijacked accounts 
>> spamming, but the majority or our web mail traffic is person to person 
>> and not bulk.
>>
>> I have had a read of whiteclnt and seen the testmsg-whitelist, but that 
>> does not do what I want. Is there a way to make a checksum of our footer 
>> and exclude just that?
>> I could have exim add the footer after spam scanning I suppose.  We have 
>> to add the footer at management insistence, so I cant just remove it at 
>> source :-)
>>
>> Apologies in advance if this has been asked or answered before I
>> did a quick search of the list and FAQ but couldn't find anything.
>>     
>
> The checksum of two different messages both with the same fixed footer
> or other string appended are practically certain to differ if the
> checksums of the original messages differ.  The odds of the checksums
> of the modified messages being the same are on the order of 1 in 10 to
> 38th power.  There is a vastly larger danger that your computers will
> suffer undetected data errors in RAM or on buses and so compute wrong
> and equal checksums.
>
> Exactly what problem needs solving?  
>
> If you have found that tiny messages consisting of nothing, "yes",
> "no," "test," etc. and with your footer are being detected as bulk,
> then a local equivalent to testmsg-whitelist is the solution.
>
> All copies of z message consisting of "test" and your footer are identical
> and so "bulk."  There is no way that the DCC client code can know that
> such small but not tiny messages should be ignored unless you say so
> with white list entries.  As far as the DCC client code can tell, the
> copies of "test" and your footter might be small advertisements for
> herbal viagra.
>
> The solution is to look add the hex checksums for such messages to
> your /var/dcc/whiteclnt file.  You can get the checksums from log
> files in /var/dcc/log.  Look for a line like the following in the
> log file a test message that should be ignore:
>
> 	 Fuz2: 67bcbe1f 0ddf6c3b c2da2ec2 6bd3e844       0
>
> Then add a line like this to /var/dcc/whiteclnt
>
> ok hex Fuz2 67bcbe1f 0ddf6c3b c2da2ec2 6bd3e844 
>
>
> You will need to ensure that /var/dcc/whiteclnt is being used by
> dccproc or dccifd.  If you are using dccifd, you probably need not
> do anything.  If you are using dccproc, you should enable and
> use dccifd instead.  If you must use dccproc, tell SpamAssassin to
> run dccproc with -w/var/dcc/whiteclnt (or wherever you put your whiteclnt
> file).
>
>
> Vernon Schryver    vjs@rhyolite.com
> _______________________________________________
> DCC mailing list      DCC@rhyolite.com
> http://www.rhyolite.com/mailman/listinfo/dcc
>   




More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.