[ SPAM ] Re: Good starting numbers for spamassassins dcc

Vernon Schryver vjs@calcite.rhyolite.com
Sat May 2 16:54:13 UTC 2009


> From: Michał Grzędzicki <lazy@iq.pl>


> DCC.pm checks for X-DCC: bulk only if it has been added upstream,

I think it is good to run DCC checks during the original SMTP transaction.
The best way is to let the MTA reject spam during the transaction.
Even if one cannot do that, dccifd or dccm can add X-DCC headers when
run as part of sendmail, postfix, or other MTAs.


> Are fuz1 and fuz2 computed from same parts of email, e.g. sender,
> subject, X-Client + body, or does fuz2 take more headers? Then very
> similar spams can have same body hash, same fuz1 but different fuz2
> because fuz2 takes into account X-Client header which differs in these 2
> spams, or maybe they take same subset of email, header + body, but use
> different fuzzing algorithm (like omitting whitespaces, ignoring case etc.
> to ignore minor differences in spams)

All three DCC checksums, body, fuz1, and fuz2, are computed on only
the message body starting after the blank line that ends the SMTP headers.
The fuzziness of the fuz1 and fuz2 checksums differs.
I will not say how they differ, although it is not a secret for anyone
willing to read the source.

> If they use same subset of headers + body there's no point in
> differentiating thresholds for fuz1 and fuz2, and if fuz2 inputs more
> data it should have smaller threshold than fuz1.

I think the thresholds for the checksums should be the same.

Except for tiny messages and certain other cases, all three DCC
checksums are computed on message bodies.
However, only reports of bulky checksums are flooded, so your DCC
server is more likely to receive reports of fuzzy checksums than
simple "body" checksums.


Vernon Schryver    vjs@rhyolite.com


