local vs. global counts for checksums

Vernon Schryver vjs@calcite.rhyolite.com
Mon Mar 21 14:57:06 UTC 2011


> From: Matus UHLAR - fantomas <uhlar@fantomas.sk>
> To: dcc@rhyolite.com

> since many phishing attacks targeted on our company in the near past, and
> resulting spam outbreaks of which we are a victim for some time, I would
> like to know if we can have some database of checksums that appeared locally
> (at our servers) MANY times, where MANY would be a different number than the
> global MANY.

Why would you need 2 different MANY numbers?  Why not share the
checksums of phishing attacks targeting your company with the world?
Some organizations apply DCC checks on their out-going email.  By
sharing phishing attacks targeting your company, you might stop
some of them at their source and possibly even alert the owners of
the source networks?

> The logical alternative is to run DCC servers only for our company (which
> requires commercial version of DCC), and always query both servers with
> public and private checksum databases.

Whether you need to buy a license for commercial use of DCC is
unrelated to whether you run your own DCC servers.  Some organizations
have commercial DCC licenses but do not run DCC servers.  Other
organizations run private DCC servers using the free DCC version.
You need a commercial license if you sell anti-spam appliances or
services, or if you do not share your checksums.


> While I don't have problems running commercial DCC, this would also require
> double checking for checksums in both MTA and SpamAssassin, which I found a
> bit hard to implement, unless some (commercial?) version implements it.
>
> Any recommendations about this problem?

The best way to use DCC is during the original SMTP transaction,
and so in the MTA.  I think it would be easy to configure Postfix
or sendmail to consult 2 sets of DCC servers.  With Postfix, use
two dccifd daemons as before-queue filters.  With sendmail, add two
Xdcc lines differing in DCC home directories.

If you must apply DCC checks after the SMTP transaction, I think
it would be straightforward to hack a copy of the SpamAssassin
DCC.pm to use a second set of parameters and so consult a second
dccifd daemon.  The second module would be called something like DCC2.pm.
I'd probably write a sed recipe to generate DCC2.pm from DCC.pm from
apache.org or the misc directory in DCC source to ease handling updates.



Vernon Schryver    vjs@rhyolite.com


