local vs. global counts for checksums

Matus UHLAR - fantomas uhlar@fantomas.sk
Mon Mar 21 18:47:05 UTC 2011

> > From: Matus UHLAR - fantomas <uhlar@fantomas.sk>
> > To: dcc@rhyolite.com
> > since many phishing attacks targeted on our company in the near past, and
> > resulting spam outbreaks of which we are a victim for some time, I would
> > like to know if we can have some database of checksums that appeared locally
> > (at our servers) for a MANY times, where MANY would be different number than
> > global MANY.

On 21.03.11 14:57, Vernon Schryver wrote:
> Why would you need 2 different MANY numbers?

because I found mail that appeared 1000 times on our servers much more
suspect than mail that appeared 1000 times in the whole world, while
only 5 times on our servers. The same can apply for Slovakia etc...

Or is there something I don't understand correctly about DCC?

> Why not share the
> checksums of phishing attacks targeting your company with the world?

Of course, but the difference above is what I'm interested in.


> Whether you need to buy a license for commercial use of DCC is
> unrelated to whether you run your own DCC servers.  Some organizations
> have commercial DCC licenses but do not run DCC servers.  Other
> organizations run private DCC servers using the free DCC version.
> You need a commercial license if you sell anti-spam appliances or
> services, or if you do not share your checksums.

that's it :)

> > While I don't have problems running commercial DCC, this would also require
> > double checking for checksums in both MTA and SpamAssassin, which I found a
> > bit hard to implement, unless some (commercial?) version implements it.
> >
> > Any recommendations about this problem?

> The best way to use DCC is during the original SMTP transaction,
> and so in the MTA.

Reporting in the MTA, checking in the spam filter is what I want to achieve

> I think it would be easy to configure Postfix or sendmail to consult 2
> sets of DCC servers.  With Postfix, use two dccifd daemons as before-queue
> filters.  With sendmail, add two Xdcc lines differing in DCC home
> directories.
> If you must apply DCC checks after the SMTP transaction, I think
> it would be straightforward to hack a copy of the SpamAssassin
> DCC.pm to use a second set of parameters and so consult a second
> dccifd daemon.  The second module would be called something like DCC2.pm.
> I'd probably write a sed recipe to generate DCC2.pm from DCC.pm from
> apache.org or the misc directory in DCC source to ease handling updates.

well, I'll go this way if I don't find a better one.
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
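
The local-versus-global MANY idea discussed in this message, as an added example that is not part of the original post: it parses the X-DCC metrics headers that two DCC client daemons (one asking public servers, one asking private ones) could add to a message and applies a separate threshold to each. The brand names GLOBAL and LOCAL, the host, the server-IDs and the thresholds are assumptions made for illustration.

```python
import re

# Constructed sample: headers two DCC client daemons might add to one message.
# Brand names (GLOBAL, LOCAL), host and server-IDs are made up for illustration.
SAMPLE = (
    "X-DCC-GLOBAL-Metrics: mx1.example.sk 1234; bulk Body=1000 Fuz1=1000 Fuz2=many\n"
    "X-DCC-LOCAL-Metrics: mx1.example.sk 32701; Body=5 Fuz1=5 Fuz2=7\n"
)

MANY = float("inf")  # DCC reports "many" once a count passes its ceiling
HEADER_RE = re.compile(r"^X-DCC-(.+)-Metrics:\s*\S+\s+\d+;\s*(.*)$", re.IGNORECASE)


def parse_dcc_headers(text):
    """Return {BRAND: {checksum_name: count}} from unfolded X-DCC header lines."""
    result = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        counts = {}
        for token in m.group(2).split():
            name, sep, value = token.partition("=")
            if not sep:
                continue  # flags such as "bulk" carry no count
            if value.lower() == "many":
                counts[name] = MANY
            elif value.isdigit():
                counts[name] = int(value)
            # other values (e.g. whitelist markers) are ignored here
        result[m.group(1).upper()] = counts
    return result


def over_threshold(text, thresholds):
    """Per brand: does any checksum count reach that brand's own MANY?"""
    parsed = parse_dcc_headers(text)
    return {
        brand: any(c >= limit for c in parsed.get(brand, {}).values())
        for brand, limit in thresholds.items()
    }


if __name__ == "__main__":
    # Assumed policy: 1000 reports worldwide, but only 100 on our own servers.
    print(over_threshold(SAMPLE, {"GLOBAL": 1000, "LOCAL": 100}))
```

A brand whose header is missing (for example because that daemon timed out) is reported as not over threshold, so a scoring rule built on this should treat the two results independently.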

