Hi Arlo,

> -----Original Message-----
> From: Arlo Gilbert [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, October 22, 2003 8:48 AM
> To: Larry Gilson
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] dcc returns letters not numbers. docs 
> say to limit # 's
> 
> 
> Thanks Larry,
> 
> I do understand that 99999 is what the documentation says, but 
> thank you for clearing up the headers vs config for me.

No, not 99999 (100K),
       999999 (1M)


> I am a bit concerned though, the docs make reference to setting the 
> number very high, but they give us no indication or real 
> understanding of the dcc tests.
> 
> I understand that they are a message checksum count system, but if 
> a message has been seen even say... 1000 times, isn't that a good 
> indicator that it may be bulk if not unsolicited?

And herein lies the problem.  Since the clients are autoresponding, messages
sent 1000 times is an indication of bulkiness.  SA provides an indication of
spaminess - really defined by the threshold provided by the administrator.

My understanding, which could be wrong, is that the higher the count then
the higher the probability that the message can be spam.  But this
implication is inferred when providing a score for it.  DCC will not even
stretch that far.

The DCC doc:
count   is the total number of recipients of messages with that
        check-sum reported directly or indirectly to the DCC server.
        The special count "MANY" means that DCC client have claimed
        that the message is directed at millions of recipients.
        "MANY" implies the message definitely bulk, but not
        necessarily unsolicited.  The special counts "OK" and "OK2"
        mean the checksum has been marked "good" or "half-good" by
        DCC servers.

The first paragraph of the DCC doc:
"The Distributed Checksum Clearinghouse or DCC is a cooperative, distributed
system intended to detect "bulk" mail or mail sent to many people.  It
allows individuals receiving a single mail message to determine that many
other people have received essentially identical copies of the message and
so reject or discard the message.  It can identify some unsolicited bulk
mail using "spam traps" and other detectors, but that is not its focus."


> Does anybody have an in-depth understanding of the dcc tests? 
> Are they even worth using if we apparently have no faith in them? 
> And is a 99999 a little late? Sure if 100k people have seen it we 
> can likely consider it spam, but why 100k? Why not less?

Well again 1M, not 100K.  The above doc snip specifically states that the
focus is not on unsolicited bulk (spam) detection.  So you really have to
know how you want to treat an indication of bulk message.  Whether it is
treated as an indication of spam or not is entirely up to the administrator
with the understanding that the scoring is flavored like any other test (local,
net, with bayes, with bayes+net).

--Larry



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
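The count semantics discussed in this message, as an added example that is not part of the original e-mail or of DCC/SpamAssassin code: it reads the per-checksum counts from an X-DCC metrics header and compares them with a numeric limit, treating "many" as above any limit and "ok"/"ok2" as never bulk. The header layout, the checksum names Body/Fuz1/Fuz2, the helper names and the sample headers are assumptions constructed for illustration.

```python
import re

# Special counts named in the DCC doc quoted above; they appear in place
# of a number, which is why the header can carry letters.
SPECIAL = {"many", "ok", "ok2"}

# Assumed header value layout (not shown in the thread):
#   <client> <server-id>; [bulk] Body=<count> Fuz1=<count> Fuz2=<count>
PAIR = re.compile(r"\b([A-Za-z][\w-]*)=(\w+)")

# Constructed sample header values, not taken from real mail.
SAMPLES = [
    "mail.example.org 1234; bulk Body=many Fuz1=many Fuz2=many",
    "mail.example.org 1234; Body=1 Fuz1=1000 Fuz2=3",
    "mail.example.org 1234; Body=ok Fuz1=1 Fuz2=1",
]

def parse_counts(header_value):
    """Return {checksum_name: int or 'many'/'ok'/'ok2'} for one header value."""
    _, _, metrics = header_value.partition(";")  # drop client and server-id
    counts = {}
    for name, raw in PAIR.findall(metrics):
        token = raw.lower()
        if token in SPECIAL:
            counts[name] = token
        elif token.isdigit():
            counts[name] = int(token)
        # any other token is skipped rather than guessed at
    return counts

def exceeds(count, limit):
    """True when a single checksum count reaches the numeric limit."""
    if count == "many":
        return True    # MANY outranks every numeric limit
    if count in ("ok", "ok2"):
        return False   # marked good / half-good by DCC servers
    return count >= limit

def limits_for(n):
    """Same numeric limit for each assumed checksum name."""
    return {"Body": n, "Fuz1": n, "Fuz2": n}

def is_bulk(header_value, limits):
    """True if any checksum with a configured limit reaches that limit."""
    counts = parse_counts(header_value)
    return any(exceeds(c, limits[n]) for n, c in counts.items() if n in limits)

if __name__ == "__main__":
    for limit in (999999, 1000):  # the 1M setting vs. the 1000 asked about
        print(limit, [is_bulk(s, limits_for(limit)) for s in SAMPLES])
```

With the limit at 999999 only the "many" sample is flagged; lowering it to 1000 also flags the second sample, which is the trade-off the thread is debating.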