Vernon Schryver
vjs@calcite.rhyolite.com
Mon, 21 Jan 2002 18:37:45 -0700 (MST)
> From: Michael Ghens <michael@spconnect.com>
> Grrr, places that I and my users do business on (ebay/half.com) do not put
> message-ids into the mail message (thanks to qmail). I am wondering if it
> was possible to keep the message-id check and whitelist ebay.com/half.com
>
> example:
>
> many message-id <>
> ok from half.com
> ok from ebay.com
The second two lines would white-list all mail from either of the
two header lines "From: half.com" or "From: ebay.com".
That sounds unlikely to do much good. On the other hand, if
there are several user@ebay.com that are always in the From header
or envelope Mail_From value, they would be effective.
> Second question, is it possible to whitelist just the domain. Examples and
> man pages suggest that it is a RFC2882 address (user@domain.tld).
No, it is not possible from within a DCC whitelist, but yes, it
is possible with the help of the sendmail access_db.
The DCC is based on checksums. That implies that any sort of regular
expression is impossible. The From and env_From checksums are computed
by stripping a matching set of outer <>'s and then computing the MD5
checksum of the lowercase equivalents of the non-whitespace characters
in the field. That implies that the checksum for user1@ebay.com is
entirely different from the checksum for user2@ebay.com.
There could be a separate From_domain that would strip everything up
to the last '@' (what about '%' and '!'?), but there isn't.
To white-list mail with envelope (not header) Mail_From values from
ebay.com for sendmail with dccm, one could use the same trick as in the
misc/hackmc script but set the ${dcc_notspam} macro instead of ${dcc_isspam}.
You'd probably want to use an access_db string like "DCCOK:" to avoid
conflicts with the "DCC:" string used by hackmc stuff. Please let
me know if more details are desired.
My recommendation is to give up on blacklisting the null or missing
message-ID. It is a very good indicator of bulk mail, but if its
false positive rate is too high, then it's too high.
Vernon Schryver vjs@rhyolite.com
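
The From/env_From checksum normalization described in the message above, as an added Python sketch (not DCC source code and not part of the original message), showing why a whitelist entry for a bare domain cannot match a full address. The function names, the sample addresses, and the trimming of surrounding whitespace before the `<>` check are assumptions; `hypothetical_domain_checksum` models the From_domain idea the message says does not exist, and it ignores `%` and `!` routing.

```python
import hashlib


def _strip_outer_brackets(value: str) -> str:
    """Remove one matching pair of outer <> if present."""
    s = value.strip()  # assumption: surrounding whitespace is ignored first
    if len(s) >= 2 and s[0] == "<" and s[-1] == ">":
        s = s[1:-1]
    return s


def field_checksum(value: str) -> str:
    """MD5 of the lowercased, non-whitespace characters of the field."""
    s = _strip_outer_brackets(value)
    normalized = "".join(s.split()).lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def hypothetical_domain_checksum(value: str) -> str:
    """Hypothetical From_domain: drop everything up to the last '@'."""
    s = _strip_outer_brackets(value)
    return field_checksum(s.rsplit("@", 1)[-1])


def is_whitelisted(value: str, whitelist: set) -> bool:
    """Exact checksum lookup; no pattern or substring matching is possible."""
    return field_checksum(value) in whitelist


# Constructed whitelist equivalent to "ok from half.com" / "ok from ebay.com".
WHITELIST = {field_checksum("half.com"), field_checksum("ebay.com")}

if __name__ == "__main__":
    # Constructed sample values, not taken from real mail.
    for sender in ("<user1@ebay.com>", "User2@eBay.com", "ebay.com"):
        print(f"{sender:20} checksum={field_checksum(sender)} "
              f"whitelisted={is_whitelisted(sender, WHITELIST)}")
    print("domain checksums equal:",
          hypothetical_domain_checksum("<user1@ebay.com>")
          == hypothetical_domain_checksum("User2@eBay.com"))
```
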