whitelisting mailing lists with dccproc

Vernon Schryver vjs@calcite.rhyolite.com
Tue Sep 11 14:24:35 UTC 2001


> From: "Brian J. Murrell" <dcc-list@interlinx.bc.ca>

> On Tue, Sep 11, 2001 at 01:04:38PM +0100, Nicholas Piper wrote:
> > 
> > If I know I'm going to ignore the result I don't bother passing it
> > through dccproc anymore.
>
> Thanks for sharing your spam.  DCC only works if everybody submits
> their spam for "counting".  It doesn't matter if *you* know it's spam
> and therefore don't *need* to have DCC tell you that it is.  How about
> contributing the spam to DCC for the rest of the community?

I understood the comment about ignoring dccproc results to concern
white-listed mail.  The DCC clients do not send the checksums of
locally white-list mail to the DCC server.  I think that is a necessary
privacy feature, since it keeps the checksums of mail that you know
is otherwise entirely private from getting outside your network.

> ...
> > Ah. From reading about the whitelisting feature in the documentation I
> > was given the impression it was best to *not* report checksums of
> > solicited bulk mail (I probably thought this because it mentions it
> > can be used as a "privacy" tool; to not even realise the checksums of
> > my private and known-to-be-ok mail).
>
> IMHO I don't think so.  I think everything should be sent through DCC.
> What if you just happen to be the one or two people that opted into a
> marketing list that is also being populated by address scraping?
> Whitelisting should not be used to suppress DCC counting but should be
> used to suppress DCC-metric-checking (if you know you want it).

That makes sense for mail that has been on the public Internet and
has come from some other outfit in another privacy or security domain.
Such mail is vulnerable to bad guys with packet sniffers and so not
very private.

Mail that never leaves your network or even your computer is different.
Not only might you know that it's not spam, but you might not want to
let bad guys snoop on it.  Imagine asking a DCC server about checksums
for the From value "bgates@microsoft.com" and then about the Subject
line "screw netscape".  With the current DCC protocol there is no way
to ask for the count of reports of messages with both checksums, Even
so, I think the privacy issues are worth considering.

And that reminds me...I should figure a way to make dccm automatically
white-list mail that came via SMTP+TLS, probably by looking at the default
milter macros.


Vernon Schryver    vjs@rhyolite.com



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.