DKIM becomes more official

Vernon Schryver vjs@calcite.rhyolite.com
Fri Oct 26 00:18:15 UTC 2007


> From: Gary Mills 


> I finally got a message from a DKIM-enabled site for a test.  Sendmail
> seems to be ignoring me.  I must have outworn my welcome.  I had to
> get a Gmail user to send me a message.  I also tried fastmail.fm, but
> they don't use any sort of domain authentication.

I see less than no sense for most free mail providers authenticating
mail from their own SMTP clients (mail senders), which might be why
most of the major free providers still don't.  Authentication would
encourage the recipients of mail from free provider users to reject
mail that does not come from the free provider's systems, which would
be a disservice for their many users who send mail from their home or
work PCs but with return addresses pointing to free provider mailboxes.
Forcing free provider users to send mail only from the free provider's
systems would also increase the bandwidth and processing costs of the
free provider.

Yes, the sender authentication FUSSP playbook would have you believe
that the only free provider users who don't send from free provider
systems are spammers, but that's a lie along with the other lie that
all spam pointing to free provider mailboxes is forged for some or any
honest definition of "forged."


> Yes, the headers appear for dccm.  In fact, the added one is the
> first one in the list. 

I'm amazed by that good news...well, I hope it's good news, because
there are cases where not giving a milter exactly what came off the wire
would be a Very Bad Thing(tm).

> There is indeed a checksum:

>   substitute authentication: 28484ba1 a006ad50 68a14e04 3605c390

Then I think you're all set.


> > Could those individual entries in whiteclnt file(s) serve as your
> > "spam reputation database"?
>
> Yes, they could.  I know that the administrator can whitelist messages
> that way.  Is there a way for the administrator to blacklist that
> header but whitelist the envelope sender, for example?  I don't know
> that I'd really want to do that, but it might be useful for sites
> that have a reputation for spam.

Yes.   Whitelisting overrides blacklisting, and whatever is in a
per-user whiteclnt file overrides whatever is in the global
/var/dcc/whiteclnt file.



> What I meant was that RBL listing seems to ensure that messages are
> rejected.  Here's an example from a log:
>
>   SMTP envelope sender DNSBL hit 120.159.23.207.xbl.dnsbl
>   DCC-->spam  DNSBL-->spam  dccm  global

> I don't understand the connection.  Do counts work for the new
> authentication header?  I assume they don't for RBL listings.

Which "count" are those?  
The thresholds for the Body, Fuz1, Fuz2 body checksums are unrelated
to the thresholds for the other checksums.

And again, whitelisting overrides blacklisting,
and individual whiteclnt files override the global file.
In the current code, individual users make individual choices for
thresholds for each of the checksums, whether to enable greylisting
or DNS blacklist checks, whether the MTA's answer (e.g. sendmail access_DB)
is considered before or after everything else, and so on.  The demo
of the proof of concept CGI scripts is supposed to show what I mean at
https://cgi-demo:cgi-demo@www.rhyolite.com/DCC-demo-cgi-bin

> For e-mail from a bank that used DKIM, for example, I might want to
> whitelist authenticated messages and reject everything else that
> purported to come from them.  Otherwise, unique phishing messages
> might get through to our users.  Is this possible now?

I think so.


Vernon Schryver    vjs@rhyolite.com


