DKIM becomes more official

Gary Mills mills@cc.umanitoba.ca
Sun Oct 28 14:31:27 UTC 2007


On Fri, Oct 26, 2007 at 12:18:15AM +0000, Vernon Schryver wrote:
> > From: Gary Mills 
> 
> > I finally got a message from a DKIM-enabled site for a test.  Sendmail
> > seems to be ignoring me.  I must have outworn my welcome.  I had to
> > get a Gmail user to send me a message.  I also tried fastmail.fm, but
> > they don't use any sort of domain authentication.
> 
> Yes, the sender authentication FUSSP play book would have you believe
> that the only free provider users who don't send from free provider
> systems are spammers, but that's a lie along with the other lie that
> all spam pointing to free provider mailboxes is forged for some or any
> honest definition of "forged."

Curiously, in my test from gmail.com, the envelope sender and the
`Sender' were gmail.com addresses, but the `From' was a local address.
Gmail.com used DKIM to authenticate all of those headers.  I assume
that means that they can't be forged.  The local sendmail milter
validated the DKIM signature.  So, replies go to the local address.
We provide forwarding facilities for those.

> > Yes, the headers appear for dccm.  In fact, the added one is the
> > first one in the list. 
> 
> I'm amazed by that good news...well, I hope it's good news, because
> there are cases where not giving a milter exactly what came off the wire
> would be a Very Bad Thing(tm).
> 
> > There is indeed a checksum:
> 
> >   substitute authentication: 28484ba1 a006ad50 68a14e04 3605c390
> 
> Then I think you're all set.

I think so.  I'm still thinking about spam reputations for e-mail
domains, and how to handle the e-mail with dccm.  In the case of a
bank, which never sends spam and has tight control over all of its
e-mail senders, I'd like to whitelist all e-mail from their domain
that passes validation, and reject everything else.  That would
eliminate the phishing messages that are so pervasive now.  The other
extreme would be an organization that specializes in spam and uses
DKIM signatures for their e-mail.  In that case, I'd like to reject
all of their e-mail, validated or not.  That seems way too easy.  Why
would such a company admit to sending spam and also use DKIM
signatures?  Cases occupying the middle ground would constitute the
majority of e-mail.  The rules get more complicated there.

> > What I meant was that RBL listing seems to ensure that messages are
> > rejected.  Here's an example from a log:
> >
> >   SMTP envelope sender DNSBL hit 120.159.23.207.xbl.dnsbl
> >   DCC-->spam  DNSBL-->spam  dccm  global
> 
> > I don't understand the connection.  Do counts work for the new
> > authentication header?  I assume they don't for RBL listings.
> 
> Which "count" are those?  
> The thresholds for the Body, Fuz1, Fuz2 body checksums are unrelated
> to the thresholds for the other checksums.

I'm assuming that there's a count accompanying each checksum, so that
whenever the count reaches the threshold, 100 in my case, the message
is rejected.  But there's no count associated with RBL listing.  How
is rejection determined in that case?

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
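
Added example, not part of the original message and not DCC code: a sketch of the per-domain policy described above (whitelist a bank's validated mail and reject the rest, reject a spam source whether validated or not, leave the middle ground to normal filtering). It assumes the verifying milter records its result in an Authentication-Results header of the RFC 8601 form; the host name, the policy table and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.campus.example"   # assumed id of our own verifying milter
POLICY = {                               # constructed per-domain reputation table
    "bank.example": "strict",    # signs all its mail: anything unsigned is rejected
    "bulk.example": "blocked",   # spam source: rejected whether validated or not
}
DKIM_RE = re.compile(r"\bdkim=(\w+)\b[^;]*?\bheader\.d=([\w.-]+)", re.I)

def passing_domains(msg):
    """Signing domains with dkim=pass, taken only from our own milter's header."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue             # header supplied by the sender: ignore it
        for result, domain in DKIM_RE.findall(results):
            if result.lower() == "pass":
                found.add(domain.lower())
    return found

def decide(raw):
    """Return 'whitelist', 'reject' or 'content-filter' for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signed = passing_domains(msg)
    if any(POLICY.get(d) == "blocked" for d in signed | {from_domain}):
        return "reject"
    if POLICY.get(from_domain) == "strict":
        # A pass only helps if the signer is the domain shown in From.
        return "whitelist" if from_domain in signed else "reject"
    return "content-filter"      # middle ground: leave it to the usual checks

def sample(auth, sender):
    """Build a constructed test message."""
    return f"Authentication-Results: {auth}\nFrom: {sender}\n\nbody\n"

SAMPLES = {
    "bank, signed": sample("mx.campus.example; dkim=pass header.d=bank.example", "alerts@bank.example"),
    "bank, forged": sample("mx.evil.example; dkim=pass header.d=bank.example", "alerts@bank.example"),
    "bulk, signed": sample("mx.campus.example; dkim=pass header.d=bulk.example", "offers@bulk.example"),
    "gmail relay":  sample("mx.campus.example; dkim=pass header.d=gmail.com", "user@campus.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {decide(raw)}")
```

The "gmail relay" sample mirrors the test described in the message: the signature validates for gmail.com while the From address is in another domain, so the pass contributes nothing to a policy keyed on the From domain.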


