Experience with DKIM signatures and DCC

Vernon Schryver vjs@calcite.rhyolite.com
Sat Mar 29 18:42:57 UTC 2008

> From: Gary Mills <mills@cc.umanitoba.ca>

> We are using Spamhaus' XBL, and are happy to pay for it.  

Since you are already using the XBL, I think you should switch to
Spamhaus' ZEN unless you are checking the XBL via dccm, dccproc, or
dccifd.  Even if you are using `dccm -B`, you should enable ZEN checks
on SMTP clients and on MX servers for SMTP envelope domains with something
like this in /var/dcc/dcc_conf:
DNSBL_ARGS="'-Bset:rej-msg=5.7.1 550 %ID %BT http://www.spamhaus.org/query/bl?ip=%BIP' -Bsbl-xbl.spamhaus.org -Bset:no-NS -Bzen.spamhaus.org"

That is because ZEN/PBL includes IP addresses of legitimate DNS servers
and so should not be used for the default dccm, dccproc, or dccifd DNSBL
checks on NS records.

> What I'm
> looking for now is something that rates domain names by reputation.
> Spamhaus was working on such a database, but I haven't heard anything
> about that for some time.  My main concern is to stop the phishing
> messages that rely on forged sender addresses.

An anti-phishing domain name reputation service is a hard problem,
because the bad guys continually create floods of new names and work
hard to cover their tracks.  Listing bad domains soon enough to help
or even before the bad guys have abandoned them would be hard.  The bad
guys also vary ("fast flux") the IP addresses of their SMTP clients,
HTTP servers, and even leaf DNS servers, but they are generally constrained
to IP addresses listed in Spamhaus' ZEN/PBL and they cannot change their
IP addresses in the gTLDs as quickly.  I see lots of hits by the dccm
checks of NS records.  Body checks of URLs (including NS RRs) are also
quite effective.

Vernon Schryver    vjs@rhyolite.com
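Added worked example, not part of the message above and not DCC's own code: it models in plain Python the distinction the reply draws between a ZEN check on an SMTP client (any listing, PBL included, is grounds to reject) and a ZEN check on a domain's NS records (a PBL hit must be ignored, because ZEN/PBL contains legitimate DNS servers). The query-name construction and the 127.0.0.x answer codes are those Spamhaus documents for zen.spamhaus.org; the 192.0.2.x addresses, their answers, and the function names are constructed for the example and no DNS is performed.

```python
"""ZEN DNSBL query construction and role-dependent policy (added example)."""
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"
QUERY_URL = "http://www.spamhaus.org/query/bl?ip="   # lookup page used in the dcc_conf rej-msg

# Spamhaus documents which ZEN component produced each 127.0.0.x answer.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",    # CSS, published as part of SBL
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Reverse the IPv4 octets and append the DNSBL zone, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)            # ValueError on anything that is not an IPv4 address
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def is_zen_error(answer):
    """Spamhaus signals refused or rate-limited queries with 127.255.255.x, not a listing."""
    return answer.startswith("127.255.255.")


def classify_zen(answers):
    """Map the A records returned for a ZEN query to the set of components that listed the IP.

    Unknown answers are treated as errors rather than listings, so a blocked or
    misrouted query cannot silently turn into 'reject everything'.
    """
    lists = set()
    for a in answers:
        if is_zen_error(a) or a not in ZEN_CODES:
            raise ValueError("unexpected ZEN answer %s (blocked query or open resolver?)" % a)
        lists.add(ZEN_CODES[a])
    return lists


# Constructed answers keyed by query name; a missing key plays the role of NXDOMAIN.
CONSTRUCTED_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.11"],                 # PBL only: dynamic/end-user space
    dnsbl_query_name("192.0.2.20"): ["127.0.0.4", "127.0.0.10"],    # XBL (compromised host) and PBL
    dnsbl_query_name("192.0.2.30"): ["127.0.0.2"],                  # SBL
}


def check(ip, role, resolver=CONSTRUCTED_ANSWERS.get):
    """Return an SMTP rejection text if the IP should be rejected in this role, else None.

    role == "client": the connecting SMTP client; every ZEN component counts.
    role == "ns":     a name server of the sender's domain; PBL is disregarded,
                      since legitimate DNS servers can sit in PBL-listed space.
    """
    answers = resolver(dnsbl_query_name(ip)) or []
    listed = classify_zen(answers)
    if role == "client":
        effective = listed
    elif role == "ns":
        effective = listed - {"PBL"}
    else:
        raise ValueError("unknown role %r" % role)
    if not effective:
        return None
    # Standard reply form (code then enhanced status); the dccm %-template is not reproduced here.
    return "550 5.7.1 %s listed by %s; see %s%s" % (ip, "/".join(sorted(effective)), QUERY_URL, ip)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        for role in ("client", "ns"):
            print("%-12s %-6s %s" % (ip, role, check(ip, role) or "accept"))
```

The same `check` body with a real resolver plugged into `resolver` (any callable returning the A records for the query name, or None on NXDOMAIN) gives the behaviour the reply describes for `dccm -B`: ZEN on SMTP clients, but with `-Bset:no-NS` so that PBL entries never cause a domain's name servers to be counted against it.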

