On Fri, 12 Oct 2007, Gary Mills wrote:
I see from a recent announcement that Yahoo and Ebay/Paypal are now supporting DKIM for e-mail domain authentication. Their stated purpose is to block e-mail sent to Yahoo users with forged Ebay or Paypal e-mail addresses. This implies that Yahoo will be blocking e-mail that has these forged addresses. In particular, Paypal phishing attempts have been very efficient in fooling users lately. I'm looking for a way to block those forgeries too, and still allow legitimate e-mail from those addresses to get through.
No...Because yahoo will be *signing* outbound emails, so that other people may flag emails from (and ostensibly not from) the yahoo official servers, this does not imply that they themselves will be using lack of such a signature to detect a forgery on their own end.
With DKIM, there will be three categories of e-mail that purport to have paypal.com senders. The first will have a DKIM signature that passes validation. The second will have one that fails validation. The third will not have the signature. I'd expect to treat the last two categories in the same way, assuming that Paypal have their DKIM signatures and keys set up correctly.
This would depend greatly on the Sender Signing Policy -- right now, the "policy" part of DKIM is still in draft status. The only bit that's an official RFC is the part that says HOW headers and messages are signed.
How should DCC treat such e-mail? This depends on the reputation of the e-mail domain owner with regard to spam. A company who's users are employees would be seen differently than an e-mail provider who's users are customers, because they have much less control over customers than over employees. Companies that specialize in spam would also need a unique reputation.
I don't think DCC should, at all.
For companies with strict reputations with regard to spam, I'd like to be able to whitelist the first category of e-mail. This setting would always allow legitimate e-mail to get through. For organizations with lesser reputations, I'd like to blacklist messages in the last two categories, but allow users to whitelist messages in the first category. DCC would need a mechanism to specify a different DKIM-based treatment for each e-mail domain name. Is such a thing possible with DCC?
This seems to be outside the purpose of DCC (although I invite VJS to contradict me on this). You might want to look at an appropriate plugin for your MTA -- the sendmail milter is incredibly useful, and authored by one of the people spearheading the standard.
http://sourceforge.net/projects/dkim-milter/ -Dan Mahoney -- "Hitler, Satan, those Hanson kids, anything. Just not the curious anteater." -Peter Scolari, as Wayne Szalinki in "Honey, I Shrunk The Kids--The Series" --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- _______________________________________________ DCC mailing list [email protected] http://www.rhyolite.com/mailman/listinfo/dcc
