> From: Gary Mills
> I finally got a message from a DKIM-enabled site for a test. Sendmail > seems to be ignoring me. I must have outworn my welcome. I had to > get a Gmail user to send me a message. I also tried fastmail.fm, but > they don't use any sort of domain authentication. I see less than no sense for most free mail providers authenticating mail from their own SMTP clients (mail senders), which might be why most of the major free providers still don't. Authentication would encourage the recipients of mail from free provider users to reject mail that does not come from the free provider's systems, which would be a disservice for their many users who send mail from their home or work PCs but with return addresses pointing to free provider mailboxes. Forcing free provider users to send mail only from the free provider's systems would also increase the bandwidth and processing costs of the free provider. Yes, the sender authentication FUSSP play book would have you believe that the only free provider users who don't send from free provider systems are spamemrs, but that's a lie along with the other lie that all spam pointing to free provider mailboxes is forged for some or any honest definition of "forged." > Yes, the headers appear for dccm. In fact, the added one is the > first one in the list. I'm amazed by that good news...well, I hope it's good news, because there are cases where not giving a milter exactly what came off the wire would be a Very Bad Thing(tm). > There is indeed a checksum: > substitute authentication: 28484ba1 a006ad50 68a14e04 3605c390 Then I think you're all set. > > Could those individual entries in whiteclnt file(s) serve as your > > "spam reputation database"? > > Yes, they could. I know that the administrator can whitelist messages > that way. Is there a way for the administrator to blacklist that > header but whitelist the envelope sender, for example? I don't know > that I'd really want to do that, but it might be useful for sites > that have a reputation for spam. Yes. Whitelisting overrides blacklisting, and whatever is in a per-user whiteclnt file overrides whatever is in the global /var/dcc/whiteclnt file. > What I meant was that RBL listing seems to ensure that messages are > rejected. Here's an example from a log: > > SMTP envelope sender DNSBL hit 120.159.23.207.xbl.dnsbl > DCC-->spam DNSBL-->spam dccm global > I don't understand the connection. Do counts work for the new > authentication header? I assume they don't for RBL listings. Which "count" are those? The thresholds for the Body, Fuz1, Fuz2 body checksums are unrelated to the thresholds for the other checksums. And again, whitelisting overrides blacklisting, and individual whiteclnt files override the global file. In the current code, individual users have make individual choices for thresholds for each of the checksums, whether to enable greylisting or DNS blacklist checks, whether the MTA's answer (e.g. sendmail access_DB) is considered before or after everything else, and so on. The demo of the proof of concept CGI scripts is supposed to show what I mean at https://cgi-demo:[EMAIL PROTECTED]/DCC-demo-cgi-bin > For > e-mail from a bank that used DKIM, for example, I might want to > whitelist authenticated messages and reject everything else that > purported to come from them. Otherwise, unique phishing messages > might get through to our users. Is this possible now? I think so. Vernon Schryver [EMAIL PROTECTED] _______________________________________________ DCC mailing list [email protected] http://www.rhyolite.com/mailman/listinfo/dcc
