I see from a recent announcement that Yahoo and Ebay/Paypal are now supporting DKIM for e-mail domain authentication. Their stated purpose is to block e-mail sent to Yahoo users with forged Ebay or Paypal e-mail addresses. This implies that Yahoo will be blocking e-mail that has these forged addresses. In particular, Paypal phishing attempts have been very efficient in fooling users lately. I'm looking for a way to block those forgeries too, and still allow legitimate e-mail from those addresses to get through.
With DKIM, there will be three categories of e-mail that purport to have paypal.com senders. The first will have a DKIM signature that passes validation. The second will have one that fails validation. The third will not have the signature. I'd expect to treat the last two categories in the same way, assuming that Paypal have their DKIM signatures and keys set up correctly. How should DCC treat such e-mail? This depends on the reputation of the e-mail domain owner with regard to spam. A company who's users are employees would be seen differently than an e-mail provider who's users are customers, because they have much less control over customers than over employees. Companies that specialize in spam would also need a unique reputation. For companies with strict reputations with regard to spam, I'd like to be able to whitelist the first category of e-mail. This setting would always allow legitimate e-mail to get through. For organizations with lesser reputations, I'd like to blacklist messages in the last two categories, but allow users to whitelist messages in the first category. DCC would need a mechanism to specify a different DKIM-based treatment for each e-mail domain name. Is such a thing possible with DCC? -- -Gary Mills- -Unix Support- -U of M Academic Computing and Networking- _______________________________________________ DCC mailing list [email protected] http://www.rhyolite.com/mailman/listinfo/dcc
