Re: DKIM

Sat, 06 Nov 2010 09:48:27 -0700 

On 11/6/2010 11:16 AM, Stan Hoeppner wrote:

Noel Jones put forth on 11/6/2010 10:05 AM:

On 11/6/2010 9:04 AM, Wietse Venema wrote:

There's already demand for DNS lookups for header substrings. This
resulted in a header_checks plugin by Sahil, if I recall correctly.

Native support for DNS lookups from header_checks fragments could
look like this:


I think it's premature to design DNS lookups into header checks.
Sahil's header_checks plugin works, but -- at least for me -- blocks
very little additional spam, about 1 per thousand messages received.
I'm not sure it's worth the effort of adding native support.  And of
course Sahil's plugin could be easily modified to pre-load DKIM keys if
that's found to be useful.


In all fairness this is relative.  IIRC cleanup processes header checks
after all other restrictions have run.  Thus checkdbl.pl is run after
all other defensive checks, so it's going to catch little spam, assuming
the rest of your A/S config is decent/aggressive.  Correct?


Yes, correct.



This is I wanted to be able to use it as a FILTER action, which didn't
seem to work when I tried it.  If it could be made to run as a FILTER
action you could put it wherever you want in the restrictions order.
Even as things are now, for me, even if it only catches 1 spam per
recipient address a day, it's worth running because that spam made it
past all my other checks.
The checkdbl.pl reject rate is far less than 1 per recipient per day here. Any rule that only rejects 1 out of 1000 messages that pass prior rules -- regardless of the reason -- is ripe for a cost/benefit review.
and upon further review, the few rejected are not always clearly spam, but possibly legit marketing mail. Yes, there is such a thing. 





I'd rather see postfix effort on supporting (pseudo-)?regexp or IP range
for the dnsbl/dnswl result filters, which seems more generally useful.


I'm scratching my head trying to think of how this would be used.  A
client connects, you query the client IP against a dns[w/b]l, take some
action upon a hit.  How does a regex or IP range come into play here?
I'm not accusing you of being on crack Noel.  I just can't think of a
usage scenario.  Maybe it's due this darn cold I picked up... :(
dnswl and other whitelists indicate the class or reliability of a client with the result IP. There has been discussion about allowing a range or regexp rather than a static IP result filter to fine-tune the match. 


  -- Noel Jones

Reply via email to