procmail

Re: Spam Recipe: Match Message-id: and From:

1998-04-26 08:34:19

stanr@sunspot.tiac.net said:
At 05:31 AM 4/26/98 -0400, gsutter@pobox.com wrote:

What legitimate mail clients don't add a Message-Id:?  If they don't,
they're violating RFC 822.

No, it's optional.

I've just scanned my mail for messages where the domain in the
From: line is not contained in the domain of the Message-ID:.
There are quite a lot that are not spam and which don't match.

Here's my hack in case anyone else wants to try (assumes one
message per file as I use MH):

#!/bin/sh
# see if domain in Message-ID: matches From: domain
# usage chkmsg file [morefiles]
for f
do
        # domain after the @ in the first From: header
        fromdom=`sed -n '/^From:.*@/{s/.*@\([-._0-9a-zA-Z]*\).*/\1/;p;q;}' "$f"`
        # domain after the @ in the first Message-ID: header, closing > removed
        msgdom=`sed -n '/^Message-[iI][dD]:.*@/{s/.*@//;s/>$//;p;q;}' "$f"`
        fromdom=`echo "$fromdom" | tr A-Z a-z`
        msgdom=`echo "$msgdom" | tr A-Z a-z`
        # does the From: domain occur in the Message-ID: domain?
        # (the x prefix keeps expr from choking on an empty or odd-looking value)
        match=`expr "x$msgdom" : "x.*\($fromdom\)"`
        [ "$fromdom" != "$match" ] && echo "$f" $fromdom $msgdom $match
done


As soon as I have distributed mail from mailing lists to the
appropriate folder, I send all Bcc'd mail to one of my
junk folders with the following:

:0 w: bcc/$LOCKEXT
* !^TO(grpalias1|alias2|alias3)@(host1|host2)(\.optdomain|)\.co\.uk
| rcvstore +bcc

However, I'm getting more spam these days that is delivered to
me individually. I don't quite understand why they bother. Surely
they should want the people who are more likely to complain and otherwise
make trouble, to avoid getting the spam, i.e. make it easy to
filter out?

The only way I can filter mail like this:

Received: from spm2.vgernet.net ([206.25.237.102]) by punt-3.mail.demon.net
           id aa3226660; 25 Apr 98 5:00 BST
Message-id: <893476838.3226660.0@spm2.vgernet.net>
Date: Sat, 25 Apr 1998 08:19:45
From: <Look-Here@YourOpportunity.net>
To: <paul@argo.demon.co.uk>
Subject: Make $14,920 With No Out Of Pocket Expense!!!

$14,920.00
Cash in Your Pocket!
[snip]

would seem to be by content-based filtering. The fact that the
message-id is put in by the relay is a hint, but would give me
too many false positives to automate.

Any ideas?

Instead of reacting to all this, it would be nice to be proactive
and start scanning for open relays and informing them that
they are likely to be abused, before the spammers get to them.
How about a "find-and-close-the-relays week"?

Cheers,
Paul
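As an added example (not from the post, nor from the procmail or MH distributions), the two checks discussed above, the Message-ID:/From: domain comparison and the ^TO "is this addressed to me" test, written in Python rather than sh so that a missing Message-ID: gives no verdict at all (the header is optional) and so that the result is a pair of flags for a later recipe to weigh, given the false-positive caveat. The addresses in MY_ADDRESSES and the two non-spam messages are constructed; the first sample reuses the spam headers quoted in the post, and the domain test is a label-boundary subdomain match, stricter than the script's substring check.

```python
import email
from email.utils import getaddresses, parseaddr

# Assumed addresses that count as "mine" (placeholders, like the aliases in the recipe).
MY_ADDRESSES = {"paul@argo.demon.co.uk", "alias2@host1.co.uk"}

# Constructed sample messages; the first reuses the spam headers quoted in the post.
SPAM = """Received: from spm2.vgernet.net ([206.25.237.102]) by punt-3.mail.demon.net
Message-id: <893476838.3226660.0@spm2.vgernet.net>
From: <Look-Here@YourOpportunity.net>
To: <paul@argo.demon.co.uk>
Subject: Make $14,920 With No Out Of Pocket Expense!!!
"""
LIST_MAIL = """Message-ID: <19980426.1234@mail.example.org>
From: Some Person <someone@example.org>
To: procmail@list.example.net
"""
NO_MSGID = """From: A Friend <friend@example.com>
To: Paul <paul@argo.demon.co.uk>
"""

def domain_of(addr):
    """Lower-cased part after the last @, with any closing > stripped."""
    return addr.rpartition("@")[2].strip("> ").lower()

def msgid_matches_from(msg):
    """None if undecidable (no @ in From:, or no Message-ID: since RFC 822 makes it
    optional); else True when the Message-ID domain is the From domain or a subdomain of it."""
    fd = domain_of(parseaddr(msg.get("From", ""))[1])
    mid = msg.get("Message-ID", "")  # header lookup is case-insensitive
    if not fd or "@" not in mid:
        return None
    md = domain_of(mid)
    return md == fd or md.endswith("." + fd)

def addressed_to_me(msg, mine):
    """The ^TO idea: is one of my addresses an explicit To:/Cc:/Resent-To: recipient?"""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Resent-To", [])
    return any(a.lower() in mine for _, a in getaddresses(hdrs))

def score(raw, mine=MY_ADDRESSES):
    """Report both heuristics and leave the filing decision to the caller."""
    msg = email.message_from_string(raw)
    return {"msgid_ok": msgid_matches_from(msg), "addressed_to_me": addressed_to_me(msg, mine)}
```

Mail from a list shows up as not addressed to me, which is why the post files list mail to its folders before the Bcc recipe runs.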