At 11:28 2002-12-10 -0500, fleet(_at_)teachout(_dot_)org wrote:
> All of the above originated on Windows machines using some version of
> outlook. I suppose the first field could be mailer versions, but I don't
> see any date-time strings.
When I posted a breakdown of the messageid from one of my posts, it was an
example for that specific mailer. The point was that part of the coding
was the date & time. Datestamps can take many forms - a seconds tick count
is one possibility.
The hostname used in the messageids you provided is probably the unqualified
local machine name.
> When I grep for Message-ID on known spam I've received, I find that about
> 50% of the Message-IDs contain my own server domain. ???
A standards-compliant mail server will receive a message and go "hey,
there's no messageID - the sender is a yutz, but to make this message
compliant, I'll just insert one of my own."
Sendmail is one MTA which performs this fixup.
There are a sufficient number of mailing lists out there that are so hosed
as to not provide a message-id on their outbound messages (less of an issue
with discussion lists such as this one - chiefly it is a problem with
outbound-only lists), so if you're going to whack email because it isn't
_from_ your domain but contains a locally generated messageid, I'd think again.
I emit "spam advisories" to my procmail log for recipes which are
informational only - things like "may be forged", "interspersed received
headers", "code suffix on subject", and "foreign submission with local
messageid". One could instead use the various advisories as scoring
recipes which add a low value to the spam weight of the message, and in
conjunction with other criteria, could be enough to push a marginal message
across the threshold to identified spam.
Here's a sampling of Message-ID based recipes I use:
# (ADVISORIES, SPAMVER and FROM are variables presumably set earlier in the
#  rcfile: ADVISORIES=on enables the log-only recipes, SPAMVER is appended
#  to the LOG line, and FROM holds the sender address used in the
#  "Message-Id *IS* FROM" recipe below.)
# Flag messages that don't have an @ symbol in them...
# Message-ID missing @
:0
* ADVISORIES ?? on
* ! ^Message-Id:.*\@
{
LOG="SPAM: Advisory - Message-ID missing @ separator$SPAMVER"
}
# Null body Message-ID
:0
* ^Message-Id:\>*$
{
LOG="SPAM: Null body Message-Id$SPAMVER"
:0:
|gzip -9fc >> spam.gz
}
# Message-ID is same as FROM. Common in some spams.
# also, not particularly RFC822 compliant (since such a blatant duplication
# of the address as the messageid would invalidate uniqueness on subsequent
# messages).
:0
* $ ^Message-Id:[ ]\<$FROM\>
{
LOG="SPAM: Message-Id *IS* FROM address$SPAMVER"
:0:
|gzip -9fc >> spam.gz
}
# Message-Id has leading whitespace INSIDE the id
:0
* ^Message-Id:[ ]<[ ]
{
LOG="SPAM: Bad Message-Id format$SPAMVER"
:0:
|gzip -9fc >> spam.gz
}
# Message-Id header not even present.
# (unlikely to occur if your mailserver fixes the message to be RFC822
# compliant by adding such a header)
:0
* ! ^Message-Id:
{
LOG="SPAM: Message-Id not present$SPAMVER"
:0:
|gzip -9fc >> spam.gz
}
# Compliments of Era...
# Apparently, a massively-malformed Message-Id. Typical of cyberpromo...
:0
* ^Message-Id:[ ]*([^< ]|<>)
{
LOG="SPAM: Massively-malformed Message-Id$SPAMVER"
:0:
|gzip -9fc >> spam.gz
}
# if you have multiple domains hosted by your mailserver, you should add them
# all to the From line. This could be beefed up to check received: lines as
# well.
:0
* ADVISORIES ?? on
* ^Message-Id:.*mydomain\.tld
* ! ^From.*@(.*\.|)(mydomain\.tld|myotherdomain\.tld)
{
LOG="SPAM: Advisory - foreign submission with local messageid$SPAMVER"
}
An example of a domain-specific forgery checker (Note however that I am not
putting this forward as a generic check for anyone else to use):
:0
* ^From:.*@(.*\.|)yahoo\.com
* ! ^Message-Id:.*yahoo(mail|)\.com
{
LOG="SPAM: forged Yahoo$SPAMVER"
:0:
|gzip -9fc >> spam.gz
}
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
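The Message-ID recipes in the post above, redone as a small Python checker run over a few constructed header samples. This is an added example, not code from the original post or from the author's procmail setup. It assumes the post's placeholder domains mydomain.tld and myotherdomain.tld as the local domains, that the post's $FROM variable holds the bare From: address, and uses made-up advisory weights and a made-up threshold; the regexes mirror the procmail conditions, applied to the header value as Python's email parser returns it (leading blanks after the colon already stripped).

```python
"""Message-ID sanity checks in the spirit of the procmail recipes in the post."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed local domains (the post's placeholders mydomain.tld / myotherdomain.tld).
LOCAL_DOMAINS = ("mydomain.tld", "myotherdomain.tld")

# Assumed scoring: an advisory alone never crosses the threshold, two together do.
ADVISORY_WEIGHT = 1
SPAM_THRESHOLD = 2


def _in_domains(addr, domains):
    """True if addr's domain is one of domains or a subdomain of one."""
    dom = addr.rpartition("@")[2].lower()
    return any(dom == d or dom.endswith("." + d) for d in domains)


def message_id_findings(raw, local_domains=LOCAL_DOMAINS):
    """Return [(description, kind), ...] with kind 'spam' (hard hit) or 'advisory'."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]   # the post's $FROM (assumed)
    mid = msg.get("Message-Id")
    findings = []
    if mid is None:                                 # * ! ^Message-Id:
        findings.append(("Message-Id not present", "spam"))
        return findings
    if re.fullmatch(r"[^A-Za-z0-9_]*", mid):        # * ^Message-Id:\>*$
        findings.append(("Null body Message-Id", "spam"))
    if re.match(r"[^< ]|<>", mid):                  # * ^Message-Id:[ ]*([^< ]|<>)
        findings.append(("Massively-malformed Message-Id", "spam"))
    if re.match(r"<[ \t]", mid):                    # * ^Message-Id:[ ]<[ ]
        findings.append(("Bad Message-Id format", "spam"))
    if from_addr and re.match(r"\W" + re.escape(from_addr) + r"\W", mid):
        findings.append(("Message-Id *IS* FROM address", "spam"))   # \<$FROM\>
    if "@" not in mid:                              # * ! ^Message-Id:.*\@
        findings.append(("Message-ID missing @ separator", "advisory"))
    mid_lower = mid.lower()
    if any(d in mid_lower for d in local_domains) and not _in_domains(from_addr, local_domains):
        # local id, foreign From: - an advisory, since MTAs and lists legitimately do this
        findings.append(("foreign submission with local messageid", "advisory"))
    # domain-specific forgery check, same shape as the Yahoo recipe in the post
    if _in_domains(from_addr, ("yahoo.com",)) and not re.search(r"yahoo(mail)?\.com", mid_lower):
        findings.append(("forged Yahoo", "spam"))
    return findings


def classify(raw, local_domains=LOCAL_DOMAINS):
    """'spam' on any hard hit, or when advisories alone reach SPAM_THRESHOLD; else 'ok'."""
    findings = message_id_findings(raw, local_domains)
    if any(kind == "spam" for _, kind in findings):
        return "spam"
    weight = ADVISORY_WEIGHT * sum(kind == "advisory" for _, kind in findings)
    return "spam" if weight >= SPAM_THRESHOLD else "ok"


# Constructed sample messages (not taken from the post or from real mail).
GOOD = ("From: Alice <alice@example.net>\n"
        "Message-Id: <20021210112800.abc123@mail.example.net>\n\nbody\n")
NO_MESSAGE_ID = "From: bob@example.org\nSubject: hi\n\nbody\n"
ID_IS_FROM = "From: spammer@example.com\nMessage-Id: <spammer@example.com>\n\nbody\n"
LEADING_BLANK = "From: x@example.com\nMessage-Id: < 1234@host>\n\nbody\n"
BARE_NUMBER = "From: x@example.com\nMessage-Id: 12345\n\nbody\n"
NULL_ID = "From: x@example.com\nMessage-Id: <>\n\nbody\n"
FOREIGN_LOCAL = ("From: someone@elsewhere.example\n"
                 "Message-Id: <20021210.1@mydomain.tld>\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("NO_MESSAGE_ID", NO_MESSAGE_ID),
                      ("ID_IS_FROM", ID_IS_FROM), ("LEADING_BLANK", LEADING_BLANK),
                      ("BARE_NUMBER", BARE_NUMBER), ("NULL_ID", NULL_ID),
                      ("FOREIGN_LOCAL", FOREIGN_LOCAL)]:
        print(f"{name}: {classify(raw)} {message_id_findings(raw)}")
```

Note that FOREIGN_LOCAL comes out "ok": the local-domain-in-a-foreign-message condition is recorded as an advisory only, which is the point the post makes about MTAs and outbound-only lists that stamp their own Message-ID onto mail they did not originate.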