fleet(_at_)teachout(_dot_)org wrote:
On Tue, 10 Dec 2002 dman(_at_)nomotek(_dot_)com wrote:
Message-ID: <000d01c2718a$9c239b80$1f2c5b0c(_at_)sylvia>
Message-ID: <000b01c2718f$48e319a0$36325d0c(_at_)user>
Message-ID: <000701c2879d$ac759f00$02768144(_at_)hppav>
Message-ID: <003301c287d8$47e87ea0$8b325d0c(_at_)yourm5d4u9r2uv>
So, what was your question, again? Oh, yeah: Why doesn't Microsoft
conform to accepted standards and recommended procedures, was it?
No. My question, which Sean has already answered, was why don't the
message IDs I see conform to the one Sean provided as an
example.
Well, fleet, when I read Sean's answer, what I thought to myself was,
"Good, he's said the same thing I did, but in other words."
When I grep for Message-ID on known spam I've received, I find
that about 50% of the Message-IDs contain my own server domain.
???
Yes, that implies that the mail was injected (at the SMTP port)
directly from the spammer's end and without a Message-ID. Your
server ascribes one if none is present. That's routine. I use
that along with a more complex trust calculus in another recipe,
.........^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
as a matter of fact, as another of my spam-fighting recipes.
Then I could use a rule that said, in effect, if the
Message-ID contains raq2.paxp.com (my server) then I can
assume it is (highly probably) spam?
Why do I keep getting the feeling that you're not reading what I'm
writing? NO, the relay server's (or your server's) Message-ID is,
alone, not enough to positively flag mail as spam. As I wrote
before, and as Sean has since corroborated independently, much
list mail comes that way, for example. Indeed, SpamCop.net's own
emailed report notifications arrive with my upstream SMTP server's
Message-ID: in the mail.
If you want to put together a recipe that bases initial suspicion
on the upstream server's being in the Message-ID, fine; and I do
that, too. But if I stopped my analysis (or my recipe) there,
I'd have lots of false positives.
--
"Weltbedenkend, örtlich lenkend!"
-- Original von Dallman Ross
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
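Added example (not part of the original thread or anyone's actual recipe): a small Python check showing why a Message-ID stamped by the receiving server (raq2.paxp.com, as named above) works as initial suspicion but not as a verdict. The sample messages are constructed, and treating List-Id or Precedence: list as the marker for list mail is an assumption made for this illustration.

```python
import email
from collections import Counter

LOCAL_MTA = "raq2.paxp.com"  # receiving server named in the thread


def msgid_domain(msg):
    """Lowercased domain part of Message-ID, or '' if absent or malformed."""
    mid = (msg.get("Message-ID") or "").strip().strip("<>")
    return mid.rpartition("@")[2].lower() if "@" in mid else ""


def looks_like_list(msg):
    # Assumption: list traffic carries List-Id or "Precedence: list".
    prec = (msg.get("Precedence") or "").strip().lower()
    return msg.get("List-Id") is not None or prec == "list"


def classify(raw):
    """Return 'no-signal', 'local-id-list' or 'local-id-suspect'."""
    msg = email.message_from_string(raw)
    if msgid_domain(msg) != LOCAL_MTA:
        return "no-signal"  # sender supplied its own Message-ID
    # The ID was assigned on arrival: suspicious, unless it is list mail.
    return "local-id-list" if looks_like_list(msg) else "local-id-suspect"


# Constructed sample messages (all IDs and addresses are made up).
SAMPLES = {
    "direct-injected": "Message-ID: <200212100101.AAA111@raq2.paxp.com>\n"
                       "From: offers@bulk.example\nSubject: Act now\n\nbody\n",
    "list-post": "Message-ID: <200212100202.BBB222@raq2.paxp.com>\n"
                 "List-Id: <announce.lists.example>\n"
                 "From: owner@lists.example\nSubject: Digest\n\nbody\n",
    "ordinary": "Message-ID: <abc123@mail.friend.example>\n"
                "From: pal@friend.example\nSubject: Lunch?\n\nbody\n",
}


def tally(samples):
    """Count classifications across a dict of raw messages."""
    return Counter(classify(raw) for raw in samples.values())


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {classify(raw)}")
```

A rule that stopped at the Message-ID match would flag both of the first two samples; only "local-id-suspect" should go on to further tests.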