[Mimedefang] Fw: [Sare-users] Spam with numbers in subj and body
Stewart
mimedefang at f8.com.au
Tue Jun 6 22:23:12 EDT 2006
On 07/06/2006, at 2:05 AM, Joseph Brennan wrote:
> I was wondering why we didn't see any! I put in effectively the same
> thing in Mimedefang a long time ago. Bagle built Message-ID this same
> way and we could swat them away without analyzing the body. This:
>
> if ($MessageID =~ /<[a-z]+\@(columbia|COLUMBIA)/) {
> md_graphdefang_log('virus','Bagle',$RelayAddr);
> action_bounce("You are not columbia.edu");
> return action_discard();
> }
Hey that looks like a really good MD rule, and from what I'm seeing
of the numbers spam/virus here, it'll work a treat without burdening
SA with yet another body-test rule. Thanks for posting.

Forgive me though, I have a couple of newbie-sounding questions -

One is that I'm not 100% sure of the rules governing Message-ID
construction but I gather from the discussion that the part after the
@ has to be a proper hostname in some form, and that any @domain.name
can be safely rejected? (I had a quick trawl through my mail folders
comparing legit mail with this new malware one and this would
certainly appear to be the case - but if someone could point me at
the relevant RFC section I'd like to be able to say I know for sure.)

Secondly, where did you put this test, in filter_begin|end|middle? :-)

Many thanks,
..S.
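
Added example (not part of the original post, and not MIMEDefang's own code): a stand-alone Perl script that runs the quoted Message-ID pattern over constructed header values to show which shapes it catches and which it misses. The `$strict` pattern, the `classify` helper and every sample value are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: exercises the quoted Message-ID pattern outside MIMEDefang.
use strict;
use warnings;

# The pattern from the quoted rule, unchanged.
my $quoted = qr/<[a-z]+\@(columbia|COLUMBIA)/;

# Hypothetical tighter variant (assumption, not from the thread): anchored at
# both ends, full domain required, domain compared case-insensitively.
my $strict = qr/^<[a-z]+\@(?i:columbia\.edu)>$/;

# Constructed Message-ID values; none are taken from real mail.
my @samples = (
    [ '<qwkzjvbt@columbia.edu>',                   'letters only, local domain' ],
    [ '<20060606142312.GA1234@mail.columbia.edu>', 'digits and dots, subdomain' ],
    [ '<E1Fnabc-0001@columbia.edu>',               'mixed local part' ],
    [ '<abcdef@columbia-mail.example>',            'look-alike domain' ],
    [ '<abcdef@Columbia.edu>',                     'mixed-case domain' ],
    [ '<abcdef@example.org>',                      'unrelated domain' ],
);

# Return which of the two patterns match a given Message-ID value.
sub classify {
    my ($msgid) = @_;
    return {
        quoted => ($msgid =~ $quoted) ? 1 : 0,
        strict => ($msgid =~ $strict) ? 1 : 0,
    };
}

printf "%-44s %-7s %-7s %s\n", 'Message-ID', 'quoted', 'strict', 'note';
for my $s (@samples) {
    my ($msgid, $note) = @$s;
    my $r = classify($msgid);
    printf "%-44s %-7s %-7s %s\n", $msgid,
        $r->{quoted} ? 'match' : '-',
        $r->{strict} ? 'match' : '-',
        $note;
}
```

Before using either pattern to reject mail, run it over the Message-IDs your own mail servers and clients generate, since any legitimate local sender that produces an all-letter left-hand side would also match.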