[Mimedefang] Fw: [Sare-users] Spam with numbers in subj and body

Stewart mimedefang at f8.com.au
Tue Jun 6 22:23:12 EDT 2006


On 07/06/2006, at 2:05 AM, Joseph Brennan wrote:

> I was wondering why we didn't see any!  I put in effectively the same
> thing in Mimedefang a long time ago.  Bagle built Message-ID this same
> way and we could swat them away without analyzing the body.  This:
>
>    if ($MessageID =~ /<[a-z]+\@(columbia|COLUMBIA)/) {
>        md_graphdefang_log('virus','Bagle',$RelayAddr);
>        action_bounce("You are not columbia.edu");
>        return action_discard();
>    }

Hey that looks like a really good MD rule, and from what I'm seeing
of the numbers spam/virus here, it'll work a treat without burdening
SA with yet another body-test rule.. thanks for posting.

Forgive me though, I have a couple of newbie-sounding questions -

One is that I'm not 100% sure of the rules governing Message-ID
construction but I gather from the discussion that the part after the
@ has to be a proper hostname in some form, and that any @domain.name
can be safely rejected? (I had a quick trawl through my mail folders
comparing legit mail with this new malware one and this would
certainly appear to be the case - but if someone could point me at
the relevant RFC section I'd like to be able to say I know for sure..)

Secondly, where did you put this test, in filter_begin|end|middle? :-)

many thanks,

..S.
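
The Message-ID check from the quoted message, generalized to a list of local domains and matched against the whole header value, as an added example that is not part of the original post or of MIMEDefang. The domain example.edu, the helper name forged_local_msgid and the sample Message-IDs are assumptions constructed for illustration, as is the premise that the site's own servers never generate a letters-only left part.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the domains this site's own mail servers put after the "@"
# in the Message-IDs they generate. example.edu is a placeholder.
my @LOCAL_DOMAINS = ('example.edu');

# Hypothetical helper: true when a Message-ID claims one of our domains but
# has the lowercase-letters-only left part matched in the quoted rule.
sub forged_local_msgid {
    my ($msgid, @domains) = @_;
    return 0 unless defined $msgid;

    # Split "<left@right>"; a missing or malformed header is left
    # for other checks to judge.
    my ($left, $right) = $msgid =~ /^\s*<([^@<>\s]+)\@([^@<>\s]+)>\s*$/
        or return 0;
    $right = lc $right;

    # The right side must be a local domain or a host under it.
    my $is_local = grep {
        my $d = lc $_;
        $right eq $d || $right =~ /\.\Q$d\E$/
    } @domains;
    return 0 unless $is_local;

    # Letters only on the left: not a form the assumed local MTAs produce.
    return $left =~ /^[a-z]+$/ ? 1 : 0;
}

# Constructed sample Message-IDs, not taken from real mail.
my @samples = (
    '<qwhzkdfe@example.edu>',                           # letters only, our domain
    '<qwhzkdfe@EXAMPLE.EDU>',                           # same, upper-case domain
    '<200606070223.k572NCab012345@mail.example.edu>',   # MTA-style local ID
    '<abcdefgh@example.org>',                           # someone else's domain
    'no-angle-brackets',                                # malformed header
);

for my $id (@samples) {
    printf "%-50s %s\n", $id,
        forged_local_msgid($id, @LOCAL_DOMAINS) ? 'REJECT' : 'pass';
}
```

Inside a MIMEDefang filter the value to test is the `$MessageID` variable used in the quoted rule.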


