[Mimedefang] Fw: [Sare-users] Spam with numbers in subj and body
Joseph Brennan
brennan at columbia.edu
Tue Jun 6 23:58:12 EDT 2006
--On Wednesday, June 7, 2006 12:23 PM +1000 Stewart <mimedefang at f8.com.au>
wrote:
> if ($MessageID =~ /<[a-z]+\@(columbia|COLUMBIA)/)
Of course you would put your own domain there-- this virus/spam
software puts the domain it is sending to in the Message-ID. The
numbers thing is using small-letters domain, but some of the virus
variants used capitals.
> One is that i'm not 100% sure of the rules governing Message-ID
> construction but I gather from the discussion that the part after the @
> has to be a proper hostname in some form, and that any @domain.name can
> be safely rejected?
No! For one thing just plain domain.com could be a hostname. But
also, the Message-ID is not required to contain a hostname.
The format of Message-ID (see RFC 2822) boils down to "<", string,
"@", string, ">". Therefore a Message-ID <abcdefg@columbia.edu> is
properly formed as per the standard.
However the purpose of Message-ID is to be a unique identifier, and
by ancient practice this is done by putting the sender's hostname in
the second string and something usually involving a timestamp in the
first string. As a result we don't expect to see "columbia.edu" as
the second string, nor all small letters in the first string, so we
can reject on that.[*]
> Secondly, where did you put this test, in filter_begin|end|middle? :-)
It's in filter_begin().
[* In fact all small letters in the first string is never generated
by any legit mail client or server that I know of, so you could reject
on just simply:
if ($MessageID =~ /<[a-z]+\@/)
But there is at least one server, mailcity.com, that generates all
capital letters in its first string. I don't know how this gets them
unique Message-IDs.]
Joseph Brennan
Columbia University Information Technology
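
The check described in this message, written as a stand-alone Perl function and run over constructed Message-IDs. This is an added example, not code from the original post or from MIMEDefang; the function name, the result labels and the site domain example.edu are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify a Message-ID against the two rules from the message above.
# Returns 'own-domain'     : all-lowercase-letter left side and our bare domain
#                            on the right (the rule the post rejects on),
#         'lowercase-only' : all-lowercase-letter left side, any right side
#                            (the broader rule from the footnote),
#         undef            : neither rule applies.
# $our_domain is the receiving site's own domain (hypothetical parameter).
sub classify_message_id {
    my ($mid, $our_domain) = @_;
    return unless defined $mid;
    # RFC 2822 shape: "<" string "@" string ">"
    my ($left, $right) = $mid =~ /^\s*<([^@<>\s]+)\@([^@<>\s]+)>\s*$/
        or return;    # missing or malformed: outside the scope of this check
    # Only lowercase letters count; all-capitals IDs (the mailcity.com case
    # mentioned in the post) must not be caught.
    return unless $left =~ /^[a-z]+$/;
    # Exact bare domain, compared case-insensitively to cover the
    # capital-letter variants; a real hostname under the domain is not a hit.
    return 'own-domain' if lc($right) eq lc($our_domain);
    return 'lowercase-only';
}

# Constructed sample Message-IDs, not taken from real mail.
my @samples = (
    '<qwertyuiop@example.edu>',
    '<zxcvbnm@EXAMPLE.EDU>',
    '<20060606235812.GA1234@mail.example.edu>',
    '<abcdefg@elsewhere.example>',
    '<ABCDEFGH@mailcity.com>',
);

for my $mid (@samples) {
    my $verdict = classify_message_id($mid, 'example.edu');
    printf "%-45s %s\n", $mid, $verdict // 'no match';
}

# In a MIMEDefang filter the function would be called from filter_begin()
# with $MessageID, and an 'own-domain' result handed to action_bounce().
```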