[Mimedefang] Fw: [Sare-users] Spam with numbers in subj and body

Joseph Brennan brennan at columbia.edu
Tue Jun 6 23:58:12 EDT 2006



--On Wednesday, June 7, 2006 12:23 PM +1000 Stewart <mimedefang at f8.com.au> 
wrote:

> if ($MessageID =~ /<[a-z]+\@(columbia|COLUMBIA)/)

Of course you would put your own domain there-- this virus/spam
software puts the domain it is sending to in the Message-ID.  The
numbers thing is using small-letters domain, but some of the virus
variants used capitals.


> One is that i'm not 100% sure of the rules governing Message-ID
> construction but I gather from the discussion that the part after the @
> has to be a proper hostname in some form, and that any @domain.name can
> be safely rejected?

No!  For one thing just plain domain.com could be a hostname.  But
also, the Message-ID is not required to contain a hostname.

The format of Message-ID (see RFC 2822) boils down to "<", string,
"@", string, ">".  Therefore a Message-ID <abcdefg@columbia.edu> is
properly formed as per the standard.

However the purpose of Message-ID is to be a unique identifier, and
by ancient practice this is done by putting the sender's hostname in
the second string and something usually involving a timestamp in the
first string.  As a result we don't expect to see "columbia.edu" as
the second string, nor all small letters in the first string, so we
can reject on that.[*]


> Secondly, where did you put this test, in filter_begin|end|middle? :-)

It's in filter_begin().


[* In fact all small letters in the first string is never generated
by any legit mail client or server that I know of, so you could reject
on just simply:
   if ($MessageID =~ /<[a-z]+\@/)   # left-hand string is lowercase letters only
But there is at least one server, mailcity.com, that generates all
capital letters in its first string.  I don't know how this gets them
unique Message-IDs.]


Joseph Brennan
Columbia University Information Technology
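The two heuristics from this message (our own domain on the right-hand side of the Message-ID, and a left-hand side made only of lowercase letters), written out as an added stand-alone Perl example. This is not code from the post or from MIMEDefang itself; the domain example.org and every sample Message-ID below are constructed for illustration, and the filter_begin() usage in the trailing comment is an assumption about how one would wire it in.

```perl
#!/usr/bin/perl
# Added example, not from the original post or the MIMEDefang project.
# Implements the two Message-ID heuristics discussed in the thread.
# "example.org" and the sample Message-IDs are constructed values.
use strict;
use warnings;

# Return a reason string when the Message-ID matches a heuristic,
# or an empty string when it looks acceptable.
sub message_id_looks_forged {
    my ($msgid, $our_domain) = @_;

    # RFC 2822 shape: "<", id-left, "@", id-right, ">". Anything that
    # does not even have that shape is left to other checks.
    return '' unless $msgid =~ /^\s*<([^\@>]+)\@([^>]+)>\s*$/;
    my ($left, $right) = ($1, $2);

    # Heuristic 1: the sending software puts the *recipient's* domain on
    # the right-hand side. Compare case-insensitively, since some variants
    # used capitals (the post's (columbia|COLUMBIA) alternation).
    if (lc($right) eq lc($our_domain)) {
        return 'right side is our own domain';
    }

    # Heuristic 2 (the footnote): a left-hand side of lowercase letters
    # only is not produced by known legitimate software. All capitals is
    # deliberately NOT matched, because mailcity.com generates those.
    if ($left =~ /^[a-z]+$/) {
        return 'left side is all lowercase letters';
    }

    return '';
}

# Constructed samples, not captured mail.
my $our_domain = 'example.org';
my @samples = (
    '<abcdefg@example.org>',                  # both heuristics: the thread's case
    '<xyzq@EXAMPLE.ORG>',                     # capitals variant, still caught
    '<hello@mail.other.net>',                 # lowercase left side only
    '<20060607123456.GA1234@mx1.other.net>',  # typical legit: timestamp + hostname
    '<ABCDEFGH@mailcity.com>',                # all capitals: accepted
    'not-a-message-id',                       # malformed: not judged here
);

for my $id (@samples) {
    my $why = message_id_looks_forged($id, $our_domain);
    printf "%-42s %s\n", $id, $why ? "REJECT ($why)" : 'ok';
}

# Assumed wiring inside a MIMEDefang filter_begin(), using the global
# $MessageID the post refers to (shown as a comment, not run here):
#   my $why = message_id_looks_forged($MessageID, 'example.org');
#   return action_bounce("Forged Message-ID: $why") if $why;
```

The first two samples are rejected by the domain check, the third by the lowercase check, and the remaining three pass, which matches the behaviour the message describes: the legitimate timestamp-plus-hostname form and the all-capitals mailcity.com form are both left alone.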

