MessageID's [was Re: [Mimedefang] Fw: [Sare-users] Spam with numbers in subj and b ody]

Paul Whittney pwhittney at net.arrivetech.com
Wed Jun 7 15:14:42 EDT 2006


On Wed, Jun 07, 2006 at 10:29:57AM -0500, Damrose, Mark wrote:
> sendmail logs this, so you don't need to have a separate log in MD.

Good point. Couldn't see the wood for the trees...

> > Following this, I was thinking that having some sort of 
> > signature, or fingerprint for an email (like nmap's 
> > fingerprints of OS's), but then I suppose this is what Razor 
> > (etc...) do?
> 
> This particular fingerprint would be from a little used program called MS
> Outlook Express.  Block this, and your volume of mail will go WAY down.

I admit, the choice of example was perhaps bad. But looking at it again,
there are a number of: %RNDUCCHAR2025 at hotmail.com as message IDs
(and it was said that lowercase characters, and your own domain in the
msg id, is most likely bad ... wish I could see how these spam programs
are constructed)

Also seeing:
k4SCN4F9002896,notspam,  5.743, {DIG}.20020101041053 at mail.ru


If we cannot drop on the lack of msg-id (based on the RFC2822), what
about the following:
  "The message identifier (msg-id) itself MUST be a globally unique
   identifier for a message.  The generator of the message identifier
   MUST guarantee that the msg-id is unique."

and thanks to the sendmail log, based on Mark's reply, I
can now check all the logs, not just the ones I added the MD logging to:
k398tDXj013286,notspam,  1.893, 000001c65bc7$a4580810$dccda8c0 at eui70
k398tHm7013291,notspam,  1.433, 000001c65bc7$a4580810$dccda8c0 at eui70
k3995KvM013303,notspam,  1.279, 000001c65bc7$a4580810$dccda8c0 at eui70
...
k4K46lIt008367,notspam,   5.54, bae701c67bc3$985a3f40$ab4887fa at barco.com
k4K51AC2008474,notspam,   5.54, bae701c67bc3$985a3f40$ab4887fa at barco.com

so, unless the sending machine is stuck, and sending the same email over
and over (possible, as AWL might be changing the scores), these are
against the RFC (yeah, I know, dropping based on not going by the RFCs
is just not going to work...)

Mind you, the amount of time/cpu to process all these, based on the 
amount of bad emails that it stops, doesn't seem to be worth it 
(and it increases the FP chance too I guess).

Ahh well. 

-Paul

-- 
Paul Whittney                                ArriveTech, Inc.
Network Specialist / Systems Engineer       / |3823 W 12th St, Suite A
                                           /--|Erie, PA, 16505, USA
PWhittney [at] arrivetech.com (Main)      /   |www.arrivetech.com 
PWhittney [at] net.arrivetech.com (Aux)  /    |Tel: 814 868 3306
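The duplicate check Paul does by eye on his "queueid,verdict, score, msgid" log lines can be scripted. The following is an added example, not code from the post, MIMEDefang or sendmail: it parses lines in that layout (the list archive rewrote "@" as " at "; the constructed sample below uses the real "@"), lists every Message-ID that turns up under more than one sendmail queue ID, and attaches advisory flags for two of the patterns mentioned in the thread. Treating "%RND..." and "{DIG}" as unexpanded randomisation tokens is an assumption of mine, as are the flag names and the local domain `example.org`. As the post itself notes, a repeated Message-ID can also be a stuck or retrying sender, so the output is something to review, not a reject rule.

```python
"""Spot Message-IDs that repeat across sendmail queue IDs, plus a few advisory flags."""
import re
from collections import defaultdict

# Constructed sample in the post's "queueid,verdict, score, msgid" layout.
# The list archive rewrote "@" as " at "; these lines use the real "@" form.
SAMPLE_LOG = """\
k398tDXj013286,notspam,  1.893, 000001c65bc7$a4580810$dccda8c0@eui70
k398tHm7013291,notspam,  1.433, 000001c65bc7$a4580810$dccda8c0@eui70
k3995KvM013303,notspam,  1.279, 000001c65bc7$a4580810$dccda8c0@eui70
k4K46lIt008367,notspam,   5.54, bae701c67bc3$985a3f40$ab4887fa@barco.com
k4K51AC2008474,notspam,   5.54, bae701c67bc3$985a3f40$ab4887fa@barco.com
k4SCN4F9002896,notspam,  5.743, {DIG}.20020101041053@mail.ru
k4SCN4F9002897,spam,    12.100, %RNDUCCHAR2025@hotmail.com
k4SCN4F9002898,notspam,  0.512, 20060607151442.GA1234@example.org
k4SCN4F9002899,spam,     9.800, abc123@example.org
"""

LINE_RE = re.compile(
    r"^(?P<qid>[A-Za-z0-9]+),(?P<verdict>\w+),\s*(?P<score>[\d.]+),\s*(?P<msgid>\S+)\s*$"
)

def parse_log(text):
    """Parse the four comma-separated fields; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({
                "qid": m.group("qid"),
                "verdict": m.group("verdict"),
                "score": float(m.group("score")),
                "msgid": m.group("msgid"),
            })
    return records

def duplicate_msgids(records):
    """Message-IDs seen under more than one queue ID. RFC 2822 says the generator
    MUST make each msg-id globally unique, so a repeat is either a stuck or
    retrying sender or a generator that does not bother."""
    by_msgid = defaultdict(set)
    for r in records:
        by_msgid[r["msgid"]].add(r["qid"])
    return {mid: sorted(qids) for mid, qids in by_msgid.items() if len(qids) > 1}

# Tokens seen literally in the thread's examples; assumed (by me) to be
# randomisation macros that the sending software never expanded.
TEMPLATE_TOKENS = ("%RND", "{DIG}")

def flag_msgid(msgid, local_domain):
    """Advisory flags for one inbound Message-ID (flag names are hypothetical)."""
    flags = []
    if "@" not in msgid:
        flags.append("no-domain-part")
        return flags
    lhs, rhs = msgid.rsplit("@", 1)
    # Inbound mail whose Message-ID claims our own domain (the "your own
    # domain in the msg id" heuristic from the thread).
    if rhs.lower() == local_domain.lower():
        flags.append("claims-local-domain")
    if any(tok in lhs for tok in TEMPLATE_TOKENS):
        flags.append("unexpanded-template-token")
    return flags

def review(text, local_domain):
    """Return the record count, the duplicate map and every flagged (qid, msgid, flags)."""
    records = parse_log(text)
    flagged = [(r["qid"], r["msgid"], flag_msgid(r["msgid"], local_domain))
               for r in records]
    return {
        "records": len(records),
        "duplicates": duplicate_msgids(records),
        "flagged": [f for f in flagged if f[2]],
    }

if __name__ == "__main__":
    result = review(SAMPLE_LOG, "example.org")
    for mid, qids in result["duplicates"].items():
        print(f"DUP  {mid}: {', '.join(qids)}")
    for qid, mid, flags in result["flagged"]:
        print(f"FLAG {qid} {mid}: {' '.join(flags)}")
```

Run against a real log, the duplicate map is what answers Paul's question: with the queue IDs in hand you can go back to the sendmail log for each one and see whether the same client retried (same relay, minutes apart) or unrelated hosts reused the ID. The local-domain flag only makes sense on mail received from outside, so keep it off for your own submission path.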


