On 07/06/2006, at 2:05 AM, Joseph Brennan wrote:

> I was wondering why we didn't see any!  I put in effectively the same
> thing in Mimedefang a long time ago.  Bagle built Message-ID this same
> way and we could swat them away without analyzing the body.  This:
>
>    if ($MessageID =~ /<[a-z]+\@(columbia|COLUMBIA)/) {
>        md_graphdefang_log('virus','Bagle',$RelayAddr);
>        action_bounce("You are not columbia.edu");
>        return action_discard();
>    }

Hey, that looks like a really good MD rule, and from what I'm seeing of the spam/virus numbers here, it'll work a treat without burdening SA with yet another body-test rule. Thanks for posting.

Forgive me though, I have a couple of newbie-sounding questions:

One is that I'm not 100% sure of the rules governing Message-ID construction, but I gather from the discussion that the part after the @ has to be a proper hostname in some form, and that any @domain.name can be safely rejected? (I had a quick trawl through my mail folders comparing legit mail with this new malware one and this would certainly appear to be the case, but if someone could point me at the relevant RFC section I'd like to be able to say I know for sure.)

Secondly, where did you put this test, in filter_begin|end|middle? :-)

many thanks,

..S.
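As an added example, not code from either poster, here is a self-contained Perl check modelled on the quoted MIMEDefang rule; it goes a little beyond it by parsing the Message-ID into its id-left and id-right parts (RFC 2822 section 3.6.4 only requires id-right to be a dot-atom or a bracketed domain literal syntactically, not a resolvable hostname) and by flagging a Message-ID that claims one of our own domains only when the delivering relay is not ours. The domain list, the relay regex and the sample headers are assumptions I constructed.

```perl
use strict;
use warnings;

# Domains this site legitimately generates Message-IDs for (assumption).
my @OUR_DOMAINS = qw(columbia.edu);

# Relays allowed to emit Message-IDs in our domains: loopback plus one
# internal /24 (assumption; adjust for your site).
my $OUR_RELAY_RE = qr/^(?:127\.0\.0\.1|192\.168\.1\.\d{1,3})$/;

# Parse a Message-ID per RFC 2822 s.3.6.4: "<" id-left "@" id-right ">",
# id-right being a dot-atom or a bracketed domain literal. Returns
# (left, right), or an empty list when the value is not well-formed.
sub parse_message_id {
    my ($value) = @_;
    return () unless defined $value;
    $value =~ s/^\s+|\s+$//g;    # strip whitespace/CFWS at either end
    return ($1, $2) if $value =~ /^<([^@<>\s]+)@([^@<>\s]+|\[[^\]]+\])>$/;
    return ();
}

# True when the Message-ID asserts one of our domains but the delivering
# relay is not ours. Malformed Message-IDs are not flagged here.
sub message_id_forged_as_ours {
    my ($message_id, $relay_addr) = @_;
    my ($left, $right) = parse_message_id($message_id);
    return 0 unless defined $right;
    my $domain = lc $right;
    return 0 unless grep { $domain eq $_ } @OUR_DOMAINS;
    return $relay_addr =~ $OUR_RELAY_RE ? 0 : 1;
}

# Constructed sample headers and relay addresses, not real traffic.
my @samples = (
    [ '<abcdefg@columbia.edu>',       '203.0.113.9'  ],  # Bagle-style, external
    [ '<abcdefg@COLUMBIA.EDU>',       '203.0.113.9'  ],  # same, upper-case domain
    [ '<20060706.1234@columbia.edu>', '192.168.1.20' ],  # our relay: legitimate
    [ '<x@example.net>',              '203.0.113.9'  ],  # foreign domain: not ours
    [ 'no brackets at all',           '203.0.113.9'  ],  # malformed: not flagged
);
for my $s (@samples) {
    printf "%-32s from %-13s => %s\n", $s->[0], $s->[1],
        message_id_forged_as_ours(@$s) ? 'FORGED' : 'ok';
}
```

Inside a MIMEDefang filter you would call message_id_forged_as_ours($MessageID, $RelayAddr) from the same place the quoted rule lives and keep the log/bounce/discard actions as posted.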
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang