--On Wednesday, June 7, 2006 12:23 PM +1000 Stewart <[EMAIL PROTECTED]> wrote:
if ($MessageID =~ /<[a-z]+\@(columbia|COLUMBIA)/)
Of course you would put your own domain there-- this virus/spam software puts the domain it is sending to in the Message-ID. The numbers thing is using small-letters domain, but some of the virus variants used capitals.
One is that I'm not 100% sure of the rules governing Message-ID construction, but I gather from the discussion that the part after the @ has to be a proper hostname in some form, and that any @domain.name can be safely rejected?
No! For one thing just plain domain.com could be a hostname. But also, the Message-ID is not required to contain a hostname. The format of Message-ID (see RFC 2822) boils down to "<", string, "@", string, ">". Therefore a Message-ID <[EMAIL PROTECTED]> is properly formed as per the standard. However the purpose of Message-ID is to be a unique identifier, and by ancient practice this is done by putting the sender's hostname in the second string and something usually involving a timestamp in the first string. As a result we don't expect to see "columbia.edu" as the second string, nor all small letters in the first string, so we can reject on that.[*]
Secondly, where did you put this test, in filter_begin|end|middle? :-)
It's in filter_begin().

[* In fact all small letters in the first string is never generated by any legit mail client or server that I know of, so you could reject on just simply:

if ($MessageID =~ /<[a-z]+\@/)

But there is at least one server, mailcity.com, that generates all capital letters in its first string. I don't know how this gets them unique Message-IDs.]

Joseph Brennan
Columbia University Information Technology
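As an added example (not part of the original message and not MIMEDefang's own code), the two Message-ID tests discussed above can be written as a standalone Perl function and run against constructed sample values. The domain `example.edu`, the function name `classify_message_id` and the result labels are assumptions; the domain comparison is anchored and case-insensitive, which generalizes the `(columbia|COLUMBIA)` alternation in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the bare domain this server accepts mail for (placeholder).
my $OWN_DOMAIN = 'example.edu';

# Classify a Message-ID value with the two tests from the thread.
# Returns 'forged-own-domain', 'lowercase-only' or 'ok'.
sub classify_message_id {
    my ($mid, $own_domain) = @_;
    return 'ok' unless defined $mid;    # missing header is a separate policy

    # Shape described in the message: "<", string, "@", string, ">".
    my ($left, $right) = $mid =~ /^\s*<([^@<>\s]+)\@([^@<>\s]+)>\s*$/
        or return 'ok';                 # anything else is left alone here

    # Whole-string comparison: only the bare recipient domain counts, so a
    # real host such as mail.example.edu is never treated as forged.
    my $is_own  = lc($right) eq lc($own_domain);
    my $all_low = $left =~ /^[a-z]+$/;

    return 'forged-own-domain' if $all_low && $is_own;  # first test
    return 'lowercase-only'    if $all_low;             # footnote test
    return 'ok';
}

# Constructed sample values, not taken from real mail.
my @samples = (
    '<qwhxkzjd@example.edu>',                    # recipient domain, lowercase
    '<qwhxkzjd@EXAMPLE.EDU>',                    # variant using capitals
    '<abcdefgh@relay.example.net>',              # lowercase-only first string
    '<20060607122301.A1B2C3@mail.example.edu>',  # timestamp plus hostname
    '<ABCDEFGH@mailcity.com>',                   # all capitals, per the caveat
    'no-angle-brackets',                         # not in the expected shape
);

# In a MIMEDefang filter the same call would sit in filter_begin() and be
# given $MessageID; here the samples are simply printed with their verdict.
for my $mid (@samples) {
    printf "%-44s %s\n", $mid, classify_message_id($mid, $OWN_DOMAIN);
}
```

Keeping the two verdicts separate lets a site reject on the own-domain case while only logging or scoring the broader lowercase-only case until it has checked its own legitimate senders.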

