On Wed, Jun 07, 2006 at 10:29:57AM -0500, Damrose, Mark wrote:
> sendmail logs this, so you don't need to have a separate log in MD.

Good point. Couldn't see the wood for the trees...

> > Following this, I was thinking that having some sort of 
> > signature, or fingerprint for an email (like nmap's 
> > fingerprints of OS's), but then I suppose this is what Razor 
> > (etc...) do?
> 
> This particular fingerprint would be from a little used program called MS
> Outlook Express.  Block this, and your volume of mail will go WAY down.

I admit, the choice of example was perhaps bad. But looking at it again,
there are a number of: [EMAIL PROTECTED] as message ID's
(and it was said that lowercase characters, and your own domain in the
msg id, is most likely bad ... wish I could see how these spam programs
are constructed)

Also seeing:
k4SCN4F9002896,notspam,  5.743, [EMAIL PROTECTED]


If we cannot drop on the lack of msg-id (based on the RFC2822), what
about the following:
  "The message identifier (msg-id) itself MUST be a globally unique
   identifier for a message.  The generator of the message identifier
   MUST guarantee that the msg-id is unique."

and thanks to the sendmail log, based on Mark's reply, I
can now check all the logs, not just the ones I added the MD logging to:
k398tDXj013286,notspam,  1.893, [EMAIL PROTECTED]
k398tHm7013291,notspam,  1.433, [EMAIL PROTECTED]
k3995KvM013303,notspam,  1.279, [EMAIL PROTECTED]
...
k4K46lIt008367,notspam,   5.54, [EMAIL PROTECTED]
k4K51AC2008474,notspam,   5.54, [EMAIL PROTECTED]

so, unless the sending machine is stuck, and sending the same email over
and over (possible, as AWL might be changing the scores), these are
against the RFC (yeah, I know, dropping based on not going by the RFC's
is just not going to work...)

Mind you, the amount of time/cpu to process all these, based on the 
amount of bad emails that it stops, doesn't seem to be worth it 
(and it increases the FP chance too I guess).

Ahh well. 

-Paul

-- 
Paul Whittney                                ArriveTech, Inc.
Network Specialist / Systems Engineer       / |3823 W 12th St, Suite A
                                           /--|Erie, PA, 16505, USA
PWhittney [at] arrivetech.com (Main)      /   |www.arrivetech.com 
PWhittney [at] net.arrivetech.com (Aux)  /    |Tel: 814 868 3306
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
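
The log check described in the message above, as an added example that is not part of the original post or of MIMEDefang: it groups lines in the "queue-id, verdict, score, msg-id" layout quoted there and reports any msg-id logged under more than one queue ID, plus entries with no msg-id. The sample lines, queue IDs and message-ids are constructed (the ones on the page are redacted), and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the four-field layout quoted in the message.
SAMPLE_LOG = """\
k5A00001000001,notspam,  1.893, <abc123@mail.example.net>
k5A00002000002,notspam,  1.433, <unique-1@lists.example.org>
k5A00003000003,notspam,  1.279, <unique-2@lists.example.org>
k5B00004000004,notspam,   5.54, <abc123@mail.example.net>
k5B00005000005,spam,     9.100,
garbage line without enough fields
"""

def parse_line(line):
    """Return (queue_id, verdict, score, msg_id) or None if the line is malformed."""
    # maxsplit=3 keeps any commas inside the msg-id in the last field.
    parts = [p.strip() for p in line.split(",", 3)]
    if len(parts) != 4:
        return None
    qid, verdict, score, msgid = parts
    try:
        score = float(score)
    except ValueError:
        return None
    return qid, verdict, score, msgid.strip("<>")

def reused_msgids(lines):
    """Return (dupes, missing): msg-ids seen under 2+ queue IDs, and queue IDs with no msg-id."""
    seen = defaultdict(dict)
    missing = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qid, _verdict, score, msgid = rec
        if not msgid:
            missing.append(qid)
            continue
        # Keyed by queue ID so a line logged twice for one delivery counts once.
        seen[msgid][qid] = score
    dupes = {m: sorted(q.items()) for m, q in seen.items() if len(q) > 1}
    return dupes, missing

if __name__ == "__main__":
    dupes, missing = reused_msgids(SAMPLE_LOG.splitlines())
    for msgid, hits in dupes.items():
        print(f"{msgid}: reused under {len(hits)} queue IDs -> {hits}")
    print("no msg-id:", missing)
```

A reused msg-id is only a signal to look closer: as the message notes, a stuck sender retrying the same mail produces the same pattern.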