Re: Malformed spam email gets through.

2018-01-03 Thread @lbutlr
On 03 Jan 2018, at 04:57, Matus UHLAR - fantomas  wrote:
> while it's "only" recommended that the right part is a domain name, but
> there must be a right part.

Yes, there must be a left and a right and an '@' in-between.

On 03 Jan 2018, at 12:36, Bill Cole wrote:
> About 1.5% of my personal non-spam email over the past 20 years has had 
> "localhost" as the right hand side of the MID. This implies a de facto RFC 
> violation because it poses a real risk of duplication.

There is no requirement that the right side be globally unique, just that the 
entire message ID is globally unique.

> An additional ~1% has a MID header with either no dots or no '@'.

Dots are irrelevant, but the way I read the RFC, '@' is required.

-- 
No Sigs. Blame Apple.



Re: Malformed spam email gets through.

2018-01-03 Thread Ian Zimmerman
On 2018-01-03 14:36, Bill Cole wrote:

> I have run an environment where each MTA node in the external gateway
> layer would add a MID with its own FQDN to any message passing through
> missing a MID. Those names could not be resolved in the world at
> large, but they were absolutely valid and guaranteed unique.

This is what I do with my personal outgoing messages.  Free 3rd level
DNs are available at freedns.org and I use a bogus (from the DNS POV)
4th level name under one of those, distinct for each host, as the RHS in
my Message-ID.  There's no good reason to use "localhost" or
"localdomain".

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.


Re: Malformed spam email gets through.

2018-01-03 Thread Bill Cole

On 2 Jan 2018, at 20:39, Alex wrote:

> Is it possible to at least enforce that the message-ID has a valid
> domain?

Not reliably.

About 1.5% of my personal non-spam email over the past 20 years has had 
"localhost" as the right hand side of the MID. This implies a de facto 
RFC violation because it poses a real risk of duplication.


An additional ~1% has a MID header with either no dots or no '@'. This 
includes mail from Facebook, Seagate, Apple, one of my credit unions, a 
medical supply house that we buy from for my son's care, GMX (German 
freemail provider), multiple regulars on a private mailing list of 
old-timer anti-spam nutcases, the postmaster of LinkedIn sending 
personal mail with his linkedin.com address via GMail, iFixit, Verizon's 
SMS->Email gateway, and multiple ESPs including Eloqua and Digital 
River. At least one recent version of CommuniGate Pro (6.1.2) generated 
event invitations with a bare UUID as the MID.


In other words: a significant number of messages, largely legitimate 
transactional messages, lack a FQDN in the MID.


I have run an environment where each MTA node in the external gateway 
layer would add a MID with its own FQDN to any message passing through 
missing a MID. Those names could not be resolved in the world at large, 
but they were absolutely valid and guaranteed unique.


Re: Malformed spam email gets through.

2018-01-03 Thread Matus UHLAR - fantomas

On 1 Jan 2018, at 10:47, Matus UHLAR - fantomas uh...@fantomas.sk> wrote:



On 1 Jan 2018, at 11:41 (-0500), Matus UHLAR - fantomas wrote:

the gross format in RFCs 822, 2822 and 5322 describes message-id consisting
of local and domain part, thus it must contain "@".


On 01.01.18 12:17, Bill Cole wrote:

No, it does not. Re-read the cited sections. From RFC5322, the ABNF definition:

 msg-id  =   [CFWS] "<" id-left "@" id-right ">" [CFWS]


this is the part that says message-id must consist of local and domain
parts.


On 02.01.18 13:44, @lbutlr wrote:

No, it doesn't say anything like that.


ok, let's rephrase that: it says that the message-id consists of two parts
and the "@" between them.


As I already posted:


5322 specifically states: "Though other algorithms will work, it is
RECOMMENDED that the right-hand side contain some domain identifier
(either of the host itself or otherwise) such that the generator of the
message identifier can guarantee the uniqueness of the left-hand side
within the scope of that domain."

There is no requirement to include a local and domain part in any part of a 
Message-ID.


while it's "only" recommended that the right part is a domain name, but
there must be a right part.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted,
then used against you. 


Re: Malformed spam email gets through.

2018-01-03 Thread Antony Stone
On Wednesday 03 January 2018 at 02:39:54, Alex wrote:

> Hi,
> 
> Is it possible to at least enforce that the message-ID has a valid domain?

If by "enforce" you mean "require" (in other words, you look at whatever 
message-ID the incoming email has, and you decide that if it doesn't contain a 
valid domain, then it is suspicious), then yes, you can.

However, this requirement is not stipulated by current RFCs, therefore you may 
well be falsely marking legitimate email.

Only a check of the incoming mail you receive, to see whether "message ID 
contains no valid domain" is a reliable indicator of spam, can tell you 
whether it's a good idea to do this on your mail filtering.

The example quoted below is entirely RFC-conformant.


Antony.

> Received: from thomas-krueger.local
> (221.208.196.104.bc.googleusercontent.com. [104.196.208.221])
> by smtp-relay.gmail.com with ESMTPS id
> r16sm1186220uai.7.2017.12.28.18.04.13
> for 
> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
> Thu, 28 Dec 2017 18:04:14 -0800 (PST)
> X-Relaying-Domain: janda02.com
> Message-ID: <5b974eb73ed9c2d1b630f4b600191771@zfimvuyb.gwbba>
> From: "Apple Store" 
> To: 
> 
> On Tue, Jan 2, 2018 at 5:41 PM, @lbutlr  wrote:
> > On 2 Jan 2018, at 04:26, Rupert Gallagher r...@protonmail.com> wrote:
> >> Note taken. We still abide to the duties and recommendations, and expect
> >> well-behaved servers do the same, by identifying themselves. We
> >> cross-check, and if they lie, we block them.
> > 
> > rejecting because they spoof a domain in the MID is one thing. Rejecting
> > an email because you misunderstood the RFC and don't see a valid domain
> > name is an entirely different thing.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

Please reply to the list;
please *don't* CC me.
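As an added example (not code from any poster in this thread), here is a Python check that enforces only what the RFC 5322 msg-id ABNF quoted above actually requires, and reports the legal-but-notable cases the thread describes (a "localhost" right-hand side, a right-hand side with no dot, an address literal) as observations rather than failures. All sample Message-IDs except the one from Antony's quoted headers are constructed.

```python
"""Check a Message-ID against the RFC 5322 msg-id grammar.

Only "<" id-left "@" id-right ">" is enforced. A domain name on the
right-hand side is RECOMMENDED by RFC 5322, not required, so it is
reported as an observation, never as a failure.
"""
import re

# RFC 5322 section 3.2.3: atext and dot-atom-text
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM_TEXT = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# RFC 5322 section 3.6.4: no-fold-literal = "[" *dtext "]"
NO_FOLD_LITERAL = r"\[[\x21-\x5a\x5e-\x7e]*\]"
# msg-id = [CFWS] "<" id-left "@" id-right ">" [CFWS]; CFWS reduced to whitespace
MSG_ID_RE = re.compile(
    rf"^\s*<(?P<left>{DOT_ATOM_TEXT})@(?P<right>{DOT_ATOM_TEXT}|{NO_FOLD_LITERAL})>\s*$"
)
LOCAL_PLACEHOLDERS = {"localhost", "localdomain", "localhost.localdomain"}


def check_message_id(header_value):
    """Return (syntax_ok, observations) for one Message-ID header value.

    syntax_ok is False only when the value breaks the grammar (no <...>,
    no '@', illegal characters). observations are legal properties a
    filter might choose to score; none of them is an RFC violation.
    """
    m = MSG_ID_RE.match(header_value)
    if m is None:
        return False, ["does not match the RFC 5322 msg-id grammar"]
    right = m.group("right")
    notes = []
    if right.startswith("["):
        notes.append("id-right is an address literal")
    elif right.lower() in LOCAL_PLACEHOLDERS:
        notes.append("id-right is a local placeholder, duplication risk")
    elif "." not in right:
        notes.append("id-right has no dot, not an FQDN")
    return True, notes


if __name__ == "__main__":
    # Constructed samples; only the first one is quoted in the thread.
    for sample in (
        "<5b974eb73ed9c2d1b630f4b600191771@zfimvuyb.gwbba>",
        "<20180103120000.1234@localhost>",
        "<20180103120000.1234@mailhost>",
        "<20180103120000.1234@[192.0.2.1]>",
        "<6ba7b810-9dad-11d1-80b4-00c04fd430c8>",  # bare UUID, no '@'
        "20180103120000.1234@example.com",  # no angle brackets
    ):
        print(sample, check_message_id(sample))
```

The quoted "Apple Store" Message-ID passes the grammar with no observations, which is exactly Antony's point: syntax alone cannot reject it.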