On Wed, 9 Jun 2004, Paolo Cravero as2594 wrote:

> Hi.
> I just received a spam of which I copy here a part of headers. It
> slipped though a postfix+SA2.62 installation (basic SA with Bayes).
>
>
> Most of the message text was in a embedded picture, and a lot of CSS.
>
>
> What surprises me is the presence of X-UIDL header in a SMTP envelope.
> Moreover the X-UIDL value is non-numeric! Has anyone blocked this thing?
> Any special rule? (I can write my own if there's none around) Any reason
> why it is there?!
[snip..]

I've seen X-UIDL headers used by legimate mail-list sites, but they
were all long (10-40 character) hexidecimal numbers.

I've seen a modest amount of spam use those 'garbage' X-UIDL headers
and created this rule:

header L_BAD_UIDL       X-UIDL =~ /\W\W/
describe L_BAD_UIDL     Bad UIDL header
score L_BAD_UIDL        2.5

Havn't seen any FPs from it so far.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Reply via email to