On further researching the two non-German mails that hit Dave's qmail rule, I found that one was definitely spam (though not German) and the other was likely spam in Korean. So I take back what I said about it hitting ham; what I mean is that it will hit other things than these particular German spams.

It is worth considering a variation on this rule as a Qmail spoofing test. True Qmail-generated Message-IDs appear to contain only digits and periods before the qmail@ string; everything I have seen containing alphas, either lowercase or uppercase, has been a spoofed header.

I apologize for any confusion my quick response caused. I should have researched it more thoroughly first.

Pierre Thomson
BIC

-----Original Message-----
From: David B Funk [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 11, 2004 5:06 PM
To: Pierre Thomson
Cc: [EMAIL PROTECTED]
Subject: RE: Flooded by spam in German

On Fri, 11 Jun 2004, Pierre Thomson wrote:

> It absolutely WILL hit on ham. I gave Message-id =~ /qmail\@/ a score of 2.0
> which seems to help axe the German propaganda without generating FP's.
>
> So far today we have seen 19 emails hit the qmail@ rule, of which only two
> triggered the other German spam rules.
>
> Pierre Thomson
> BIC

Would you mind sharing with us more details about the ham that it hit?
(EG full headers with recipient names munged).

I checked a corpus of 549117 messages, found 14198 qmail message-ids, only 25 of those hit Dave's rule. Of those 25, 21 were the German spam (or bounces thereof), 3 were some other kind of botched virus attack and 1 was some other kind of spam. So altho it did hit more than just the German spam, the other hits were garbage too, so -no- FPs here for that rule.

My SMTP server has a dialup/DUL/dynamic-IP filter and it has been blocking thousands of these things.

--
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better.  B{
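An added illustration of the two rules discussed in this thread, written for this page and not taken from either poster or from SpamAssassin: Dave's broad test (any Message-ID containing `qmail@`) and Pierre's proposed stricter variant (flag a `qmail@` Message-ID whose part before `qmail@` contains letters). The "digits and periods only" shape is Pierre's observation from the mail he had seen, not a specification check, and the SpamAssassin rule names in the comment are assumed names, not rules from the list. The sample headers are constructed.

```python
import email
import re

# Added example, not code from the list thread. The expected shape (digits and
# periods only before "qmail@") is Pierre's observation, not a qmail guarantee.

# Dave's original test: any Message-ID containing "qmail@".
QMAIL_MARKER = re.compile(r"qmail@", re.IGNORECASE)

# Pierre's stricter shape: optional '<', then only digits/periods, then
# lowercase "qmail@" and a host. Letters (either case) before "qmail@" fail it.
GENUINE_SHAPE = re.compile(r"^\s*<?[0-9.]+qmail@[^>\s]+>?\s*$")

# Hypothetical SpamAssassin rendering of the same test (assumed rule names):
#   header __QMAIL_MSGID        Message-Id =~ /qmail\@/i
#   header __QMAIL_MSGID_SHAPE  Message-Id =~ /^\s*<?[\d.]+qmail\@/
#   meta   LOCAL_QMAIL_MSGID_SPOOF (__QMAIL_MSGID && !__QMAIL_MSGID_SHAPE)
#   score  LOCAL_QMAIL_MSGID_SPOOF 2.0


def classify_message_id(value):
    """Return 'no_qmail', 'qmail_ok' or 'qmail_spoofed' for a Message-ID value."""
    if not QMAIL_MARKER.search(value):
        return "no_qmail"
    if GENUINE_SHAPE.match(value):
        return "qmail_ok"
    return "qmail_spoofed"


def score_message(raw_message, spoof_score=2.0):
    """Parse a raw message and return the score the spoof test would add.

    A message with no Message-ID header scores 0.0: this test only judges
    Message-IDs that claim to be qmail-generated.
    """
    msg = email.message_from_string(raw_message)
    message_id = msg.get("Message-ID", "")
    if classify_message_id(message_id) == "qmail_spoofed":
        return spoof_score
    return 0.0


# Constructed sample messages (not mail from the thread).
SAMPLES = {
    "genuine": (
        "Message-ID: <20040611170605.12345.qmail@mx.example.net>\n"
        "From: sender@example.net\nSubject: genuine qmail shape\n\nbody\n"
    ),
    "spoofed_lower": (
        "Message-ID: <abc1234.qmail@example.org>\n"
        "From: sender@example.org\nSubject: letters before qmail@\n\nbody\n"
    ),
    "spoofed_upper": (
        "Message-ID: <2004AB.QMAIL@example.org>\n"
        "From: sender@example.org\nSubject: uppercase letters\n\nbody\n"
    ),
    "other_mta": (
        "Message-ID: <[email protected]>\n"
        "From: sender@example.com\nSubject: not qmail at all\n\nbody\n"
    ),
}


def run_samples():
    """Score every constructed sample; only the two spoofed ones should add 2.0."""
    return {name: score_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, score in run_samples().items():
        print(f"{name}: +{score}")
```

Note that the stricter shape only narrows Dave's rule; as Pierre says, it still hits non-German mail whose Message-ID merely looks spoofed, so it is a candidate for a modest score alongside other rules rather than a block on its own, which is also how Dave's corpus check (no FPs among 25 hits, but only 25 hits) should be read.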