Pierre Thomson <[EMAIL PROTECTED]> wrote:

> It is worth considering a variation on this rule as a Qmail
> spoofing test.  True Qmail-generated Message-ID's appear to
> contain only digits and periods before the qmail@ string;
> everything I have seen containing alphas, either lowercase or
> uppercase, has been a spoofed header.

In fact, the format seems to be even more restrictive than 
that.  It's a 14-digit timestamp in the format YYYYMMDDHHMMSS, 
then a dot, then a process ID (not sure what the possible range 
for that could be), then '.qmail@', then the hostname.  So it 
should match this regex:

   /[EMAIL PROTECTED]/

or, if you want to be even more specific (remove line breaks):

   /^20\d\d(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])
(?:[01]\d|2[0-3])(?:[0-5]\d){2}\.\d+\.qmail\@
(?:[A-Za-z\d](?:[A-Za-z\d-]*[A-Za-z\d])?\.)+[A-Za-z]{2,6}$/

I suppose if you wanted to get even more complicated you could 
check to make sure the date part isn't something like April 31, 
or February 29 in a nonleap year, and even see whether the date 
is within some range of the current time (especially not too 
far in the future).  I doubt the extra complication will catch 
enough spam to be worth it, though.  In fact, my first regex is 
probably plenty.

-- 
Keith C. Ivey <[EMAIL PROTECTED]>
Washington, DC
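
The extra checks discussed in the message above (impossible calendar dates, timestamps too far in the future) layered on the stricter regex, as an added example that is not part of the original message. The function name, the one-day future tolerance, and the sample Message-IDs are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# The stricter pattern from the message, joined onto one line, with the
# timestamp, PID and hostname captured. re.ASCII keeps \d to 0-9 only.
QMAIL_ID = re.compile(
    r"^(20\d\d(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])"
    r"(?:[01]\d|2[0-3])(?:[0-5]\d){2})\.(\d+)\.qmail@"
    r"((?:[A-Za-z\d](?:[A-Za-z\d-]*[A-Za-z\d])?\.)+[A-Za-z]{2,6})$",
    re.ASCII,
)

def check_qmail_message_id(msgid, now, max_future=timedelta(days=1)):
    """Return (verdict, reason) for a Message-ID header value.

    verdict is "not-qmail", "forged" or "plausible". max_future is an
    assumed tolerance for clock skew and timezone differences.
    """
    value = msgid.strip().strip("<>")
    if ".qmail@" not in value:
        return ("not-qmail", "no .qmail@ marker")
    m = QMAIL_ID.match(value)
    if not m:
        return ("forged", "does not match timestamp.pid.qmail@host")
    try:
        # strptime rejects April 31 and February 29 in a non-leap year,
        # which the regex alone lets through.
        stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    except ValueError:
        return ("forged", "impossible calendar date")
    if stamp - now > max_future:
        return ("forged", "timestamp too far in the future")
    return ("plausible", "well-formed")

# Constructed sample headers (not taken from real mail).
SAMPLES = [
    "<20040315113045.12345.qmail@mail.example.com>",
    "<20040431113045.12345.qmail@mail.example.com>",
    "<20030229010203.77.qmail@mail.example.com>",
    "<20040315113045.aBc12.qmail@mail.example.com>",
    "<20050101000000.5.qmail@mail.example.com>",
]

if __name__ == "__main__":
    now = datetime(2004, 3, 15, 12, 0, 0)  # constructed "current time"
    for s in SAMPLES:
        print(s, check_qmail_message_id(s, now))
```
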
