It was posted on this list a few days ago. Since you're the second person to ask about it I'll re-post it. The general form is:
header GERMANSPAM MESSAGEID =~ /^<[EMAIL PROTECTED]>/
describe GERMANSPAM Contains forged Qmail Message-ID
score GERMANSPAM 3.0 # adjust to taste!

It's now included in the SARE header0 rule set, according to Robert Menschel.

Pierre Thomson
BIC

-----Original Message-----
From: Wess [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 15, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: Re: Flooded by spam in German

Stucki,

Would you mind posting the qmail-Message-ID filter you are using?

Thanks!

On Tue, 2004-06-15 at 10:58, Chr. von Stuckrad wrote:

On Tue, Jun 15, 2004 at 04:45:42PM +0200, Ralf Guenthner wrote:
> it would be great, if SARE came up with a comprehensive ruleset for this
> right-wing drivel. I've already made up my own for the time being, but
> I'm not very good with regex, so I guess it can be done more efficiently?!

The rule which checks for the forged qmail-Message-ID[1] worked perfectly
here, and is only one Check/Pattern instead of a big meta-Rule.
(It was on the list, on this thread...)

So we removed the big rule and kept only the small and NOTHING more
came through (so far). So I presume, we can avoid the big pattern-list
(at least for a while :-)

Stucki

[1] Qmail *always* uses numeric unix-date/time for the Message-ID
as in <[EMAIL PROTECTED]>
the forgery contains hexadecimals in the 'numeric' time/date-string.
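
The check described in footnote [1], written out as an added Python example; it is not part of the original thread and is not the SARE rule. It assumes a qmail-generated Message-ID has the layout `<date.pid.qmail@host>` with decimal-only date and pid fields (the thread's own sample is redacted), and the sample messages and example.org/example.net hosts are constructed.

```python
import re
from email import message_from_string

# Assumption: qmail-style IDs look like <date.pid.qmail@host>.
# The first two fields are captured loosely so that forged values still match
# the overall shape and can be inspected.
QMAIL_SHAPE = re.compile(r"^<([^.@<>\s]+)\.([^.@<>\s]+)\.qmail@([^<>@\s]+)>$", re.I)
DECIMAL = re.compile(r"[0-9]+")


def classify_message_id(msgid):
    """Return 'not-qmail', 'plausible' or 'forged' for one Message-ID value."""
    m = QMAIL_SHAPE.match(msgid.strip())
    if not m:
        return "not-qmail"  # does not claim to come from qmail at all
    date_field, pid_field = m.group(1), m.group(2)
    # Footnote [1]: the forgery carries hexadecimal characters in the
    # 'numeric' date/time string. The pid field is held to the same
    # decimal-only standard here (assumption of this example).
    if DECIMAL.fullmatch(date_field) and DECIMAL.fullmatch(pid_field):
        return "plausible"
    return "forged"


def scan(raw_messages):
    """Classify the Message-ID header of each raw RFC 822 message."""
    results = []
    for raw in raw_messages:
        msgid = message_from_string(raw).get("Message-ID", "")
        results.append((msgid, classify_message_id(msgid)))
    return results


# Constructed sample messages, not taken from the thread.
SAMPLES = [
    "Message-ID: <20040615150712.12345.qmail@mail.example.org>\nSubject: a\n\nbody\n",
    "Message-ID: <20040615A3F0B2.12345.qmail@mail.example.org>\nSubject: b\n\nbody\n",
    "Message-ID: <abc123@example.net>\nSubject: c\n\nbody\n",
]

if __name__ == "__main__":
    for msgid, verdict in scan(SAMPLES):
        print(f"{verdict:10} {msgid}")
```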