On 2018-02-17 00:46, Amir Caspi wrote:
On Feb 16, 2018, at 4:41 PM, John Hardin <jhar...@impsec.org> wrote:

Not necessarily safe. If your MTA receives a message without a Message-ID, it is supposed to generate one. And if it does so, it will probably do so using your (recipient) domain...

Wouldn't this also FP on messages internal to the domain, i.e., sent
from one user to another on the same domain?

(Also, my Message-IDs don't seem to have this same format. Nor do yours.)

--- Amir

Theoretically, yes. However, if you look carefully at the different parts of the rule, you can see that the probability of an FP is very low.

- the TO field is a simple address not enclosed in <>
- the Message-ID has a special syntax found very seldom (check your logs)
- the header field Message-ID must come immediately after the To field
- the boundary used at the moment is one of the Microsoft boundaries

If you use amavisd you could check the log with

perl -ne 'print if /> -> <[^@]+\@([^>]+)>.+Message-ID: <\d{8,13}\.201[78]\d{5,11}\@\1/' logfile

This is not exactly the same rule because it uses the envelope recipient, but it shows if this sort of spam is relevant for you.

--
Michael
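As an added example (not code from the thread or from SpamAssassin), the Python below implements the header-level conditions listed above (bare To address, Message-ID of the quoted numeric shape using the recipient's domain, Message-ID immediately after To) and the same amavisd log scan as the perl one-liner; the boundary condition is left out because the thread does not give the boundary string, and all header and log samples are constructed.

```python
import re

# Message-ID shape from the thread: 8-13 digits '.' 2017/2018 digits '@' domain
MSGID_RE = re.compile(r'^<\d{8,13}\.201[78]\d{5,11}@([^>]+)>$')
# Bare To: address not enclosed in <> (simplified address syntax, assumption)
BARE_TO_RE = re.compile(r'^[^<>\s@]+@([^<>\s]+)$')
# Same pattern as the posted perl one-liner, applied to amavisd log lines
LOG_RE = re.compile(r'> -> <[^@]+@([^>]+)>.+Message-ID: <\d{8,13}\.201[78]\d{5,11}@\1')

def parse_headers(raw):
    """Return (name, value) pairs in original order, unfolding continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (' ', '\t') and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + ' ' + line.strip())
        elif ':' in line:
            name, value = line.split(':', 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def looks_like_forged_msgid(raw_headers):
    """True only when all three header conditions from the thread hold."""
    fields = parse_headers(raw_headers)
    for i, (name, value) in enumerate(fields):
        if name != 'to':
            continue
        to_match = BARE_TO_RE.match(value)
        if not to_match:
            return False  # To: uses <>, display name, or several addresses
        if i + 1 >= len(fields) or fields[i + 1][0] != 'message-id':
            return False  # Message-ID is not the very next header field
        mid = MSGID_RE.match(fields[i + 1][1])
        return bool(mid) and mid.group(1).lower() == to_match.group(1).lower()
    return False

def scan_amavis_log(lines):
    """Return the recipient domains of log lines matching the one-liner's pattern."""
    return [m.group(1) for m in map(LOG_RE.search, lines) if m]

# Constructed samples: a suspect message and an ordinary internal one
SUSPECT = ("From: Someone <x@example.net>\nTo: bob@example.com\n"
           "Message-ID: <1234567890.20180216123456@example.com>\nSubject: hi\n")
INTERNAL = ("From: alice@example.com\nTo: bob@example.com\nSubject: lunch\n"
            "Message-ID: <abc123@example.com>\n")
LOG_LINES = [
    "Feb 16 12:00:01 mx amavis[1]: (1-01) Passed SPAM {RelayedTaggedInbound}, [192.0.2.5]:4321 "
    "<x@example.net> -> <bob@example.com>, Queue-ID: A1, Message-ID: <1234567890.20180216123456@example.com>, mail_id: q",
    "Feb 16 12:00:02 mx amavis[1]: (1-02) Passed CLEAN {RelayedInbound}, [192.0.2.6]:4322 "
    "<alice@example.org> -> <bob@example.com>, Queue-ID: A2, Message-ID: <abc123@example.org>, mail_id: r",
]
```

Internal mail with a matching domain does not trigger the header check on its own; the ordering and Message-ID shape conditions have to hold as well.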
