Message-ID matching

Mariano Absatz el.baby at gmail.com
Mon Sep 13 20:58:32 IST 2004


On Fri, 10 Sep 2004 12:45:47 +0800, Mathias Koerber
<mathias.koerber at lightspeed.com.sg> wrote:
>         Date:         Sat, 4 Sep 2004 16:02:30 -0500
>         Reply-To:     MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>         From:         Alex Neuman van der Hans <alex at NKPANAMA.COM>
>         Subject:      Re: Message-ID matching
>
>
>         You can try the "bogus virus warnings" SpamAssassin rules. Works pretty
>         well most of the time.
>
> That may help some, but I am more after a generic solution which makes
> MailScanner remember the Message-IDs of messages sent out, so that replies
> that carry these in the references/in-reply-to are scored as much more
> likely being genuine than apparent replies which carry unknown Message-IDs.
>
> any hints?
>
> All I think would be required is
>
> a) a hook into MailScanner recording the Message-ID of outgoing messages
>    (just before handing them back to sendmail)
> b) a hook somewhere in the checking routine to check incoming messages
>    against known Ids (and a way to specify rules how to handle matches/
>    non-matches)
> c) some form of maintenance tool to purge the DB every now and then
>    (unless it can be a circular buffer overwriting the oldest entry
>    when full by itself).
>
> Secondly, many of the bounces we get are not virus warnings, but bounces
> because some virus somewhere sent email to nonexistent users/domains
> using a forged from: in our domain. From my cursory inspection the
> bogus virus warnings rules do not cover that..

Mmmmhhh you shouldn't get into those waters...

'Memory' is a _very_ difficult thing for a mail server, and if you have
more than one mailserver for outgoing and/or incoming mail, then
things get really worse.

Even though...  step b), in your proposal is incomplete... you have to
check those incoming messages' IDs _ONLY_ for messages that are
bounces... not for EVERY incoming message... for instance, the
Message-Id of this message that has just been 'incoming' to your
server (so you can read it now) was completely unknown to your server,
that is, it never came out, cause it was generated outside...

You could do this check _ONLY_ for messages whose envelope from is
empty (SMTP 'MAIL FROM:<>'), but then, there are hundreds of brain
damaged mail servers out there that generate bounces and use
MAILER-DAEMON at domain or other similar stuff for envelope from (some of
them are wrongly configured because some other stupid sysadmin before
thought that rejecting empty envelope froms would keep spam away...
well the chain of stupidity is almost limitless).

Then, you should also be sure that all valid mail with a from address
in your domain DID pass thru your outgoing MailScanners... maybe a
roaming user of your network sends mail from your domain using other
SMTP servers...

If I were you, I'd give a shot to "bogus virus warnings" SpamAssassin
rules from SARE before trying this stuff...



--
Mariano Absatz - El Baby
el (dot) baby (AT) gmail (dot) com
el (punto) baby (ARROBA:@) gmail (punto) com
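
The scheme discussed in this thread (record outgoing Message-IDs in a bounded store, then check only bounces against it), as an added Python sketch that is not MailScanner code and not from either poster. The names `OutboundIdCache`, `is_bounce`, `referenced_ids` and `classify` are hypothetical, the sample message is constructed, and the lookup goes slightly beyond the thread by also reading the Message-ID of an original message attached to the bounce.

```python
import re
from collections import OrderedDict
from email import message_from_string

MSGID_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")
BOUNCE_LOCALPARTS = {"mailer-daemon"}   # assumption: extend for your own traffic

class OutboundIdCache:
    """Bounded memory of sent Message-IDs; the oldest entry is dropped when full."""
    def __init__(self, capacity=100_000):
        self.capacity = capacity
        self._ids = OrderedDict()

    def record(self, message_id):          # step (a): call for each outgoing message
        self._ids[message_id.strip()] = True
        self._ids.move_to_end(message_id.strip())
        while len(self._ids) > self.capacity:
            self._ids.popitem(last=False)  # step (c): circular buffer, no purge job

    def __contains__(self, message_id):
        return message_id.strip() in self._ids

def is_bounce(envelope_from):
    """True for MAIL FROM:<> and for servers that bounce from MAILER-DAEMON@domain."""
    sender = envelope_from.strip("<> ").lower()
    return sender == "" or sender.split("@")[0] in BOUNCE_LOCALPARTS

def referenced_ids(msg):
    """IDs in In-Reply-To/References, plus Message-ID of any attached original."""
    ids = set()
    for index, part in enumerate(msg.walk()):
        # index 0 is the bounce itself; its own Message-ID is foreign by definition
        names = ["In-Reply-To", "References"] + (["Message-ID"] if index else [])
        for name in names:
            for value in part.get_all(name, []):
                ids.update(MSGID_RE.findall(str(value)))
    return ids

def classify(cache, envelope_from, raw_message):   # step (b), bounces only
    if not is_bounce(envelope_from):
        return "not-a-bounce"       # ordinary mail legitimately carries unknown IDs
    ids = referenced_ids(message_from_string(raw_message))
    return "bounce-known-id" if any(i in cache for i in ids) else "bounce-unknown-id"

# Constructed sample: a bounce that cites an ID this server never sent.
SAMPLE_BOUNCE = ("From: MAILER-DAEMON@mx.example.net\n"
                 "References: <never-sent@example.org>\n\nUser unknown\n")

if __name__ == "__main__":
    cache = OutboundIdCache(capacity=2)
    cache.record("<sent-1@example.org>")
    print(classify(cache, "<>", SAMPLE_BOUNCE))
```

Because roaming users may send through other SMTP servers, "bounce-unknown-id" is better fed into a score than used to reject outright, and with several outgoing servers the cache has to be shared between them.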
