Larry, I think you're right, might be a bug for that rule. Here's from a message I sent a bit ago, and it didn't hit the MSGID_GOOD_EXCHANGE.
Message-ID: <[EMAIL PROTECTED]>

It has a forty char string. The other thing in that rule is (if I'm reading it correctly, a regex tends to gimme a headache sometimes) that it is looking for A-Z in the string, but the Message-ID appears to only come through in hex. Granted this is from an Exchange 5.5 server, so an Exchange 2000/2003 machine might produce different results. Can anybody verify/dispute the stuff about the Message-ID string?

<rant>
IMHO, I think finding out if a message is legit carries just as much weight as finding out if it is crap. If I can combine x amount of tests to verify that it's legitimately from an Exchange server, it would be worth it from the perspective that I could maybe sideline those messages for a more thorough review to see if they are a FP. That, and if a spammer has to spend time (i.e. money) to figure out how to hit my rule for a small point knock off, I've at least succeeded in making their life just a little more miserable :)
</rant>

Mike

-----Original Message-----
From: Larry Gilson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2003 6:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [SAtalk] [RD] MSGID_GOOD_EXCHANGE

Hey Mike,

> -----Original Message-----
> From: Mike Kuentz (2
> Good call, I'm sorry I missed that. What a shame, I was
> hoping I was on to something, if nothing other than
> solidifying the MSGID_GOOD_EXCHANGE rule. Oh well, back to
> the drawing board!
>
> Mike

I am curious, does MSGID_GOOD_EXCHANGE even work? I see the test in 20_compensate.cf. The match is as follows:

Message-Id =~ /^<[EMAIL PROTECTED]>$/

However, most Exchange Message-Ids I see are in the form of:

Message-ID: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>

The match seems like it should be more like:

Message-Id =~ /^<[A-Z0-9]{36,[EMAIL PROTECTED]>$/

You could create your own meta rules. The following are possible examples.

Exchange 5.5
Received =~ /by.*with Internet Mail Service \(5\.5\.\d{4}\.\d{2}\)/

Exchange 2K/2K3
X-MimeOLE =~ /Produced By Microsoft Exchange V6\.5\.\d{4}\.\d{2}/

You have to ask yourself in the end though if these tests really help identify a legitimate message.

--Larry

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
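
The meta-rule idea discussed in this thread, sketched in Python as an added example (not code from either poster or from SpamAssassin): a message counts as "likely Exchange" only when a server banner test and a Message-ID shape test agree. The Message-ID pattern, the function names and the sample messages are assumptions, since the archive redacted the real patterns and IDs.

```python
import re
from email import message_from_string

# The two server-banner tests from the thread, build number as \d{4}\.\d{2}.
EXCH_55 = re.compile(r"by.*with Internet Mail Service \(5\.5\.\d{4}\.\d{2}\)")
EXCH_2K = re.compile(r"Produced By Microsoft Exchange V6\.5\.\d{4}\.\d{2}")
# ASSUMPTION: the real Message-ID patterns are redacted in the archive; this
# shape (36-40 upper-case alphanumerics, then @host) is only illustrative.
MSGID_SHAPE = re.compile(r"^<[A-Z0-9]{36,40}@[^>\s]+>$")


def exchange_signals(raw):
    """Return the set of Exchange indicators found in one raw message."""
    msg = message_from_string(raw)
    hits = set()
    if any(EXCH_55.search(h) for h in msg.get_all("Received", [])):
        hits.add("received_55")
    if EXCH_2K.search(msg.get("X-MimeOLE", "")):
        hits.add("mimeole_2k")
    if MSGID_SHAPE.match(msg.get("Message-ID", "").strip()):
        hits.add("msgid_shape")
    return hits


def likely_exchange(raw):
    """Meta rule: a server banner AND a plausible Message-ID must both hit."""
    hits = exchange_signals(raw)
    return "msgid_shape" in hits and bool(hits & {"received_55", "mimeole_2k"})


# Constructed sample messages (not real traffic).
GENUINE = (
    "Received: from pc1.example.com by mail.example.com with Internet Mail "
    "Service (5.5.2653.19) id T1; Tue, 9 Sep 2003 06:49:00 -0400\n"
    "Message-ID: <0123456789ABCDEF0123456789ABCDEF01234567@mail.example.com>\n"
    "Subject: test\n\nbody\n"
)
# Banner copied, but the Message-ID does not have the expected shape.
FORGED_BANNER = GENUINE.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567", "spam-20030909")
# Message-ID has the shape, but no Exchange banner appears in Received.
NO_BANNER = GENUINE.replace("Internet Mail Service (5.5.2653.19)", "ESMTP")

if __name__ == "__main__":
    for name in ("GENUINE", "FORGED_BANNER", "NO_BANNER"):
        raw = globals()[name]
        print(name, sorted(exchange_signals(raw)), likely_exchange(raw))
```

A single indicator is easy to copy, so the combined result is better suited to routing a message for closer false-positive review than to carrying a large negative score on its own.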