At 12:26 PM 1/5/2005, Steve Bondy wrote:
Is it safe to write a rule that triggers on the content of the Message
ID header?

Yes...


I frequently see things coming in which have message IDs that include
the domain name of the target mail system, rather than the source mail
system.  If I remember correctly, the message ID should always be the
source....


You might want to look at the MSG_ID_ADDED_BY_MTA_* series of rules that shipped with 2.5x.

Unfortunately, there is still quite a bit of legitimate mail that fails to insert message IDs like it should. My last was a webinar announcement from Wind River (makers of the VxWorks RTOS).

Also, a lot of broken vacation messages match this, but that's no loss; IMO, sites which allow vacation rules that respond to list posts should be blacklisted.

Just because the RFC says MUST doesn't mean that all legitimate mailers will follow the standard. Let's face it, spec violations are common. Even your own email server plays loose with the specs by HELOing as svr06.rafte.com, which forward resolves to a different IP address than it really is...


Received: from 216-136-48-238.gen.twtelecom.net (HELO svr06.rafte.com) (216.136.48.238)
by apache.org (qpsmtpd/0.28) with ESMTP; Wed, 05 Jan 2005 09:26:35 -0800


$host svr06.rafte.com
svr06.rafte.com has address 216.136.48.228

Technically, if possible, you should HELO with your full hostname, which forward resolves. If not possible, the spec allows you to insert some other string, but by HELOing as a resolvable hostname which resolves to a different IP, you've engaged in what appears to be HELO forgery.
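The HELO check described in the message above, as an added example that is not part of the original post: it parses a qpsmtpd-style Received header, forward-resolves the HELO name and compares the result with the connecting IP. The names `classify_helo`, `stub_resolver` and `SAMPLE_DNS` are hypothetical, and the resolver is stubbed with the `host` answer quoted in the message so the example runs offline.

```python
import ipaddress
import re
import socket

# qpsmtpd-style trace line, as quoted above: from <rdns> (HELO <name>) (<ip>)
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(HELO\s+(?P<helo>[^\s)]+)\)\s+\((?P<ip>[0-9A-Fa-f.:]+)\)")

# The header and the `host` answer from the message, used as offline sample data.
SAMPLE = ("Received: from 216-136-48-238.gen.twtelecom.net "
          "(HELO svr06.rafte.com) (216.136.48.238)\n"
          " by apache.org (qpsmtpd/0.28) with ESMTP; Wed, 05 Jan 2005 09:26:35 -0800")
SAMPLE_DNS = {"svr06.rafte.com": {"216.136.48.228"}}

def stub_resolver(name):
    """Offline resolver backed by SAMPLE_DNS (hypothetical helper)."""
    return SAMPLE_DNS.get(name.lower(), set())

def system_resolver(name):
    """Forward-resolve a hostname with the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except (socket.gaierror, UnicodeError):
        return set()

def classify_helo(received, resolve=system_resolver):
    """Return (verdict, helo, peer_ip) for one Received header."""
    m = RECEIVED_RE.search(received)
    if m is None:
        return ("unparsed", None, None)
    helo, peer_ip = m.group("helo"), m.group("ip")
    if helo.startswith("["):  # address literal: compare directly, no DNS
        literal = helo.strip("[]")
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            same = ipaddress.ip_address(literal) == ipaddress.ip_address(peer_ip)
        except ValueError:
            return ("unparsed", helo, peer_ip)
        return ("match" if same else "mismatch", helo, peer_ip)
    addrs = resolve(helo.rstrip("."))
    if not addrs:  # the message notes the spec allows a non-resolving string
        return ("unresolvable", helo, peer_ip)
    return ("match" if peer_ip in addrs else "mismatch", helo, peer_ip)

if __name__ == "__main__":
    print(classify_helo(SAMPLE, resolve=stub_resolver))
```

Only the "mismatch" verdict corresponds to the apparent HELO forgery described above; "unresolvable" is kept separate so that hosts using a non-resolving HELO string are not scored the same way.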




