> Is it safe to write a rule that triggers on the content of the Message
> ID header?

Sure.

> I frequently see things coming in which have message IDs that include
> the domain name of the target mail system, rather than the source mail
> system.  If I remember correctly, the message ID should always be the
> source....

I don't recall any such rule, although there may be one.  In general the system 
that inserts the message-id header will insert itself as the domain part.  Many 
spams, coming directly from zombie machines to the target domain, won't have a 
message-id, so it will be inserted by the target SMTP handler.

If you know your own domain name (and it isn't a large ISP) then you might be 
able to write a rule that will work fairly well.  I wouldn't score it very high 
though, since for instance one of your users sending mail to another user on 
your system will have your system insert the message-id.

            Loren
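The rule discussed in this thread, modelled in Python as an added example (not code from the original post or from any mail filter). The local domain `example.org`, the 0.5 score, the function names and the use of the From header to skip local-to-local mail are assumptions made for illustration.

```python
import email
from email.utils import parseaddr

LOCAL_DOMAIN = "example.org"  # assumption: the receiving site's own domain
LOW_SCORE = 0.5               # assumption: kept small, as the reply advises

def domain_of(value):
    """Lowercased domain part of an address or Message-ID, '' if absent."""
    addr = (value or "").strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_local(domain, local=LOCAL_DOMAIN):
    """True for the local domain itself or any host beneath it."""
    return domain == local or domain.endswith("." + local)

def msgid_rule(raw_message):
    """Return (score, reason) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    msgid_domain = domain_of(msg.get("Message-ID"))
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if not is_local(msgid_domain):
        return 0.0, "message-id is absent or not in the local domain"
    # Local user to local user: the local system inserts the Message-ID,
    # so a match is expected. From can be forged, hence the low score below.
    if is_local(from_domain):
        return 0.0, "local sender, local message-id expected"
    return LOW_SCORE, "external sender, message-id carries local domain"

# Constructed sample messages, not real mail.
SAMPLES = {
    "direct_to_mx": "From: Promo <promo@bulk.example>\n"
                    "Message-ID: <20240101.1a2b@mx1.example.org>\n\nhi\n",
    "internal":     "From: alice@example.org\n"
                    "Message-ID: <abc123@example.org>\n\nlunch?\n",
    "normal_ext":   "From: bob@sender.example\n"
                    "Message-ID: <xyz789@sender.example>\n\nhello\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, msgid_rule(raw))
```
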
