Hello Steve, Matt,

Wednesday, January 5, 2005, 10:27:32 AM, you wrote:

MK> At 12:26 PM 1/5/2005, Steve Bondy wrote:
>>Is it safe to write a rule that triggers on the content of the Message
>>ID header?

MK> Yes...

Agreed.

>>I frequently see things coming in which have message IDs that
>>include the domain name of the target mail system, rather than the
>>source mail system. If I remember correctly, the message ID should
>>always be the source....

Also agreed with all the others -- this simple a rule does not work.

The SARE header rules files include several message-id rules that test
for patterns that are found in spam but not non-spam. Examples:

header   SARE_MSGID_LONG MESSAGEID =~ /<.{135,}>/
describe SARE_MSGID_LONG Message ID is too long.
score    SARE_MSGID_LONG 1.183
#hist    SARE_MSGID_LONG Jesse Houwing, August 20 2004
#max     SARE_MSGID_LONG 90s/0h of 70699 corpus (43133s/27566h RM) 10/02/04
#counts  SARE_MSGID_LONG 16s/0h of 38748 corpus (15267s/23481h JH-SA3.0rc1) 08/19/04
#counts  SARE_MSGID_LONG 7s/0h of 34763 corpus (18647s/16116h MY) 08/25/04

header   SARE_MSGID_SHORT MESSAGEID =~ /^.{1,6}$/
describe SARE_MSGID_SHORT Message ID is too short to be valid.
score    SARE_MSGID_SHORT 3.333
#stype   SARE_MSGID_SHORT spamgg
#hist    SARE_MSGID_SHORT RM_hm_ShortMsgid6
#counts  SARE_MSGID_SHORT 8s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
#max     SARE_MSGID_SHORT 191s/0h of 115925 corpus (94616s/21309h) 05/01/04
#counts  SARE_MSGID_SHORT 24s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts  SARE_MSGID_SHORT 68s/0h of 17050 corpus (14617s/2433h MY) 08/08/04

If you find any other combinations that can be used to identify spam,
we're definitely interested in testing them.

Bob Menschel
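
The two rules quoted above, run over constructed sample messages. This is an added example, not part of the original post and not SARE or SpamAssassin code; `messageid_value`, `evaluate` and the sample messages are hypothetical, and the newline-joined treatment of `Message-Id`, `Resent-Message-Id` and `X-Message-Id` is an approximation of how SpamAssassin builds `MESSAGEID`.

```python
import re
from email import message_from_string

# (name, pattern, score) exactly as quoted in the post.
RULES = [
    ("SARE_MSGID_LONG", re.compile(r"<.{135,}>"), 1.183),
    ("SARE_MSGID_SHORT", re.compile(r"^.{1,6}$"), 3.333),
]

# Assumption: MESSAGEID covers these three headers, joined by newlines.
MSGID_HEADERS = ("Message-Id", "Resent-Message-Id", "X-Message-Id")


def messageid_value(raw):
    """Build the text the rules are matched against."""
    msg = message_from_string(raw)
    values = []
    for name in MSGID_HEADERS:
        for value in msg.get_all(name, []):
            unfolded = " ".join(str(value).split())  # unfold and trim
            if unfolded:
                values.append(unfolded)
    return "\n".join(values)


def evaluate(raw):
    """Return (names of rules that hit, summed score)."""
    value = messageid_value(raw)
    hits = [(name, score) for name, rx, score in RULES if rx.search(value)]
    return [name for name, _ in hits], round(sum(s for _, s in hits), 3)


# Constructed sample messages (not taken from any real mail).
NORMAL = "Message-ID: <20050105182732.GA1234@mail.example.org>\n\nbody\n"
SHORT = "Message-ID: <a@b>\n\nbody\n"  # 5 characters, brackets included
LONG = "Message-ID: <" + "x" * 140 + "@example.net>\n\nbody\n"
# A relayed copy carrying a second ID: the joined value contains a newline,
# so the anchored SHORT pattern no longer matches in this approximation.
RELAYED = ("Message-ID: <a@b>\n"
           "Resent-Message-Id: <list.0001@lists.example.org>\n\nbody\n")

if __name__ == "__main__":
    for label, raw in [("normal", NORMAL), ("short", SHORT),
                       ("long", LONG), ("relayed", RELAYED)]:
        print(label, evaluate(raw))
```

Note that the length in SARE_MSGID_SHORT counts the angle brackets, while SARE_MSGID_LONG counts only the characters between them.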