On 11/17/18 9:52 AM, John Hardin wrote:
>> From: John D. Smith <johnsm...@richland.edu> <cay...@corpmaqplast.com>
>> To: kdeu...@vianet.ca
>> Message-ID: <35706717752563516902.8f4660866aa84...@vianet.ca>
>>
>> Couple of things:
>> 1. Recent discussions on this mailing list showed me that the Message-ID
>> should never have the recipient's domain in it
>
> That's not 100% true.
>
> There is no requirement that the sender put a Message-ID on the message.
> It is valid for your MTA to add a Message-ID onto a message that was
> received without one. That is likely going to be done using your domain.
>

Sure. Real MTAs/MUAs should be setting a Message-ID header, else it will look very spammy. Copiers, scanners, and other basic SMTP-enabled devices often don't put all of the "standard" headers in their messages, so they have to be whitelisted safely. My Postfix MTA doesn't add the Message-ID header, and even if it did, it would be something like "ena.net", which is not going to match the dozens of domains that I filter. This strategy seems to have helped stop this type of spam so far without over-blocking.

> I'd suggest a filter on Message-ID domain would be more appropriate at
> the MTA level than in SA - if a message is received from outside with a
> Message-ID having a domain that you control, reject it at that point,
> before the possibility of adding a local one because it's missing
> becomes a source of ambiguity.
>

I am using MailScanner, so that is a drawback: not being able to reject during the SMTP conversation. I do try to reject as much as I can at the MTA so MailScanner and SA only have to block the tough ones. Most spam scores above 30, which is not going to be missed by anyone (not something they are expecting to receive).

> I do something similar with HELO. You might want to look into that too -
> check your logs for the HELOs that spammers are using, there are
> low-hanging fruit there (that I'm reluctant to discuss publicly).
>

Interesting. I may have to make some time over the holidays to research this a bit more in my logs. My mail filtering is pretty spot on right now, but if anything gets through I will check the HELO details. Most of the things that get through now are zero-hour messages from compromised accounts, so those HELOs are going to be good and everything else (FCrDNS, SPF, DKIM, DMARC) will be legit and pass. I am thinking of increasing the time on greylisting to give DCC and RBLs time to catch up with compromised accounts.

>> 2. Seems like there should be easy rules to detect more than one pair of
>> angle brackets and more than one at sign to add points to non-standard
>> display names.
>
> There probably are. A big question is: does that appear enough in the
> masscheck corpora to be promoted as a useful rule?
>

I think my ena-week[0-4] (past 5 weeks) masscheckers are still the majority of the overall masscheck corpora. I need some help planting email addresses out there that will attract more spam of differing types or something. I definitely need to get more non-English spam in there.

-- 
David Jones
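The two checks discussed in this thread, as an added Python example that is not code from the thread, from SpamAssassin, from MailScanner or from Postfix: (1) the MTA-level rule John suggests, rejecting a message received from outside whose Message-ID carries a domain you control, while leaving a missing Message-ID alone so the MTA can still add its own; and (2) the rule idea from point 2, flagging a From: header with more than one angle-bracket pair or more than one "@". The `LOCAL_DOMAINS` set, the rule names and both sample messages are constructed for illustration and are not real mail; whether a message "arrived from outside" is passed in as a flag because in a real deployment the MTA knows that from the SMTP session, not from the headers.

```python
import email
import re

# Assumption for this example: the domains this MTA is authoritative for
# (in the thread, "the dozens of domains that I filter").
LOCAL_DOMAINS = {"example.org", "mail.example.org"}


def message_id_domain(msg_id):
    """Return the lower-cased domain of a Message-ID like <local@domain>,
    or None when the header is absent or carries no '@'."""
    if not msg_id:
        return None
    m = re.fullmatch(r"\s*<([^<>]*)>\s*", msg_id)
    inner = m.group(1) if m else msg_id.strip()
    if "@" not in inner:
        return None
    return inner.rsplit("@", 1)[1].lower()


def forged_local_message_id(msg_id, received_from_outside=True,
                            local_domains=LOCAL_DOMAINS):
    """A message that arrived from outside but whose Message-ID names one of
    our own domains. A missing Message-ID is deliberately NOT a hit: the MTA
    may legitimately add one (using our domain) later in the pipeline, which
    is exactly the ambiguity the thread warns about."""
    dom = message_id_domain(msg_id)
    return received_from_outside and dom is not None and dom in local_domains


def odd_display_name(from_header):
    """More than one <...> pair or more than one '@' in a single-address
    From: header, e.g. 'Name <real@victim.example> <actual@spammer.example>'
    or a display name that is itself an address."""
    raw = from_header or ""
    pairs = len(re.findall(r"<[^<>]*>", raw))
    ats = raw.count("@")
    return pairs > 1 or ats > 1


def analyze(raw_message, received_from_outside=True):
    """Run both checks over a raw RFC 5322 message and return the names of
    the rules that fired, in check order. The compat32 parser (the default
    for email.message_from_string) is used on purpose so header values come
    back as the raw strings the sender transmitted, not re-serialised."""
    msg = email.message_from_string(raw_message)
    hits = []
    if forged_local_message_id(msg.get("Message-ID"), received_from_outside):
        hits.append("MSGID_LOCAL_DOMAIN_FROM_OUTSIDE")
    if odd_display_name(msg.get("From")):
        hits.append("FROM_MULTI_ANGLE_OR_AT")
    return hits


# Constructed samples (not real mail), shaped like the headers quoted above.
SAMPLE_SPAM = """\
From: John D. Smith <john.smith@college.example> <sales@plastics.example>
To: user@example.org
Message-ID: <35706717752563516902.0123456789ab@example.org>
Subject: Quick request

Are you at your desk?
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane@partner.example>
To: user@example.org
Message-ID: <20181117095200.ABC123@partner.example>
Subject: Invoice

Attached as discussed.
"""

if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw))
```

The same regexes carry over directly to the production tools named in the thread: the Message-ID pattern fits a Postfix `header_checks` entry that REJECTs during the SMTP conversation (which is where John suggests doing it, and what the MailScanner setup described above cannot do), and the From: pattern fits a SpamAssassin `header` rule against `From:raw` so that it scores the unparsed header rather than SA's normalised address.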