On Sat, 17 Nov 2018, David Jones wrote:
On 11/17/18 9:52 AM, John Hardin wrote:
From: John D. Smith <johnsm...@richland.edu> <cay...@corpmaqplast.com>
To: kdeu...@vianet.ca
Message-ID: <35706717752563516902.8f4660866aa84...@vianet.ca>
Couple of things:
1. Recent discussions on this mailing list showed me that the Message-ID
should never have the recipient's domain in it
That's not 100% true.
There is no requirement that the sender put a Message-ID on the message.
It is valid for your MTA to add a Message-ID onto a message that was
received without one. That is likely going to be done using your domain.
Sure. Real MTAs/MUAs should be setting a Message-ID header else it will
look very spammy. Copiers, scanners, and other basic SMTP-enabled
devices often don't put all of the "standard" headers in their messages
so they have to be whitelisted safely.
My Postfix MTA doesn't add the Message-ID header and even if it did, it
would be something like "ena.net" that is not going to match the dozens
of domains that I filter.
Yeah, in your case it's probably safe to do in SA.
This strategy seems to have helped stop this type of spam so far without
over blocking.
I'd suggest a filter on Message-ID domain would be more appropriate at
the MTA level than in SA - if a message is received from outside with a
Message-ID having a domain that you control, reject it at that point,
before the possibility of adding a local one because it's missing
becomes a source of ambiguity.
I am using MailScanner so that is a drawback not being able to reject
during the SMTP conversation.
I don't consider MailScanner to be "at the MTA level". I'm not familiar
with PostScript but I'm sure there's a way to configure it to do a check
like that during the SMTP conversation before any external
message-processing tools are called.
I do try to reject as much as I can at
the MTA so MailScanner and SA only have to block the tough ones. Most
spam scores above 30 which is not going to be missed by anyone (not
something they are expecting to receive).
I do something similar with HELO. You might want to look into that too -
check your logs for the HELOs that spammers are using, there are
low-hanging fruit there (that I'm reluctant to discuss publicly).
Interesting. I may have to make some time over the holidays to research
this a bit more in my logs. My mail filtering is pretty spot on right
now but if anything gets through I will check the HELO details. Most of
the things that get through now are zero-hour messages from compromised
accounts so those HELOs are going to be good and everything else
(FCrDNS, SPF, DKIM, DMARC) will be legit and pass. I am thinking of
increasing the time on greylisting to give DCC and RBLs time to catch up
with compromised accounts.
2. Seems like there should be easy rules to detect more than one pair of
angle brackets and more than one at sign to add points to non-standard
display names.
There probably are. A big question is: does that appear enough in the
masscheck corpora to be promoted as a useful rule?
I think my ena-week[0-4] (past 5 weeks) masscheckers are still the
majority of the overall masscheck corpora. I need some help planting
email addresses out there that will attract more spam of differing types
or something. I definitely need to get more non-English spam in there.
Heh. Rather than (or in addition to) reject at the MTA level you should be
dumping them into your spam corpora (if you're not already doing that).
We also badly need non-English *ham*.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Usually Microsoft doesn't develop products, we buy products.
-- Arno Edelmann, Microsoft product manager
-----------------------------------------------------------------------
597 days since the first commercial re-flight of an orbital booster (SpaceX)
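An added example, not part of the thread and not SpamAssassin's own code, that implements the two header checks discussed above in Python: flag mail received from outside whose Message-ID carries one of our own domains, and a From header with more than one angle-bracket pair or at sign. The LOCAL_DOMAINS set and the sample headers are constructed placeholders, and a missing Message-ID is deliberately left unflagged because the local MTA may add one.

```python
import re
from email import message_from_string

# Domains this site controls: constructed placeholders, not from the thread.
LOCAL_DOMAINS = {"example.com", "example.net"}
# Message-ID is "<left@right>"; capture the right-hand (domain) part.
MSGID_RE = re.compile(r"<[^<>@\s]+@([^<>@\s]+)>")

def msgid_domain(msgid):
    """Domain part of a Message-ID value, lower-cased, or None if absent/malformed."""
    m = MSGID_RE.search(msgid) if msgid else None
    return m.group(1).lower() if m else None

def is_local_domain(domain):
    """True for a controlled domain or any subdomain of one (mx.example.com)."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)

def msgid_claims_local_domain(msg):
    """Mail received from outside whose Message-ID uses our own domain.
    A missing Message-ID is deliberately NOT flagged: the local MTA may add
    one (with our domain) before the filter sees the message."""
    dom = msgid_domain(msg.get("Message-ID"))
    return dom is not None and is_local_domain(dom)

def from_has_extra_brackets_or_ats(msg):
    """More than one <...> pair or more than one @ in From; a genuine
    display-name plus address never has either."""
    raw = msg.get("From", "")
    return len(re.findall(r"<[^<>]*>", raw)) > 1 or raw.count("@") > 1

def check_headers(raw_message):
    """Run both checks on a raw RFC 822 message; returns {rule_name: bool}."""
    msg = message_from_string(raw_message)
    return {"MSGID_LOCAL_DOMAIN": msgid_claims_local_domain(msg),
            "FROM_EXTRA_ANGLE_OR_AT": from_has_extra_brackets_or_ats(msg)}

# Constructed samples shaped like the headers quoted in the thread.
SPAMMY = ("From: John D. Smith <jsmith@example.org> <sales@bogus.invalid>\n"
          "To: user@example.com\n"
          "Message-ID: <1234.5678@mail.example.com>\n\nhello\n")
CLEAN = ("From: Jane Doe <jane@example.org>\nTo: user@example.com\n"
         "Message-ID: <abcd@mail.example.org>\n\nhello\n")
# A scanner that sends no Message-ID at all; the MTA may add one later.
NO_MSGID = "From: Scanner <scanner@example.org>\nTo: user@example.com\n\nscan\n"

if __name__ == "__main__":
    for name, sample in (("spammy", SPAMMY), ("clean", CLEAN), ("no-msgid", NO_MSGID)):
        print(name, check_headers(sample))
```

The same two regexes map directly onto SpamAssassin `header` rules on From and Message-ID; the missing-Message-ID case is the one to keep out of the rule so that an ID added by your own MTA is not scored.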