I just learned of an issue we're having on a false positive due to a hit on
INVALID_MSGID (and that I'd jacked the score on that up to 20, but that's
another story...).  While I just learned of the issue today, it started a
bit ago for this sender.  Looking in the logs, I see the last message we
received from them where the INVALID_MSGID rule was NOT hitting showed:

2005-04-05 12:52:18 1DIrHM-0004AH-Tp <= [EMAIL PROTECTED] H=(net1xans.agns.fr) [195.75.30.70] P=esmtp S=643141 id="/GUID:QPywoUg6DZ06+yvqCupCVJw*/G=Cam/S=Dowlat/OU=Corporate-Markham/O=Alcatel Cable/PRMD=ACAB/ADMD=ATTMAIL/C=CA/"@MHS

But then it seems they changed the syntax their system uses to generate the
Message-ID header so that now the INVALID_MSGID rule is matching.  The logs
showed:

2005-04-08 10:31:04 1DJuVf-0006hu-Sv SA: Action: permanently rejected message: score=21.1 required=5.0 trigger=10.0 (scanned in 4/4 secs | Message-Id: "-GUID:QnGodydG460CKmx35BCOvbw*-G=Cam-S=Dowlat-OU=Corporate-Markham-O=Alcatel Cable-PRMD=ACAB-ADMD=ATTMAIL-C=CA-"@MHS). From <[EMAIL PROTECTED]> (host=NULL [195.75.30.71]) for [EMAIL PROTECTED]

[A different log file showed that the INVALID_MSGID was being hit for the
rule in question.]

So, looking at:

"/GUID:QPywoUg6DZ06+yvqCupCVJw*/G=Cam/S=Dowlat/OU=Corporate-Markham/O=Alcatel Cable/PRMD=ACAB/ADMD=ATTMAIL/C=CA/"@MHS

"-GUID:QnGodydG460CKmx35BCOvbw*-G=Cam-S=Dowlat-OU=Corporate-Markham-O=Alcatel Cable-PRMD=ACAB-ADMD=ATTMAIL-C=CA-"@MHS

Side-by-side, it seems[1] that the only substantial difference between them
is that they've replaced the "/" with "-".  So I'm not certain why, if the
1st is valid, the 2nd one would not be considered valid as well?

The log entries shown occurred while we were still running 3.0.2.  I
upgraded to 3.0.3 earlier today[2], and the INVALID_MSGID is still firing
against this message-id format from this sender.

[1] I looked at these log lines with hexdump -C, and at least in the
log, the "space" was not some non-ascii character, and the - was really a -.

[2] Since this issue seems unrelated to that, I can say we've had no
problems with it so far :)
