This blog post was originally published on .

If you are running your own mail services, you might already have noticed that there is a lot of SPAM originating (or actually faking) from addresses. The layout of the mails is mostly the same every time. The subject will contain something like "Fw: News!" or just "Fw: ", and the mail body usually starts with "Hello! http://<some bogus url>" or similar. Following the link will bring you to some "lose some weight" pages; I haven't analyzed whether any malware is propagated through them.

If you are having trouble filtering this kind of mail with your anti-SPAM system, here is a simple and fast way to block it. After analyzing the mail headers, I found that the spammers are doing something very specific with the Message-ID of these mails. The Message-ID always looks like this: <[email protected] <fromaddress>.

This is not what a Message-ID should look like, so I set up a header check in my Postfix configuration. This simple regular expression solves the issue:

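# Postfix regexp tables already match case-insensitively; a trailing "i" flag would switch that off.
/^Message-ID: <.*@aol\.com <.*@.*>.*/ DISCARD Illegal Message-ID SPAM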

Your mail server will still accept the mail, but will silently discard it if it carries one of these illegal Message-IDs.
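
To check what the pattern catches and what it leaves alone before it sees real mail, here is an added example (not part of the original post) that replays the same regular expression over a few constructed messages in Python. The function name `header_check`, the `PASS` label and all sample messages are assumptions made for illustration; Python's `re` module stands in for the Postfix regexp table.

```python
import re
from email import message_from_string

# Pattern from the header check above. Postfix regexp tables match
# case-insensitively by default; re.IGNORECASE reproduces that here.
ILLEGAL_MSGID = re.compile(r"^Message-ID: <.*@aol\.com <.*@.*>.*", re.IGNORECASE)

# Constructed sample messages; every address and ID is a placeholder.
SAMPLES = {
    "spam_shape": (
        "From: sender@example.org\n"
        "Subject: Fw: News!\n"
        "Message-ID: <1a2b3c@aol.com <sender@example.org>\n"
        "\n"
        "Hello! http://bogus.example/\n"
    ),
    "spam_shape_mixed_case": (
        "From: sender@example.net\n"
        "Message-Id: <4d5e6f@AOL.COM <sender@example.net>\n"
        "\n"
        "Hello!\n"
    ),
    "well_formed_aol_id": (
        "From: friend@example.org\n"
        "Message-ID: <15f3c2a1b7e.1c2d@aol.com>\n"
        "\n"
        "Lunch tomorrow?\n"
    ),
    "pattern_only_in_subject_and_body": (
        "From: admin@example.org\n"
        "Subject: Re: Message-ID: <x@aol.com <y@example.org>\n"
        "Message-ID: <20240101.abcdef@mail.example.org>\n"
        "\n"
        "Message-ID: <x@aol.com <y@example.org>\n"
    ),
}

def header_check(raw_message: str) -> str:
    """Return "DISCARD" if any header line matches the pattern, else "PASS"."""
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        # Rebuild the "Name: value" header line the pattern is written against.
        if ILLEGAL_MSGID.match(f"{name}: {value}"):
            return "DISCARD"
    return "PASS"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:35} {header_check(raw)}")
```

The well-formed ID and the message that only quotes the pattern in its subject and body both pass, because the expression is anchored to a header line that begins with Message-ID and requires a second "<" after the aol.com part.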
