Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2004/02/06 21:42:27 UTC

on that Message-ID pattern

That Dan and Scott have been bashing their heads against.  It turns out
the ratware has other patterns that are far easier to spot:

  1. it uses the rDNS name of the sending machine in its HELO.  Since it
  sends direct-to-MX from dialup pools, this means the recent patterns I
  checked in (for rDNS used as HELO from a dialup pool) will catch it.

  2. there are a number of other Received header patterns I can spot.
  For example, sometimes it forges a line like this:

	Received: from [IPADDR] by IPADDR with ESMTP...

IP addresses are never used in the "by" hostname.

I'll take a look later on today after $DAYJOB, and see if I can come up
with some rules.

Also, I've checked in a script that I've used in the past to help with
developing rules that correlate headers.  It's in as
masses/rule-dev/maildir-scan-headers.

--j.
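The two Received-header tells described above, worked through as a standalone detector. This is an added example, not SpamAssassin's rules, not the maildir-scan-headers script, and not code from the post's author: the Received-line regex, the "looks like a dialup/DSL pool host" heuristic (generic access tokens in the name, or the client's own octets embedded in it) and every sample header are constructed here, using RFC 5737 documentation addresses and invented hostnames.

```python
"""Spot two forged-Received-header patterns from the post.

Added, standalone Python illustration; not SpamAssassin's rules or the
maildir-scan-headers script.  The pool-host heuristic and all sample
headers are constructed for this example.
"""
import re
from typing import Dict, List, Optional

# One Received: header, roughly sendmail/postfix shaped:
#   from HELO (RDNS [IP]) by HOST with ...
# The parenthesised "(RDNS [IP])" part is optional; the forged line quoted
# in the post has no such part at all.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.I,
)

# A bare dotted-quad, with or without the [] of an address literal.
IP_LITERAL_RE = re.compile(r"^\[?\d{1,3}(?:\.\d{1,3}){3}\]?$")

# Assumed heuristic for "looks like a dialup/DSL pool name": generic access
# tokens as a label, or the client's own octets embedded in the name.
POOL_TOKEN_RE = re.compile(
    r"(?:^|[.-])(?:dsl|adsl|dialup|dial|ppp|pool|dyn|dynamic|cable|dhcp)(?:$|[.-])",
    re.I,
)


def parse_received(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Pull helo, rdns, ip and by out of a Received: line, or None."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    return {k: m.group(k) for k in ("helo", "rdns", "ip", "by")}


def looks_like_pool_host(name: str, ip: Optional[str]) -> bool:
    """Assumed pool-name heuristic (not SpamAssassin's actual test)."""
    if POOL_TOKEN_RE.search(name):
        return True
    if ip and "-".join(ip.split(".")) in name:
        return True
    return False


def check_received(header: str) -> List[str]:
    """Return the names of the patterns the header matches (empty = clean)."""
    fields = parse_received(header)
    if fields is None:
        return ["unparseable"]
    hits: List[str] = []
    # Pattern 2: a real MTA names itself in "by"; a bare IP there is a tell.
    if IP_LITERAL_RE.match(fields["by"] or ""):
        hits.append("by_is_ip_address")
    # Pattern 1: HELO identical to the rDNS name, and that name is a pool host.
    helo, rdns, ip = fields["helo"] or "", fields["rdns"], fields["ip"]
    if rdns and helo.lower() == rdns.lower() and looks_like_pool_host(rdns, ip):
        hits.append("helo_is_dialup_rdns")
    return hits


# Constructed sample headers (RFC 5737 addresses, invented hostnames and ids).
SAMPLE_HEADERS = [
    "Received: from [192.0.2.17] by 192.0.2.17 with ESMTP; Fri, 6 Feb 2004 21:00:00 +0000",
    "Received: from dsl-192-0-2-45.pool.example.net (dsl-192-0-2-45.pool.example.net [192.0.2.45])"
    " by mx.example.org with ESMTP id ABC123; Fri, 6 Feb 2004 21:01:00 +0000",
    "Received: from mail.example.com (mail.example.com [198.51.100.9])"
    " by mx.example.org with ESMTP id DEF456; Fri, 6 Feb 2004 21:02:00 +0000",
]


def scan(headers: List[str]) -> Dict[str, List[str]]:
    """Run check_received over a batch of headers."""
    return {h: check_received(h) for h in headers}


if __name__ == "__main__":
    for header, hits in scan(SAMPLE_HEADERS).items():
        print(f"{hits or ['clean']}  {header[:60]}...")
```

The first sample trips only the "by is an IP address" check, the second only the HELO-equals-dialup-rDNS check, and the third (a normal relay naming itself in both HELO and "by") trips neither. In a real rule the pool-host test would lean on the rDNS lookup and the dialup-pool patterns the post refers to rather than this token list; the point here is that the two tells are independent and cheap to evaluate on the header text alone.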