spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David B Funk <>
Subject Re: Direct download link detection
Date Tue, 25 Jul 2017 15:28:41 GMT
If the original message actually had that message-ID form when it arrived at the 
OP's mail MX server, then your assessment makes sense.

However it's entirely possible that message-ID was added by the OP's mail server 
because the incoming message had no message-ID to begin with. There's 
insufficient information in that pastbin example to tell.

I've got my MX servers config'd to use a specific tagged message-id in this kind 
of situation so I can tell exactly what happened.

I used to hit this situation (missing incoming message-ID) hard but then found 
there to be too many FPs on legit mail and had to tone it down.

On Tue, 25 Jul 2017, Rupert Gallagher wrote:

> Before bothering with body spam, make sure the header is clear. The specific email should have
been rejected upfront,
> because the foreign sender's message-id pretends to originate from the recipient's
smtp server. 
> Sent from ProtonMail Mobile
> On Tue, Jul 25, 2017 at 12:00 AM, Alex <> wrote:
>       Hi, We're currently experiencing a new spam campaign that involves some text pertaining
to invoicing then a
>       link that immediately downloads a Word macro file.
What would be involved
>       in following these links in SA to determine if they immediately download a file
(other than a web page)?
>       Would that even be a reliable indicator? This isn't the first time I've seen such
an approach. This one's
>       probably already on some blacklists, but I'm still blocking others:
>       Alex

Dave Funk                                  University of Iowa
<dbfunk (at)>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
  • Unnamed multipart/mixed (inline, None, 0 bytes)
View raw message