SPAM and blank MessageID entries in Log.nsf

Below is one sample of a large number of messages we are receiving where the log shows a blank MessageID “(MessageID: ) received”. For most cases, this ends up being SPAM. In the header of the message the MessageID contains “LocalDomain”. Is there any legitimate reason why this field should be LocalDomain and not the domain of the sending host? Also, is there any way of filtering via rules (I have Chris Linfoot’s enhanced mail rules implemented at our site)? I don’t see anything here that distinguishes this from a legit message.

I’m receiving a number of entries in my SMTP server log as follows:

08/01/2006 02:05:40 PM SMTP Server: iu102.bbs.com.pl (80.51.221.102) connected
08/01/2006 02:05:40 PM SMTP Server: iu102.bbs.com.pl (80.51.221.102) connected
08/01/2006 02:05:43 PM SMTP Server: Message 006366A4 (MessageID: ) received
08/01/2006 02:05:43 PM SMTP Server: Message 006366BC (MessageID: ) received
08/01/2006 02:05:43 PM SMTP Server: iu102.bbs.com.pl (80.51.221.102) disconnected. 1 message[s] received
08/01/2006 02:05:43 PM SMTP Server: iu102.bbs.com.pl (80.51.221.102) disconnected. 1 message[s] received

The headers for the message are as follows:

Received: from 102.221.51.80.bbs.com.pl ([80.51.221.102])
      by mydomain.com (Lotus Domino Release 7.0.1FP1)
      with ESMTP id 2006080114054300-4924 ;
      Tue, 1 Aug 2006 14:05:43 -0400
From: “Abel Larkin” barry@01systems.com
To: a.localuser@mydomain.com
Subject: Join the Anatrim revolution
Date: Tue, 1 Aug 2006 18:04:56 -0480
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2527
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
X-MIMETrack: Itemize by SMTP Server on MyDominoServer(Release 7.0.1FP1|April 17, 2006) at 08/01/2006 02:05:43 PM,
	 Serialize by Notes Client on James Johnston(Release 7.0.1|January 17, 2006) at 08/01/2006 02:39:50 PM,
	 Serialize complete at 08/01/2006 02:39:50 PM
Message-ID: OF3621A7D9.47757576-ON852571BD.006366BC@LocalDomain
Content-Type: multipart/alternative;
	 boundary="----=_NextPart_000_006A_01C6B5D8.0D58BAC0"

This is a multi-part message in MIME format.

Subject: SPAM and blank MessageID entries in Log.nsf

It would not be too difficult to extend the enhanced mail rules to examine message ID, stored in the MIME as Message-ID and in the Notes document as a field, $MessageID.

However, the message ID in your sample is not null even though the spam was submitted to you with no message ID. The reason is that where message ID is absent, Domino will generate one. The generated one is derived from the Notes UNID with @LocalDomain appended.

This may be a useful spam indicator. Not the @LocalDomain part as I suspect that many badly implemented but legitimate remote senders will use something like that, but the Notes UNID which would only be there in a non-locally originated message if that message had been submitted with no message ID.

I’m not sure how you would structure a rule based on looking for a message ID structured this way in a non-locally originated message.

However, the submitting host is currently listed in a number of DNSBLs, including Spamcop…
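The indicator described in the reply above, as an added example (not part of the original thread, and not Domino or enhanced-mail-rules code): it pulls the blank-MessageID entries out of the SMTP log and flags a message that arrived from a non-local host yet carries a Domino-generated ID. The ID pattern is inferred from the single sample header in this thread, and `LOCAL_NETS` is an assumed stand-in for the site's own address ranges.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Shape of a Domino-generated ID, inferred from the one sample in this thread.
GENERATED_ID = re.compile(
    r"<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}@LocalDomain>?$")
BLANK_ID_LOG = re.compile(r"Message ([0-9A-F]{8}) \(MessageID: ?\) received")
RECEIVED_IP = re.compile(r"\(\[([0-9A-Fa-f.:]+)\]\)")
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]  # assumed

def blank_id_messages(log_text):
    """Message numbers that the SMTP log recorded with an empty MessageID."""
    return BLANK_ID_LOG.findall(log_text)

def submitted_without_id(raw_message):
    """True when mail received from a non-local host carries a generated ID."""
    msg = message_from_string(raw_message)
    if not GENERATED_ID.match((msg.get("Message-ID") or "").strip()):
        return False  # sender supplied its own Message-ID
    hops = msg.get_all("Received") or []
    hit = RECEIVED_IP.search(hops[0]) if hops else None
    if hit is None:
        return False  # no SMTP hop recorded: treat as locally originated
    try:
        peer = ip_address(hit.group(1))
    except ValueError:
        return False  # unparseable address in the Received header
    return not any(peer in net for net in LOCAL_NETS)

# Sample data copied from the log and headers quoted in this thread.
LOG = """\
08/01/2006 02:05:43 PM SMTP Server: Message 006366A4 (MessageID: ) received
08/01/2006 02:05:43 PM SMTP Server: Message 006366BC (MessageID: ) received
"""
SAMPLE = (
    "Received: from 102.221.51.80.bbs.com.pl ([80.51.221.102])\n"
    "      by mydomain.com (Lotus Domino Release 7.0.1FP1)\n"
    "      with ESMTP id 2006080114054300-4924 ;\n"
    "      Tue, 1 Aug 2006 14:05:43 -0400\n"
    "Subject: Join the Anatrim revolution\n"
    "Message-ID: OF3621A7D9.47757576-ON852571BD.006366BC@LocalDomain\n"
    "\nbody\n")

if __name__ == "__main__":
    print(blank_id_messages(LOG), submitted_without_id(SAMPLE))
```

Mail that originates on the Domino server itself also carries IDs of this shape, which is why the check requires a Received hop from outside the local ranges before it fires.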

Subject: RE: SPAM and blank MessageID entries in Log.nsf

Hi Chris. Good to hear from you.

The problem is that we’re seeing some spam before it gets listed on the DNSBLs. We’ve just recently disabled our offsite MX (BTW thanks for the “spam bible”), so I’m praying/hoping our “popularity” will eventually wane. We’ve got the local BL, server rules, and kSpam enabled.

I was hoping for some distinguishing characteristics for which I could set a rule. kSpam (w Bayesian) does not catch everything.

Another issue is the embedded image spam and how to filter/block it.