Walt Reed (exim@???) said, in message
<20040206135346.GB16813@???>:
>
> > You could go further and make the tag cryptographically dependent on
> > the message ID or something, but I think it would be best to keep the
> > search simple.
>
> Why go through all the bother of the MD5 when you could just search for
> the message ID... If the included (not main) message ID doesn't match
> the pattern your servers generate, drop it. You don't even need to keep
> a record of message IDs - just the pattern.

I wanted to avoid a simple pattern match because it's not beyond the realms
of possibility that the next virus down the line reuses headers from messages
it's picked up off your machine. So I'd want my magic tag to have a strictly
limited lifespan.

At the same time I don't want to be doing a substring search for any one of
the millions of exim message IDs that would be generated from our servers
during a week. Hence, I chose a tag that changes relatively slowly and is
hard to guess. Over 31 days you'd accumulate 744 hourly tags. 744 substring
lookups per bounce message doesn't sound like a lot of work.

I've been glancing through my little collection of bounce messages and
haven't found any that don't have full headers yet.

Tim's point about offsite users is probably the real gotcha. I suspect it's
a minuscule proportion of the dross, but I'm really going to have to think
about that one!

Cheers,
Alun.
--
Alun Jones auj@???
Systems Support, (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
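
The hourly-tag check described in this message, as an added sketch that is not part of the original post and is not Exim code. It assumes the tag is a truncated HMAC-SHA256 of the hour number under a server-side secret, carried in a hypothetical X-Bounce-Tag header; the thread states neither detail.

```python
import hashlib
import hmac

HOUR = 3600
WINDOW_HOURS = 31 * 24  # 744 hourly tags, the lifespan given in the post


def hourly_tag(secret: bytes, epoch_seconds: int) -> str:
    """Tag for the hour containing epoch_seconds (assumed construction)."""
    hour = epoch_seconds // HOUR
    mac = hmac.new(secret, str(hour).encode(), hashlib.sha256).hexdigest()
    return "bt-" + mac[:24]  # 96 bits: hard to guess, cheap to search for


def valid_tags(secret: bytes, now: int) -> list[str]:
    """Every tag issued during the last WINDOW_HOURS, current hour included."""
    this_hour = now // HOUR
    first = this_hour - WINDOW_HOURS + 1
    return [hourly_tag(secret, h * HOUR) for h in range(first, this_hour + 1)]


def bounce_is_ours(secret: bytes, bounce_text: str, now: int) -> bool:
    """Plain substring search of the whole bounce, one lookup per live tag.

    A bounce that omits the original headers, or quotes mail that an
    offsite user sent through another server, carries no tag and is
    rejected here; those are the two gaps raised in the thread.
    """
    return any(tag in bounce_text for tag in valid_tags(secret, now))


def sample_bounce(tag_line: str) -> str:
    """Constructed bounce body quoting the original message headers."""
    return (
        "This message was created automatically by mail delivery software.\n"
        "------ This is a copy of the message, including all the headers.\n"
        "From: user@example.org\n"
        + tag_line
        + "Subject: hello\n"
    )


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    now = 1076076000  # constructed clock value
    fresh = sample_bounce(f"X-Bounce-Tag: {hourly_tag(secret, now - 10 * 86400)}\n")
    stale = sample_bounce(f"X-Bounce-Tag: {hourly_tag(secret, now - 40 * 86400)}\n")
    print(bounce_is_ours(secret, fresh, now), bounce_is_ours(secret, stale, now))
```

The stale case is the replay the message worries about: headers harvested from old mail stop validating once their hour falls out of the 31-day window.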