Lanny Jason Godsey wrote:
> And what good does finding the MX records for a domain have to do with
> knowing if received headers have traversed a valid sender IP address?
As stated, whitelisting or bypassing some blacklisting checks. I do not
consider using this as a blacklisting technique as it would have too many
high false positives, but false negative rate could be low.
I failed to mention that this type of check could award negative spam points
via SpamAssassin or whatever point-based system is used. (Actually forgot
about this point until after I sent the last email.)
> Next, this is easy to defeat, as I can simply toss in a legit received
> line from a real paypal mail. That is unless you mean the current host
> and not previous hops?
Absolutely not, I wouldn't trust ANYTHING in the received headers except
what my system added and at that point I have direct access to that via the
ACL rules before DATA.
> --- Wakko Warner <wakko@???> wrote:
>
> > Marc Perkel wrote:
> > > Richard Clayton wrote:
> > > The sender is autoresponse@???
> > > But the sending server in the received lines is accounting.paypal.com
> > >
> > > So - I want to grab just the "paypal.com" part and see if I can find
> > > that in the received lines. It's part of my anti-phishing code. The idea
> > > being that email from paypal.com will come from paypal servers somewhere
> > > in received.
> >
> > What's so hard about this???
> >
> > mx custserv.paypal.com.
> > > custserv.paypal.com does not exist, try again
> > mx accounting.paypal.com.
> > > accounting.paypal.com does not exist, try again
> > mx paypal.com.
> > > paypal.com MX 10 smtp1.sc5.paypal.com
> > > paypal.com MX 10 smtp2.nix.paypal.com
> > > paypal.com MX 10 smtp1.nix.paypal.com
> > mx com.
> > > com MX record currently not present
> >
> > Just strip the subdomain off until you get an MX. How difficult could that
> > be??? You can do this with embedded perl and it would be quite easy to do.
> >
> > Or you could compare all MX's
> >
> > If you're wondering about say demon.co.uk:
> > mx demon.co.uk.
> > > demon.co.uk MX 5 lon1-hub-internal.mail.demon.net
> > > demon.co.uk MX 5 anchor-hub-internal.mail.demon.net
> > mx co.uk.
> > > co.uk MX record currently not present
> > mx uk.
> > > uk MX record currently not present
> >
> > I use a trailing . to force it not to look the domain up by using my local
> > domain in /etc/resolv.conf
> >
> > --
> > Lab tests show that use of micro$oft causes cancer in lab animals
> > Got Gas???
>
--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
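
The check discussed in this message, as an added example that is not code from the thread or from Exim: strip labels from the sender domain until a name with MX records is found, then award a negative score only when the connecting host (the one your own server recorded) belongs to that domain or is one of its MX hosts. Assumptions: the function names, the `bonus` value, the constructed sender addresses, and the `SAMPLE_MX` table, which stands in for DNS and holds only the MX answers quoted above.

```python
# Constructed stand-in for DNS: the MX answers quoted in the thread.
SAMPLE_MX = {
    "paypal.com": ["smtp1.sc5.paypal.com", "smtp2.nix.paypal.com",
                   "smtp1.nix.paypal.com"],
    "demon.co.uk": ["lon1-hub-internal.mail.demon.net",
                    "anchor-hub-internal.mail.demon.net"],
}

def lookup_mx(name, table=SAMPLE_MX):
    """Return MX host names for a fully qualified name (trailing dot allowed)."""
    return table.get(name.lower().rstrip("."), [])

def mx_domain(domain, lookup=lookup_mx):
    """Strip leading labels until a name with MX records is found."""
    labels = domain.lower().rstrip(".").split(".")
    # Stop at two labels so a bare TLD is never queried. A production check
    # would also need a public-suffix list so that names like co.uk never match.
    while len(labels) >= 2:
        name = ".".join(labels)
        hosts = [h.lower().rstrip(".") for h in lookup(name)]
        if hosts:
            return name, hosts
        labels = labels[1:]
    return None, []

def is_under(host, domain):
    """Label-boundary match, so paypal.com.evil.example is not 'under' paypal.com."""
    return host == domain or host.endswith("." + domain)

def whitelist_score(sender, connecting_host, bonus=-2.0, lookup=lookup_mx):
    """Score the sender/host pair: `bonus` on a match, 0.0 otherwise.

    connecting_host must be the name your own MTA verified for the peer
    (forward-confirmed reverse DNS), never a name parsed from Received
    headers supplied by the sender. The result is never positive: a miss
    is common for legitimate mail, so it only withholds the bonus.
    """
    domain = sender.rsplit("@", 1)[-1]
    host = connecting_host.lower().rstrip(".")
    found, mx_hosts = mx_domain(domain, lookup)
    if found and (is_under(host, found) or host in mx_hosts):
        return bonus
    return 0.0

if __name__ == "__main__":
    # Constructed sender address; the host name is the one from the thread.
    print(whitelist_score("user@custserv.paypal.com", "accounting.paypal.com"))
```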