Mike Cardwell wrote:
>> Recently I have seen an influx of SPAM including a fake Received: from
>> header (not something new), but what is strange is the IP included is the
>> host's actual IP address and not a fake one.
>> (Examples below)
>>
>> So I have been trying to work out how to add an ACL to be able to scan for
>> this - because as far as I am concerned I should never be receiving an
>> email from an IP address that includes "Received: from [<same IP>]".
>>
>> If someone could point me in the right direction or even let me know if
>> this is possible with the DATA ACL, that would be most appreciated.
>>
>> Examples:
>>
>> (My server is mailgate.freeparking.com)
>>
>> Received: from [82.133.13.138]
>> by mailgate.freeparking.com with esmtp (Exim 4.69 #1 (Debian))
>> id 1M8v2x-0004kL-3z
>> for <xx@???>; Tue, 26 May 2009 07:42:25 -0400
>> Received: from [82.133.13.138] by smtp1.agent-mail.net; Tue, 26 May 2009
>> 11:42:17 +0000
>> From: "Glenna Ford" <sghxvwi@???>
>> To: <xx@???>
>
> Perhaps a condition like this?
>
> condition = ${if eq{${if match{$h_Received:}{\Nfrom \[([\d\.]+)\]\N}{$1}{}}}{$sender_host_address}}
>
> Do plenty of testing first though... Especially tests involving local
> mail. You might want to exclude certain IPs.

Hmmm. Ignore my previous suggestion. The received header added by Exim
is already in the $h_Received: variable by the time you get to the DATA ACL.
Perhaps stick a newline before "from" so you get the previous received
header:

condition = ${if eq{${if match{$h_Received:}{\N\nfrom \[([\d\.]+)\]\N}{$1}{}}}{$sender_host_address}}

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)
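
An added test harness (not part of the original message, and not Exim code) that runs both regexes from the thread over a model of `$h_Received:`, to show which messages each condition would flag before it goes into a DATA ACL. It assumes Exim joins the Received header bodies newest-first with newlines, as the reply describes; the messages are constructed, and the helper names and documentation IP addresses are hypothetical.

```python
import re
from email import message_from_string

# Patterns from the two suggestions in the thread (the text between \N ... \N).
FIRST = re.compile(r"from \[([\d\.]+)\]")
REVISED = re.compile(r"\nfrom \[([\d\.]+)\]")

def h_received(raw):
    """Assumed model of $h_Received: all Received bodies, newest first, newline-joined."""
    return "\n".join(message_from_string(raw).get_all("Received", []))

def condition(pattern, raw, sender_host_address):
    """Mirror eq{${if match{..}{..}{$1}{}}}{$sender_host_address} as string equality."""
    m = pattern.search(h_received(raw))
    return (m.group(1) if m else "") == sender_host_address

def message(*received):
    """Build a constructed message from Received header bodies, newest first."""
    return "".join(f"Received: {r}\n" for r in received) + "Subject: test\n\nbody\n"

# Constructed from the example in the post: the top header is the one Exim adds.
SPAM = message(
    "from [82.133.13.138]\n\tby mailgate.freeparking.com with esmtp (Exim 4.69 #1 (Debian))\n\tid 1M8v2x-0004kL-3z",
    "from [82.133.13.138] by smtp1.agent-mail.net; Tue, 26 May 2009\n\t11:42:17 +0000",
)
# Constructed legitimate relay (documentation IPs): no forged hop underneath.
LEGIT = message(
    "from [203.0.113.7]\n\tby mailgate.freeparking.com with esmtp",
    "from client.example.org ([198.51.100.2]) by relay.example.org; Tue, 26 May 2009 11:00:00 +0000",
)

def results():
    return {
        "first_spam": condition(FIRST, SPAM, "82.133.13.138"),
        "first_legit": condition(FIRST, LEGIT, "203.0.113.7"),  # Exim's own header matches
        "revised_spam": condition(REVISED, SPAM, "82.133.13.138"),
        "revised_legit": condition(REVISED, LEGIT, "203.0.113.7"),
        # An empty capture equals an empty address: a case to cover when testing local mail.
        "revised_no_address": condition(REVISED, LEGIT, ""),
    }

if __name__ == "__main__":
    for name, value in results().items():
        print(f"{name}: {value}")
```
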