Autor: Mark Little Data: Dla: B. Johannessen CC: exim-users Temat: Re: [exim] Data ACL - Received: from header
On Wed, 27 May 2009 23:57:52 +0200, "B. Johannessen" <bob@???> wrote: > Mark Little wrote:
>> Recently I have seen an influx of SPAM including a fake Received: from
>> header (not something new), but what is strange is the IP included is the >> hosts actual IP address and not a fake one.
>> (Examples below)
>>
>> So I have been trying to work out how to add an ACL to be able to scan
>> for
>> this - because as far as I am concerned I should never be receiving an
>> email from an IP address that includes "Received: from [<same IP>]".
>
> Don't! There are legitimate reasons for such headers.
>
Hey,
I was playing around with it and have found so far only two cases (out of
200+ caught) that were legitimate emails, so I believe I am on to something
but I believe you are right and I want to get this down further.
I am now playing with detecting Received: from [<sender IP>] but excluding
if [<sender IP>].+[<sender IP>] or [<sender IP>].+[127.0.0.1] are present.
All the spammer examples I have seen only include the one IP, so I may
reduce this to just excluding if there is a second [<ip.address>] on the
line.