Re: [exim] Data ACL - Received: from header

Góra strony
Delete this message
Reply to this message
Autor: Mark Little
Data:  
Dla: B. Johannessen
CC: exim-users
Temat: Re: [exim] Data ACL - Received: from header
On Wed, 27 May 2009 23:57:52 +0200, "B. Johannessen" <bob@???> wrote:
> Mark Little wrote:
>> Recently I have seen an influx of SPAM including a fake Received: from
>> header (not something new), but what is strange is the IP included is

the
>> hosts actual IP address and not a fake one.
>> (Examples below)
>>
>> So I have been trying to work out how to add an ACL to be able to scan
>> for
>> this - because as far as I am concerned I should never be receiving an
>> email from an IP address that includes "Received: from [<same IP>]".
>
> Don't! There are legitimate reasons for such headers.
>



Hey,

I was playing around with it and have found so far only two cases (out of
200+ caught) that were legitimate emails, so I believe I am on to something
but I believe you are right and I want to get this down further.

I am now playing with detecting Received: from [<sender IP>] but excluding
if [<sender IP>].+[<sender IP>] or [<sender IP>].+[127.0.0.1] are present.
All the spammer examples I have seen only include the one IP, so I may
reduce this to just excluding if there is a second [<ip.address>] on the
line.


Thoughts?

Cheers,
Mark