Re: [exim] Data ACL - Received: from header

On Wed, 27 May 2009, B. Johannessen wrote:

| Mark Little wrote:
| > Recently I have seen an influx of SPAM including a fake Received: from
| > header (not something new), but what is strange is the IP included is the
| > hosts actual IP address and not a fake one.
| > (Examples below)
| >
| > So I have been trying to work out how to add an ACL to be able to scan for
| > this - because as far as I am concerned I should never be receiving an
| > email from an IP address that includes "Received: from [<same IP>]".
|
| Don't! There are legitimate reasons for such headers.

We've had a signature like this running for a year or two. Specifically,
if a mail arrives with an existing Received: header claiming something
already received it from the IP that connected to us ($sender_host_address).

There's a few places whitelisted for doing this legitemately.

Originally this caught quite a lot of spam, but looking now, the pattern
isn't hugely common.