On 2016-10-07, Hardy <bulk@???> wrote:
> Hi folks,
>
> 2nd Stage DNS blocking
> Let me describe:
> We receive spam via the usual MTA chain. Sometimes we receive mail from
> (free) mail providers like gmail and yahoo. Sometimes we fetchmail these
> latter ones to feed them to our MX.
> We only check the connecting server, and in some of the examples above
> it might even be trusted. But that one was tricked to take spam before.
> Random samples show me: We would not have taken most of the spam from
> the intermediate or even originating MTA or sender. I would like to run
> these "Received from" addresses against dnslists and/or blacklists in files.
> You obviously cannot do this before the acl data. I am not a regex wiz,
> and I think one needs an external script anyway to extract IPs. Hints?
> Ideas?
> Has anyone done before?
Barracuda spam firewall does this, which can be a problem for road
warriors.
See also RFC 5321, section 3.7.2:
"Received:" header fields of messages originating from other
environments may not conform exactly to this specification. However,
the most important use of Received: lines is for debugging mail
faults, and this debugging can be severely hampered by well-meaning
gateways that try to "fix" a Received: line. As another consequence
of trace header fields arising in non-SMTP environments, receiving
systems MUST NOT reject mail based on the format of a trace header
field and SHOULD be extremely robust in the light of unexpected
information or formats in those header fields.
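One way to build the "2nd stage" check Hardy asks about, as an added example that is not from this thread and not Exim's own code: a small Python script that pulls the relay addresses out of every Received: header, skips your own internal ranges, and tests each one against a DNSBL and a file-style blacklist. It is written to respect the RFC 5321 text quoted above: a trace line in an unexpected format simply yields no address, it is never a reason to reject. The sample headers, the blacklist entries and the `dnsbl.example` zone are constructed for the demo; the DNS lookup is injected as a callable so the script runs offline (a real `socket.gethostbyname` resolver is included but not exercised). In Exim this would be called from the DATA ACL, the earliest point at which the headers exist, as Hardy notes.

```python
"""Second-stage DNSBL / blacklist check over Received: headers.

Added example, not code from the thread or from Exim. Assumes an RFC 5322
header block as input. Zone name, sample headers and blacklist are constructed.
"""
import ipaddress
import re
import socket
from email.parser import HeaderParser

# Constructed sample headers: the connecting MX (already seen by the SMTP ACL),
# a free-mail provider relay, one deliberately non-standard trace line that a
# non-SMTP gateway might add (RFC 5321 3.7.2 says we must still accept the
# message), and the originating host in brackets only.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123
\tfor <user@example.org>; Fri, 07 Oct 2016 10:00:00 +0000
Received: from relay.mail-provider.example (relay.mail-provider.example [203.0.113.25])
\tby mx.example.net with ESMTPS
Received: by 10.0.0.5 with internal id 42; weird gateway format
Received: from [192.0.2.88] (helo=spammer.example)
\tby relay.mail-provider.example
Subject: test
From: someone@example.com

"""

# Any dotted quad not embedded in a longer dotted/numeric token.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges never worth querying: RFC 1918, loopback, link-local, "this" network.
# (Listed explicitly rather than via is_private, which would also hide the
# documentation ranges used in the constructed sample.)
SKIP_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def is_skippable(ip):
    return any(ip in net for net in SKIP_NETWORKS)


def extract_received_ips(raw_headers):
    """Public IPv4 addresses from Received: headers, most recent hop first.

    Malformed trace lines are tolerated: they just contribute no address.
    """
    msg = HeaderParser().parsestr(raw_headers)
    found = []
    for value in msg.get_all("Received", []):
        for cand in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(cand)
            except ValueError:
                continue  # e.g. 999.1.2.3 inside an odd gateway header
            text = str(ip)
            if is_skippable(ip) or text in found:
                continue
            found.append(text)
    return found


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.88 -> 88.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_dnsbl(ip, zone, resolve):
    """Return the A record string if the DNSBL lists the IP, else None.

    `resolve(name)` returns an address string or None, so a fake can be injected.
    """
    return resolve(dnsbl_query_name(ip, zone))


def socket_resolver(name):
    """Real resolver for production use; a failed lookup means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def load_blacklist(text):
    """Parse a file-style list of IPs or CIDR blocks; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_blacklist(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def scan_received(raw_headers, zone, resolve, blacklist_nets):
    """Map each relay IP that hits the DNSBL or the local list to its reasons."""
    hits = {}
    for ip in extract_received_ips(raw_headers):
        reasons = []
        record = check_dnsbl(ip, zone, resolve)
        if record:
            reasons.append(f"dnsbl {zone} -> {record}")
        if in_blacklist(ip, blacklist_nets):
            reasons.append("local blacklist")
        if reasons:
            hits[ip] = reasons
    return hits


# Constructed local list and a fake DNSBL answer table for the offline demo.
SAMPLE_BLACKLIST = """\
# constructed example entries
203.0.113.25        # a relay that forwarded spam before
192.0.2.0/24
"""
FAKE_DNSBL = {"88.2.0.192.dnsbl.example": "127.0.0.2"}

if __name__ == "__main__":
    result = scan_received(SAMPLE_HEADERS, "dnsbl.example",
                           FAKE_DNSBL.get, load_blacklist(SAMPLE_BLACKLIST))
    for ip, reasons in result.items():
        print(ip, "-", ", ".join(reasons))
```

The first address returned is the host that connected to you, which the connection-time ACL has already judged; the interesting entries are the later ones, so a deployment would normally score rather than hard-reject on them, since a hit on an intermediate free-mail relay is exactly the shared-infrastructure case the Barracuda remark above warns about.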