[Mimedefang] Real sender address ??

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Thu Dec 4 01:48:33 EST 2003


On Wed, 3 Dec 2003, J.P van Oyen wrote:

> Received: from pop2.telyte.nl (pop2.telyte.nl [113.212.125.231])
>         by smtp3.telyte.nl (8.12.10/8.12.10) with ESMTP id hB3ECWYY027729
>         for <name at tld.nl>; Wed, 3 Dec 2003 14:12:32 +0100
> Received: from smtp2.telebyte.nl (smtp1.telyte.nl [113.212.125.21])
>         by pop2.telyte.nl (8.12.10/8.12.10) with ESMTP id hB3ECNl7021059;
>         Wed, 3 Dec 2003 14:12:25 +0100
> Received: from cp73380-a.venlo1.lb.home.nl (cp73380-a.venlo1.lb.home.nl
> [217.123.170.18])
>         by smtp2.telyte.nl (8.12.10/8.12.10) with SMTP id hB3ECK5H028915;
>         Wed, 3 Dec 2003 14:12:21 +0100
> Received: from [180.96.42.130] by cp73380-a.venlo1.lb.home.nl with ESMTP id
> B8FAEC3D9DE; Tue, 02 Dec 2003 20:14:53 -0500
>
> It should then contain 180.96.42.130 (first Received: from).
>
> This would be nice to determine country of origin/first post as long as it's not
> faked etc. Now I have to do it with $RelayAddr, which can also be a secondary
> mail server, so giving more false results.

As David already pointed out, it makes no sense to find the _first_
Received: header (because all these headers are inserted by the sender
and are possibly fakes), but the first entry you know is good.
In your situation, I guess, you control all the *telyte.nl hosts, hence
it would be RealRelay == cp73380-a.venlo1.lb.home.nl. Actually, an
attacker might even add faked Received headers with _your_ relay, hence
you must parse and interpret each Received header in sequence and must
decide if that makes sense.

Bye,

-- 
Steffen Kaiser
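Added example (not part of this thread or of MIMEDefang itself): walking the Received: chain in sequence as Steffen describes, in Python, with the headers quoted above used as constructed input. It assumes the *telyte.nl hosts and their addresses are the only trusted hops; the walk stops at the first hop a trusted host accepted from an untrusted peer and never reads the headers below it, so a forged "by smtp2.telyte.nl" stamp further down has no effect.

```python
import re

# Assumption for this example: the site operates the *telyte.nl hosts named in
# the thread, so those are the only hops whose Received: stamps are trusted.
TRUSTED_HOSTS = {"smtp3.telyte.nl", "pop2.telyte.nl", "smtp2.telyte.nl"}
TRUSTED_IPS = {"113.212.125.231", "113.212.125.21"}
# Constructed sample: the Received: headers quoted in the thread, newest first.
SAMPLE_HEADERS = """\
Received: from pop2.telyte.nl (pop2.telyte.nl [113.212.125.231])
        by smtp3.telyte.nl (8.12.10/8.12.10) with ESMTP id hB3ECWYY027729
        for <name at tld.nl>; Wed, 3 Dec 2003 14:12:32 +0100
Received: from smtp2.telebyte.nl (smtp1.telyte.nl [113.212.125.21])
        by pop2.telyte.nl (8.12.10/8.12.10) with ESMTP id hB3ECNl7021059;
        Wed, 3 Dec 2003 14:12:25 +0100
Received: from cp73380-a.venlo1.lb.home.nl (cp73380-a.venlo1.lb.home.nl
        [217.123.170.18])
        by smtp2.telyte.nl (8.12.10/8.12.10) with SMTP id hB3ECK5H028915;
        Wed, 3 Dec 2003 14:12:21 +0100
Received: from [180.96.42.130] by cp73380-a.venlo1.lb.home.nl with ESMTP id
        B8FAEC3D9DE; Tue, 02 Dec 2003 20:14:53 -0500
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold_received(raw):
    """Return the bodies of all Received: headers, newest first, unfolded."""
    hops = []
    for line in raw.splitlines():
        if line.startswith("Received:"):
            hops.append(line[len("Received:"):].strip())
        elif line[:1].isspace() and hops:   # folded continuation line
            hops[-1] += " " + line.strip()
    return hops

def real_relay(raw):
    """Walk the chain top-down while each hop was stamped by a trusted host.
    The first peer that is not ours is the real relay; every header below it
    was written by that peer or earlier, may be forged, and is never read."""
    for hop in unfold_received(raw):
        m = HOP_RE.search(hop)
        if not m or m.group(3).rstrip(";") not in TRUSTED_HOSTS:
            return None                     # chain broken inside our own hosts
        from_name, comment = m.group(1), m.group(2) or ""
        ip = IP_RE.search(comment) or IP_RE.search(from_name)
        ip = ip.group(1) if ip else None
        if ip not in TRUSTED_IPS:
            return ip, from_name
    return None
```

For the sample this yields 217.123.170.18 / cp73380-a.venlo1.lb.home.nl, Steffen's RealRelay, while the 180.96.42.130 in the bottom header is never consulted.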
