[Mimedefang] Accuracy of infected IP in mdlog

Jerome Tytgat jerome.tytgat at asterion.fr
Fri May 14 05:51:00 EDT 2004


Hi,

I've noticed one bad thing with the IP which mimedefang reports
as infected.

If the mail goes through several relays, it reports the last relay as being
infected, and obviously, it's not this IP which is infected but the
sender.

For example:

Received: from smtp11.aaa.com.sg (smtp11.aaa.com.sg [xxx.21.6.21])
         by yyy.xxx.net (MIMEDefang) with ESMTP id i4C7xIA1022689
         for <userb at xxx.net>; Wed, 12 May 2004 09:59:22 +0200 (CEST)
Received: from ovscan11.singnet.com.sg (ovscan11.singnet.com.sg [xxx.21.101.101])
	  by smtp11.singnet.com.sg (8.12.11/8.12.11)
           with ESMTP id i4C7nTbJ028288;        Wed, 12 May 2004 15:49:39 +0800
Received: from smtp23.aaa.com.sg (smtp23.singnet.com.sg [xxx.21.101.203])
           by ovscan11.aaa.com.sg (8.12.11/8.12.11)
           with ESMTP id i4C7nL9p002183;      Wed, 12 May 2004 15:49:21 +0800
Received: from xtelap (qtns02923.aaa.com.sg [xxx.21.167.33])
           by smtp23.aaa.com.sg (8.12.11/8.12.11)
           with SMTP id i4C7mjJO031966; Wed, 12 May 2004 15:48:46 +0800
Date: Wed, 12 May 2004 15:48:45 +0800
Message-Id: <200405120748.i4C7mjJO031966 at smtp23.aaa.com.sg>
FROM: "MS Program Security Center" <zkrxaus at glisikvu.microsoft.com>
TO: "Customer" <lezcwgfq at glisikvu.microsoft.com>
SUBJECT: Internet Patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ukniuljvzoxhxvpp"
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Virus-Scanned-By: yyy.xxx.net, using SOPHIE & CLAMD
X-Virus-Flag: Yes
X-Virus-Info: xxx.21.6.21 is infected by Worm.Gibe.F
X-Virus-Debg: code=1 category=virus action=quarantine
X-Scanned-By: MIMEDefang 2.42

Mimedefang report in syslog:
May 12 09:59:22 yyy mimedefang.pl[30173]: MDLOG,i4C7xIA1022689,virus,Worm.Gibe.F,xxx.21.6.21,<usere at aaa.com.sg>,<userb at xxx.net>,Internet Patch

So it thinks xxx.21.6.21 is the infected computer but in reality it's xxx.21.167.33,
just because the mail has gone through several relays.

It's even more problematic when you use fetchmail to pop mail to sendmail:

Received: from localhost (localhost [127.0.0.1])
         by localhost (MIMEDefang) with ESMTP id i4BIBQuj003232
         for <usera at localhost>; Tue, 11 May 2004 20:11:26 +0200 (CEST)
X-Original-To: userc at bbb.net
Delivered-To: userc at bbb.net
Received: from bbb.bbb.net [xxx.4.16.71]  by localhost with POP3 (fetchmail-6.2.5)
           for usera at localhost (single-drop); Tue, 11 May 2004 20:11:26 +0200 (CEST)
Received: from eee.com (Appp-102-1-1-165.wxxx-253.abo.ccc.fr [xxx.253.242.165])
           by bbb.bbb.net (Postfix) with SMTP id 3BCAB18259C
           for <userc at bbb.net>; Tue, 11 May 2004 20:06:35 +0200 (CEST)
Date: Tue, 11 May 2004 20:06:41 +0100
To: "userc" <userc at bbb.net>
From: "userd" <userd at ddd.fr>
Subject: Fax Message Received
Message-ID: <ojzcwbctgkzkjbljnws at bbb.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;        boundary="--------vjsehghxjteodipdwoey"
X-Virus-Scanned-By: yyy.xxx.net, using SOPHIE & CLAMD
X-Virus-Flag: Yes
X-Virus-Info: 127.0.0.1 is infected by W32/Bagle-AA
X-Virus-Debg: code=1 category=virus action=quarantine
X-Scanned-By: MIMEDefang 2.42

Mimedefang thinks it's 127.0.0.1 which is infected... but in fact it's xxx.253.242.165...

Maybe mimedefang should take care of these Received: lines?

Any pros and cons?

Thanks

Jerome

PS: emails and IPs obfuscated to preserve privacy.
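An added example, not from the list post or from MIMEDefang itself, written in Python rather than as a MIMEDefang Perl filter, showing the Received: chain walk the post asks for: it skips hops recorded by hosts inside a configured trust boundary (the scanner, localhost for fetchmail injection, your own relays) and reports the first address outside it. The sample headers and the 10.0.0.0/8 and 192.0.2.0/24 addresses are constructed; `first_hop_ip` returns the oldest hop, which is what the post wants, but that line was written by a remote relay and cannot be verified, so the log should make clear which of the two values it records.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the fetchmail case: our scanner, then the
# fetchmail hop, then the hop written by the POP server's MTA.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
         by localhost (MIMEDefang) with ESMTP id AAAA0001
         for <usera@localhost>; Tue, 11 May 2004 20:11:26 +0200 (CEST)
Received: from pop.example.net [10.4.16.71]  by localhost with POP3 (fetchmail-6.2.5)
           for usera@localhost (single-drop); Tue, 11 May 2004 20:11:26 +0200 (CEST)
Received: from eee.com (host.example.org [192.0.2.165])
           by pop.example.net (Postfix) with SMTP id BBBB0002
           for <userc@example.net>; Tue, 11 May 2004 20:06:35 +0200 (CEST)
Subject: Fax Message Received
"""

# Hosts whose Received: lines we trust (assumed site configuration):
# loopback for fetchmail injection and an internal relay range.
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]

# The "[a.b.c.d]" literal sendmail/Postfix/fetchmail put after the HELO name.
RECEIVED_IP_RE = re.compile(r"^Received:\s*from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)

def unfold_headers(raw):
    """Join continuation lines so each header is a single string."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_ips(raw):
    """Connecting IP of every Received: header, newest (topmost) first."""
    ips = []
    for header in unfold_headers(raw):
        m = RECEIVED_IP_RE.match(header)
        if m:
            try:
                ips.append(str(ip_address(m.group(1))))
            except ValueError:
                continue  # malformed literal: ignore that hop
    return ips

def originating_ip(raw, trusted=TRUSTED_NETS):
    """First connecting IP outside the trust boundary, walking newest to oldest.
    Each hop we skip was recorded by a host we trust, so its line is reliable."""
    for ip in received_ips(raw):
        if not any(ip_address(ip) in net for net in trusted):
            return ip
    return None

def first_hop_ip(raw):
    """Oldest hop in the chain: what the post wants, but unverifiable."""
    ips = received_ips(raw)
    return ips[-1] if ips else None
```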