[Mimedefang] Accuracy of infected IP in mdlog

David F. Skoll dfs at roaringpenguin.com
Fri May 14 09:29:26 EDT 2004


On Fri, 14 May 2004, Jerome Tytgat wrote:

> how do you know about the originating IP address so?

Like I wrote: Received lines can be faked.  However, you could add code
to parse the Received lines until you see the first one that isn't the IP
address of a trusted host (e.g., your host or a secondary MX machine).
We have code like that in our CanIt product; it looks something like the
code below.  You need to define functions from_secondary_mx and
from_localhost that return true if an IP address is that of one of
your secondary MX machines, or of the localhost.

However, I'm not sure what the point is of knowing which IP address is
infected.  You can probably pick ten Windoze boxes at random, and
three of them will be infected...

Regards,

David.

#***********************************************************************
# %PROCEDURE: get_real_relay_from_received_headers
# %ARGUMENTS:
#  None
# %RETURNS:
#  The "real" relay as parsed from Received: headers if it could
#  be determined, undef if not.  The "real" relay is the first IP
#  address in the Received: from a.b.c.d list that isn't localhost
#  or a secondary MX machine.  THIS COULD BE FOOLED by a host that
#  puts 1.2.3.4 in the HELO string!
#***********************************************************************
sub get_real_relay_from_received_headers () {
    # ./HEADERS is the message-header file MIMEDefang writes into the
    # working directory before calling the filter.
    open(my $hdrs, '<', './HEADERS') or return undef;
    my $relay;
    while (my $line = <$hdrs>) {
        chomp $line;

        # Only look at "Received:" lines
        next unless $line =~ /^Received:\s*from/i;

        # From most-preferred to least-preferred, where a.b.c.d is an IP addr:
        # ([a.b.c.d])
        # <space>[a.b.c.d])
        # [a.b.c.d]
        # (a.b.c.d)
        # @a.b.c.d
        # <space>a.b.c.d<space>
        # a.b.c.d
        # The bracketed forms come first because they are what the receiving
        # MTA recorded; a bare address (possibly from HELO) is the fallback.
        if ($line =~ /\(\[(\d+\.\d+\.\d+\.\d+)\]\)/  or
            $line =~ /\s+\[(\d+\.\d+\.\d+\.\d+)\]\)/ or
            $line =~ /\[(\d+\.\d+\.\d+\.\d+)\]/      or
            $line =~ /\((\d+\.\d+\.\d+\.\d+)\)/      or
            $line =~ /\@(\d+\.\d+\.\d+\.\d+)/        or
            $line =~ /\s+(\d+\.\d+\.\d+\.\d+)\s+/    or
            $line =~ /(\d+\.\d+\.\d+\.\d+)/) {
            my $addr = $1;
            # Skip our own hops; the first untrusted one is the real relay
            next if from_secondary_mx($addr) || from_localhost($addr);
            $relay = $addr;
            last;
        }
        # No match... weird Micro$oft header, no doubt...
        # Give up rather than trust anything further down the chain.
        last;
    }
    close($hdrs);
    return $relay;
}

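The top-down walk David describes, as an added example in Python (not the list's Perl, and not CanIt or MIMEDefang code). It keeps the same pattern preference order as the Perl function, joins folded continuation lines so a multi-line Received: header is matched as one unit, rejects octets that are not valid addresses, and stops at the first hop that is not one of our own hosts. TRUSTED_RELAYS, the helper names and the sample headers (a forged HELO of "[203.0.113.77]" and a forged Received: line at the bottom) are constructed for the illustration:

```python
"""Walk Received: headers top-down and report the first relay that is not one
of our own trusted hosts.  Added illustration in Python; not the list's Perl
and not CanIt or MIMEDefang code.  TRUSTED_RELAYS, the helper names and the
sample headers are constructed for this example."""
import ipaddress
import re

# Assumed trusted hops: loopback, this host and one secondary MX.  In a real
# filter this comes from configuration (the from_localhost/from_secondary_mx
# checks in the Perl version).
TRUSTED_RELAYS = {"127.0.0.1", "192.0.2.10", "192.0.2.20"}

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Same preference order as the Perl: a bracketed address the receiving MTA
# recorded beats anything the client chose to put in its HELO string.
_PATTERNS = [
    re.compile(r"\(\[" + _IPV4 + r"\]\)"),   # ([a.b.c.d])
    re.compile(r"\s+\[" + _IPV4 + r"\]\)"),  # <space>[a.b.c.d])
    re.compile(r"\[" + _IPV4 + r"\]"),       # [a.b.c.d]
    re.compile(r"\(" + _IPV4 + r"\)"),       # (a.b.c.d)
    re.compile(r"@" + _IPV4),                # @a.b.c.d
    re.compile(r"\s+" + _IPV4 + r"\s+"),     # <space>a.b.c.d<space>
    re.compile(_IPV4),                       # a.b.c.d
]

# Constructed sample: our MX (192.0.2.10) got the message from the secondary
# MX (192.0.2.20), which got it from a client whose HELO claimed
# "[203.0.113.77]" but whose socket address was 198.51.100.77.  The bottom
# Received: line was forged by that client to point at 203.0.113.5.
SAMPLE_HEADERS = (
    "Received: from mx2.example.net (mx2.example.net [192.0.2.20])\n"
    "\tby mail.example.net (8.12.11/8.12.11) with ESMTP id i4EDTQx1017432\n"
    "\tfor <user@example.net>; Fri, 14 May 2004 09:29:26 -0400\n"
    "Received: from [203.0.113.77] (dhcp-77.isp.example [198.51.100.77])\n"
    "\tby mx2.example.net (8.12.11/8.12.11) with ESMTP id i4EDTPx2011201\n"
    "\tfor <user@example.net>; Fri, 14 May 2004 09:29:25 -0400\n"
    "Received: from mail.example.org (mail.example.org [203.0.113.5])\n"
    "\tby [203.0.113.77] with SMTP; Fri, 14 May 2004 09:20:00 -0400\n"
    "From: someone@example.org\n"
    "Subject: hi\n"
)


def unfold_headers(raw):
    """Split a raw header block into logical headers, joining folded
    continuation lines (those starting with whitespace) onto the previous
    header so a multi-line Received: is matched as one unit."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def extract_relay_ip(received):
    """Most trustworthy-looking IPv4 address in one Received: header, as a
    string, or None.  Candidates that are not valid addresses (999.1.2.3)
    are skipped so a later match or pattern still gets a chance."""
    for pat in _PATTERNS:
        for m in pat.finditer(received):
            try:
                return str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue
    return None


def real_relay_from_headers(raw, trusted=TRUSTED_RELAYS):
    """First relay IP, reading Received: headers top-down (most recent hop
    first), that is not one of our trusted hosts.  Returns None when a hop
    cannot be parsed (anything below it is untrustworthy anyway, so stop,
    as the Perl version does) or when every hop is ours."""
    for header in unfold_headers(raw):
        if not re.match(r"Received:\s*from", header, re.IGNORECASE):
            continue
        addr = extract_relay_ip(header)
        if addr is None:
            return None
        if addr not in trusted:
            return addr
    return None


if __name__ == "__main__":
    print(real_relay_from_headers(SAMPLE_HEADERS))   # 198.51.100.77
```

Against the sample this yields 198.51.100.77, the socket address the secondary MX recorded, not the "[203.0.113.77]" the client put in HELO and not the 203.0.113.5 from the forged line below it. The protection comes entirely from the receiving MTA writing the peer address in brackets after the HELO name, as sendmail does; a hop such as "Received: from [203.0.113.5] by relay.example with SMTP", where the MTA logged only the HELO string, is reported as 203.0.113.5, which is the "COULD BE FOOLED" case in the Perl comment.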