[Mimedefang] Accuracy of infected IP in mdlog

Jerome Tytgat jerome.tytgat at asterion.fr
Fri May 14 10:30:25 EDT 2004


> In summary, TCP packets can be forged, TCP connections can be spoofed and/or
> intercepted, SMTP sender addresses can be spoofed, Sendmail "received" headers
> can be spoofed, and remote systems can be taken over by malicious software or
> people.  SMTP relays can be used to disguise the source of messages, or can be
> used to generate fake messages.  Web applications can be abused to generate fake
> messages.  Viruses can generate just about all of these.

I know all of that, I was just thinking that "Received:" header lines are not
as commonly spoofed as "From:" header lines. And I really think it's the
case when I look at the behaviour of viruses which are in the wild.

So I think that alerting ISP that one IP of his domain is infected is not
a complete waste of time.

In fact my script permits me to do it once a week and it takes only 5 minutes.

But I have to redo it because the base information I was using is wrong (MDLOG entries).

Even for stats reasons MDLOG entries cannot be trusted!

So I have to redo mimedefang-filter to incorporate the Received: lines...


Jerome.
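The approach the post ends on, reading the Received: chain instead of the MDLOG sender field, only works if you trust the right hop. Received: headers are prepended, so the ones your own MTA wrote sit on top and the ones below them were supplied by the sender and may be forged. The following is an added example, written in Python rather than the Perl of a real mimedefang-filter and not taken from the post or from MIMEDefang: it walks the chain top-down, stops at the first hop not written by one of our hosts, skips our own internal relays, and returns the IP that actually connected to us. The host names, internal networks, queue ids and the sample message are all constructed for illustration.

```python
"""Pick the connecting IP out of Received: headers, trusting only the hops
written by our own MTA(s). Added example; host names, networks and the
sample message below are constructed, not taken from a real system."""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import Optional

# Hosts whose Received: headers we wrote ourselves and therefore trust
# (assumed names for this example).
TRUSTED_BY_HOSTS = {"mx.example.net", "hub.example.net"}

# Networks of our own internal relays; a hop *from* one of these is not the
# outside origin, so we keep walking down the chain (assumed ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Matches the Sendmail form:  from <helo> (<rdns> [<ip>]) by <host> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def connecting_ip(raw_message: str) -> Optional[str]:
    """Return the IP that connected to our MTA, or None if no trusted hop exists.

    Received: headers are prepended, so the newest hop is on top. We walk
    top-down and stop at the first header that was not written by one of
    our hosts: everything below it came from outside and may be forged.
    """
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))  # unfold the header
        if not m:
            continue
        if m.group("by").lower() not in TRUSTED_BY_HOSTS:
            break  # not ours: the rest of the chain is untrusted
        raw_ip = m.group("ip")
        if raw_ip is None:
            continue  # local submission or unparsable hop; look further down
        if raw_ip.startswith("IPv6:"):  # Sendmail writes [IPv6:2001:db8::1]
            raw_ip = raw_ip[5:]
        try:
            addr = ip_address(raw_ip)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            continue  # hop from an internal relay; the origin is further down
        return str(addr)
    return None


# Constructed sample: border MX received the mail from an infected PC and
# handed it to an internal hub; the bottom Received: line was forged by the
# sender and names an unrelated host.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [10.0.0.5])
\tby hub.example.net (8.12.11/8.12.11) with ESMTP id i4EEUPx12345
\tfor <user@example.net>; Fri, 14 May 2004 10:30:25 -0400
Received: from pc1234 (pc1234.isp.example [203.0.113.45])
\tby mx.example.net (8.12.11/8.12.11) with SMTP id i4EEUNx12340
\tfor <user@example.net>; Fri, 14 May 2004 10:30:23 -0400
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby pc1234 with ESMTP; Fri, 14 May 2004 10:30:01 -0400
From: spoofed@example.org
To: user@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(connecting_ip(SAMPLE_MESSAGE))  # 203.0.113.45
```

The forged bottom line pointing at 198.51.100.7 is never reached, and the internal hop from 10.0.0.5 is skipped, so the reported address is the one the border MX actually saw. When run from inside a milter the same information is available directly from the connection, which is why the Received: walk matters mostly for mail that has already passed through another relay of yours.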
