[Mimedefang] Accuracy of infected IP in mdlog
Jerome Tytgat
jerome.tytgat at asterion.fr
Fri May 14 10:30:25 EDT 2004
> In summary, TCP packets can be forged, TCP connections can be spoofed and/or
> intercepted, SMTP sender addresses can be spoofed, Sendmail "received" headers
> can be spoofed, and remote systems can be taken over by malicious software or
> people. SMTP relays can be used to disguise the source of messages, or can be
> used to generate fake messages. Web applications can be abused to generate fake
> messages. Viruses can generate just about all of these.
I know all of that, I was just thinking that "Received:" header lines are not
so generally spoofed as "From:" header lines. And I really think it's the
case when I look at the behaviour of viruses which are in the wild.
So I think that alerting an ISP that one IP of its domain is infected is not
a complete waste of time.
In fact my script permits me to do it once a week and it takes only 5 minutes.
But I have to redo it because the base information I was using is wrong (MDLOG entries).
Even for stats reasons MDLOG entries cannot be trusted!
So I have to redo mimedefang-filter to incorporate the Received: lines...
Jerome.
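The post's plan is to derive the infected IP from the Received: chain rather than from MDLOG, while the quoted reply points out that Received: headers below the ones our own MTA wrote can be forged. The following is an added illustration of that approach and is not code from the post or from MIMEDefang (a real mimedefang-filter hook would be Perl; Python is used here for readability). It walks the Received: headers from the top, skips hops written by relays we operate or trust, and reports the first untrusted hop as the reporting candidate, never trusting anything below it. The sample headers, the hostnames and the trusted relay list are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample message headers. The topmost Received: line was added by
# our own MTA (mx.example.org); the second by a relay we trust; the third was
# written by the sending host itself and may say anything at all.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (8.12.11/8.12.11) with ESMTP id i4EEUPxx000123
\tfor <user@example.org>; Fri, 14 May 2004 10:30:25 -0400
Received: from infected-pc (dsl-203-0-113-77.isp.example [203.0.113.77])
\tby mail.example.net (Postfix) with SMTP id ABC123
Received: from forged.example.com (forged.example.com [198.51.100.5])
\tby infected-pc with SMTP
From: victim@example.com
Subject: test
"""

# Address in square brackets, as Sendmail/Postfix write the connecting peer.
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def unfold_headers(raw):
    """Join RFC 2822 continuation lines (leading space/tab) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return the peer IP named in each Received: header, topmost (newest) first.

    Only the 'from ...' part before ' by ' is inspected, so the IP is the one
    the receiving MTA saw on the wire, not something from the 'by' or 'id' part.
    A hop whose IP cannot be parsed is recorded as None.
    """
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        from_part = line.split(" by ", 1)[0]
        m = RECEIVED_IP.search(from_part)
        hops.append(m.group(1) if m else None)
    return hops


def originating_ip(raw, trusted_relays):
    """Pick the IP to report: the first hop not operated by us or a trusted relay.

    Headers are trusted from the top down only as far as the MTAs that wrote
    them are ours; the first foreign peer is the best evidence we have, and
    everything below it is taken as untrusted and ignored. Returns None when
    a hop we would need to trust cannot be parsed.
    """
    nets = [ip_network(n) for n in trusted_relays]
    for ip in received_hops(raw):
        if ip is None:
            return None
        if not any(ip_address(ip) in net for net in nets):
            return ip
    return None


if __name__ == "__main__":
    # Assumption for the example: 192.0.2.0/24 holds relays we trust.
    print(received_hops(SAMPLE_HEADERS))
    print(originating_ip(SAMPLE_HEADERS, ["192.0.2.0/24"]))
```

With the trusted list empty, the function simply returns the peer that connected to our MTA, which is the only IP that cannot be forged by the sender; each network added to the list extends trust one hop deeper, so the list should contain only relays whose Received: headers we can vouch for.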