[Mimedefang] Accuracy of infected IP in mdlog

Jonas Eckerman jonas_lists at frukt.org
Mon May 17 06:51:33 EDT 2004


On Mon, 17 May 2004 09:15:39 +0200, Jerome Tytgat wrote:

> >  Actually, MIMEDefang's log lines are very accurate, but you
> >  were searching for information that MIMEDefang doesn't even
> >  know about.

>  I don't think so, the information appears in the Headers but is
>  just ignored.

Exactly. MIMEDefang completely ignores the headers, and therefore doesn't know about any info that might be found there.

If you want MIMEDefang to analyze the headers, you have to implement it yourself in your filter.

Personally, I have implemented this, but not for virus mails. My filter does analyze Received-headers in order to find if mails have passed through blacklisted relays or if a relay has used a forged HELO when sending to our mail backup.

Programmatically checking all Received lines in order to find out which PC is infected by a virus is a lot more difficult though. This is partly because there's no single standard all relays follow when creating Received-headers (compare Sendmail to Exim for example) and partly because faked Received-headers are so common.

/Jonas

-- 
Jonas Eckerman, jonas_lists at frukt.org
http://www.fsdb.org/
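The kind of Received-header walk Jonas describes, as an added example that is not part of the original post and not Jonas's filter or any MIMEDefang API: it parses both the Sendmail and the Exim header shapes, trusts only the headers written by relays we operate, flags a peer that announces one of our own hostnames in HELO (forged HELO to a backup MX) or appears on a blacklist, and stops at the first address that is not ours, since every header below that point was supplied by the sender and may be forged. The relay names, networks, blacklist entries and the three sample headers are all constructed for the example; the blacklist set stands in for a DNSBL lookup so the code runs offline.

```python
"""Walk a message's Received: chain from the top (most recent hop) down,
trusting only the headers added by relays we operate, and stop at the first
address that is not ours: that is the last client we can actually verify.
Example code added here; not MIMEDefang's own API and not the poster's filter."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumptions for this example (constructed, not from the original post):
OUR_RELAYS = {"mx.example.com", "backup-mx.example.com"}  # hostnames we run
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]       # addresses we run
BLACKLIST = {"198.51.100.7"}  # stand-in for a DNSBL answer so this runs offline


@dataclass
class Hop:
    helo: Optional[str]  # name the client gave in HELO/EHLO (never verified)
    rdns: Optional[str]  # reverse DNS the receiving relay looked up, if any
    ip: str              # peer address as seen by the receiving relay
    by: str              # relay that wrote this header


# Sendmail writes "from HELO (rDNS [IP]) by ..." or "from HELO ([IP]) by ..."
SENDMAIL_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")
# Exim writes "from [IP] (helo=NAME) by ..." when there is no reverse DNS, or
# "from rDNS ([IP] helo=NAME) by ..." (helo= is omitted when it equals the rDNS name)
EXIM_NORDNS_RE = re.compile(
    r"^from\s+\[(?P<ip>[^\]]+)\]\s+\(helo=(?P<helo>[^)\s]+)\)\s+by\s+(?P<by>\S+)")
EXIM_RDNS_RE = re.compile(
    r"^from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[^\]]+)\](?:\s+helo=(?P<helo>[^)\s]+))?\)\s+by\s+(?P<by>\S+)")


def parse_received(header: str) -> Optional[Hop]:
    """Parse the value of one Received: field (field name already stripped)."""
    text = " ".join(header.split())  # unfold continuation lines
    # "from name ([ip])" means HELO=name under Sendmail but rDNS=name under Exim,
    # so choose the grammar from the MTA banner, not from the clause itself.
    patterns = [EXIM_NORDNS_RE, EXIM_RDNS_RE] if "(Exim" in text else [SENDMAIL_RE]
    for pat in patterns:
        m = pat.match(text)
        if m:
            d = m.groupdict()
            helo, rdns = d.get("helo"), d.get("rdns")
            if helo is None and rdns is not None:
                helo = rdns  # Exim omits helo= when HELO matched the rDNS name
            return Hop(helo=helo, rdns=rdns, ip=d["ip"], by=d["by"])
    return None


def is_ours(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable literal: treat as external
    return any(addr in net for net in OUR_NETWORKS)


def analyze(received_headers: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return (origin_ip, findings). origin_ip is the first address in the chain
    that one of our relays saw and that we do not operate; None if the chain is
    unusable. Headers below that point came from the sender and may be forged."""
    findings: List[str] = []
    for raw in received_headers:  # index 0 is the most recently added header
        hop = parse_received(raw)
        if hop is None:
            findings.append("unparseable Received header; stopping")
            return None, findings
        if hop.by.lower() not in OUR_RELAYS:
            findings.append(f"header claims to be written by {hop.by}, not by us; stopping")
            return None, findings
        # This header was written by our relay, so hop.ip is what we really saw.
        if hop.helo and hop.helo.lower() in OUR_RELAYS and not is_ours(hop.ip):
            findings.append(f"forged HELO: {hop.ip} announced itself as {hop.helo}")
        if hop.ip in BLACKLIST:
            findings.append(f"blacklisted relay: {hop.ip}")
        if not is_ours(hop.ip):
            return hop.ip, findings  # first external hop; nothing below is verifiable
        # hop.ip is another relay of ours, so the header it wrote (next in list) is trusted too
    findings.append("ran out of headers without leaving our own relays")
    return None, findings


# Constructed sample: submitted by an external client to our Exim backup MX
# (forging our primary's name in HELO), relayed to our Sendmail primary, with a
# forged "earlier hop" planted by the client at the bottom of the chain.
SAMPLE_RECEIVED = [
    "from backup-mx.example.com (backup-mx.example.com [192.0.2.20]) by mx.example.com (8.12.11/8.12.11) with ESMTP id i4H7FdAb012345 for <user@example.com>; Mon, 17 May 2004 09:15:39 +0200",
    "from [198.51.100.7] (helo=mx.example.com) by backup-mx.example.com with esmtp (Exim 4.30) id 1BPfiv-0001Bt-00 for user@example.com; Mon, 17 May 2004 09:14:58 +0200",
    "from innocent.example.org (innocent.example.org [203.0.113.9]) by smtp.example.net (8.12.11/8.12.11) with ESMTP id i4H7E0xy000001; Mon, 17 May 2004 09:14:00 +0200",
]

if __name__ == "__main__":
    origin, notes = analyze(SAMPLE_RECEIVED)
    print("origin:", origin)
    for note in notes:
        print("-", note)
```

The walk stops at 198.51.100.7 and never looks at the bottom header, so the innocent 203.0.113.9 is not blamed; a naive "take the lowest Received line" approach would have pointed at it. In a real filter the blacklist set would be replaced by a DNSBL query and the two relay sets by your own inventory.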