[Mimedefang] Accuracy of infected IP in mdlog

Jerome Tytgat jerome.tytgat at asterion.fr
Mon May 17 06:55:56 EDT 2004


> 
> MIMEDefang never tries to tell you which system is infected. It just logs the address of the relay that connected to your sendmail server.

Ok I missed that point.

> Before you decide to not trust MIMEDefang's log lines, it would be a good idea for you to find out what they are supposed to contain. Nowhere in the docs for MIMEDefang does it say *anything* about MIMEDefang logging the IPs of infected computers.

Again I thought it was that...

> 
> And since MIMEDefang doesn't analyze Received-headers unless you implement it yourself in your filter, how on earth do you expect MIMEDefang to have even the slightest idea about any relays other than the one whose address MIMEDefang gets from sendmail?

It doesn't analyze them, you are right.

Maybe I'm wrong, but I thought MIMEDefang was more than just a milter
that passes mails to clamav/spamassassin.

I thought we could do some correlation on headers, validating From fields,
validating HELO, and other things.

Maybe it does not exist right now, but it might be a good idea to try
to correlate some information in the HEADERS, if it's possible.

By no means am I saying that I can do it, but I suggest it.
I don't know if it's possible; I believe it is, but I might be wrong.



Jerome
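The point made in the quoted reply above is that the IP in the mdlog line is the socket peer sendmail handed to the milter, and that anything about earlier hops has to come from parsing Received: headers in your own filter. The following is an added example (not code from this thread or from MIMEDefang, whose filters are written in Perl) that parses a header block and separates the one hop our own MTA recorded from the hops asserted by upstream MTAs. The header sample, host names and addresses are constructed for the illustration.

```python
import re

# Constructed sample (not from the original thread). The topmost Received: line
# is the one our own MTA (mx.ourdomain.example) added, so its bracketed IP is the
# relay that actually connected to sendmail; that is the address a milter such as
# MIMEDefang is handed and logs. Every earlier hop was written by someone else's
# MTA and is only asserted text as far as our server is concerned.
SAMPLE_HEADERS = """\
Received: from mail.relay.example (mail.relay.example [192.0.2.10])
    by mx.ourdomain.example (8.12.11/8.12.11) with ESMTP id i4HAtuXX00001
    for <user@ourdomain.example>; Mon, 17 May 2004 10:55:56 +0000
Received: from dell-pc (unknown [10.1.2.3])
    by mail.relay.example (Postfix) with SMTP id ABC123
    for <user@ourdomain.example>; Mon, 17 May 2004 10:55:50 +0000
From: someone@example.net
Subject: test

body text
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the client announced in HELO/EHLO
    r"(?:\s+\((?P<comment>[^)]*)\))?"   # MTA-added comment, usually "rdns [ip]"
    r".*?\bby\s+(?P<by>\S+)",           # the MTA that wrote this header
    re.I | re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Return the header block as a list of logical (unfolded) header lines."""
    lines = []
    for line in raw.splitlines():
        if line == "":                          # blank line ends the header block
            break
        if line[:1] in (" ", "\t") and lines:   # continuation of previous header
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(value):
    """Pull HELO name, MTA-observed IP and receiving host out of one Received: value."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip_match = IP_RE.search(m.group("comment") or "")
    return {
        "helo": m.group("helo"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by"),
    }


def relay_chain(raw):
    """All hops, most recent first (index 0 is the hop our own MTA recorded)."""
    chain = []
    for line in unfold_headers(raw):
        name, _, value = line.partition(":")
        if name.lower() == "received":
            hop = parse_received(value)
            if hop:
                chain.append(hop)
    return chain


def connecting_relay(raw):
    """The IP sendmail saw on the socket: the only hop our server can vouch for."""
    chain = relay_chain(raw)
    return chain[0]["ip"] if chain else None


if __name__ == "__main__":
    for i, hop in enumerate(relay_chain(SAMPLE_HEADERS)):
        tag = "recorded by our MTA" if i == 0 else "asserted by upstream MTA"
        print(f"hop {i}: {hop['ip']} (helo {hop['helo']}) -> {hop['by']}  [{tag}]")
```

Only `connecting_relay()` corresponds to what the log line in this thread reports; the rest of the chain is useful for correlation inside a filter, but each of those hops was written by a machine you do not control, so treat it as a hint when chasing an infected host, not as evidence.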