Faked headers, etc. (was Re: [Mimedefang] Accuracy of infected IP in mdlog)
David F. Skoll
dfs at roaringpenguin.com
Mon May 17 09:04:35 EDT 2004
On Mon, 17 May 2004, Jerome Tytgat wrote:
> I was wondering now, if there's possibility to validate some fields
> in the Headers (or to unvalidate them) to alert about faked HELO,
> HEADERS, etc.
> Is there any possibility to warm about something which looks like faked ?
It's pretty difficult to do this accurately. SpamAssassin has some
rules that look for obviously-faked headers; the MIMEDefang slides
have some suggestions for detecting obviously-faked HELO arguments.
However, all of these rules can have false-positives. They also fall
into the realm of "policy" rather than "mechanism", so they are not
built into MIMEDefang by default.
Regards,
David.
More information about the MIMEDefang
mailing list