[Mimedefang] resend_message question

Charles Mount cmount at csc.com
Wed Jul 6 17:52:42 EDT 2005





I manage a set of internal mailhubs in a large company.  The corporate
policy states that all mail to the internet must go through one of these
mail hubs and then through a set of relays in the DMZ.
The mailhubs are all running Sendmail Switch with MimeDefang and
SpamAssassin.
We use a fairly normal two firewall DMZ setup.   The firewalls are
configured to only allow mail between the internal mail hub and the DMZ
relay to travel through the inside firewall and only mail to/from the DMZ
relays to travel through the external firewall.   Both firewall layers are
configured to proxy any other email attempting to get to the internet back
to the internal mailhub.
My job is to identify all computers and processes which are attempting to
send directly to the internet; find the owner; and request a configuration
change.   By far the biggest volume is virus generated messages, so I have
to separate the virus messages from the otherwise legitimate mail.
The headers and sendmail logs list the node name and IP address of the
firewall rather than the originating computer.   The firewall logs only
have a timestamp and the source IP address.   They do not specify which of
the mailhubs the message was bounced to.  We have separate firewalls in the
US, UK, Europe, and Asia.  The addresses of the firewalls are all in the
same range which does not occur elsewhere in the company.

What I want to do is to capture these messages to get more information on
their source.  My idea is to use this command.   I need to know where to
put it within mimedefang-filter.

if ($ip =~ /^123\.234\./) {resend_message('firewall.bounce@comp.any');}

I assume I will also need a line like
my($sender, $ip, $name, $helo) = @_;
which I also need to know where to put.


Thanks,
Charles
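
One possible placement for the check asked about above, as an added example that is not part of the original post and not MIMEDefang's own code. It assumes the 123.234 range and the capture address are the post's placeholders; `is_firewall_relay` and `$CAPTURE_RCPT` are hypothetical names. It uses `filter_begin` and the `$RelayAddr` global instead of the `@_` line.

```perl
# Added example for mimedefang-filter (not from the original post).
# Assumes 123.234.x.x is the firewall range and firewall.bounce@comp.any
# is the capture mailbox, both placeholders taken from the post.
use strict;
use warnings;

# Globals that mimedefang.pl sets before it calls filter_begin.
our ($RelayAddr, $RelayHostname, $Sender, $Helo, $QueueID);

my $CAPTURE_RCPT = 'firewall.bounce@comp.any';   # hypothetical name

# True when the connecting relay is one of the proxying firewalls.
# The dots are escaped and the pattern is anchored at both ends, so
# strings such as 123.23.4.1 or 1230234.1.1 do not match.
sub is_firewall_relay {
    my ($ip) = @_;
    return defined $ip && $ip =~ /^123\.234\.\d{1,3}\.\d{1,3}$/ ? 1 : 0;
}

# filter_begin runs once per message, before any MIME part is examined,
# so the copy is sent exactly once (filter() runs once per part).
sub filter_begin {
    my ($entity) = @_;
    return unless is_firewall_relay($RelayAddr);

    # Log which firewall handed the message over, for correlation with
    # the firewall's own timestamp and source-IP log.
    md_syslog('info', sprintf(
        'fw-proxied mail: qid=%s relay=%s (%s) helo=%s sender=%s',
        $QueueID, $RelayAddr, $RelayHostname, $Helo, $Sender));

    # resend_message sends the original, unmodified message, including
    # any virus attachment, so the capture mailbox holds live samples.
    resend_message($CAPTURE_RCPT)
        or md_syslog('warning', "resend to $CAPTURE_RCPT failed for $QueueID");
}

# Stand-alone self-check on constructed addresses: perl this_file.pl
unless (caller) {
    for my $ip ('123.234.10.5', '123.23.4.1', '1230234.1.1', '10.0.0.1') {
        printf "%-14s %s\n", $ip, is_firewall_relay($ip) ? 'capture' : 'pass';
    }
}

1;
```

If the filter already defines `filter_begin`, only the body of the sub needs to be merged into it.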




