[Mimedefang] Faked Received + Old Lists

Damrose, Mark mdamrose at elgin.edu
Tue Nov 28 12:54:50 EST 2006


> -----Original Message-----
> From: Joseph Brennan

> The lower Received header is faked.  columbia.edu resolves to 
> external-smtp-multi-vif.cc.columbia.edu, but that's a virtual 
> interface, not a host.  

> > Received: from [212.251.108.145] (port=40748
> > 	helo=ppp25-145.adsl.forthnet.gr)
> > 	by external-smtp-multi-vif.cc.columbia.edu with esmtp
> > 	id 515070-515070-81 for system at cu20b.columbia.edu;
> > 	Tue, 28 Nov 2006 10:51:44 +0200 (EET)

I've been seeing these as well.

After a couple of false starts with false positives, here are the
rules that seem to be working:

header __ECC_FORGED_SMTPGATE3_RCVD1 Received =~ /(?<!via\ssmtpd\s\(for\s)smtpgate3\.elgin\.edu\s(?!\(MIMEDefang\)\swith\sESMTP)/
header __ECC_FORGED_SMTPGATE3_RCVD2 Received =~ /by\ssmtpgate3\.elgin\.edu\swith\sesmtp/
meta ECC_FORGED_SMTPGATE3_RCVD __ECC_FORGED_SMTPGATE3_RCVD1 || __ECC_FORGED_SMTPGATE3_RCVD2


smtpgate3.elgin.edu is my MX host.  According to what you posted, they
must be using the rdns to generate the header.  So you may need multiple
rules if you have different rdns on multiple interfaces.

The RCVD2 rule catches this exact variation.
The RCVD1 rule catches any mention of my host name in a received header
except if preceded by "via smtpd (for " as generated by MS smtpd or
followed by "(MIMEDefang) with ESMTP" as generated by MD.
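The same two checks, rewritten as an added Python example (not part of the original post or of SpamAssassin/MIMEDefang) so the lookbehind/lookahead logic can be exercised against sample headers. The host name is the poster's smtpgate3.elgin.edu; the four Received headers below are constructed for illustration, with the "forged" one modelled on the shape of the header quoted above (documentation addresses, no real hosts). Python's re handles the fixed-width negative lookbehind exactly as Perl does, so the patterns carry over unchanged.

```python
import re

# The local MX host name (from the post). Replace with your own MX, and add one
# pattern per reverse-DNS name if your MX answers on several interfaces.
MX_HOST = "smtpgate3.elgin.edu"
_HOST = re.escape(MX_HOST)

# RCVD1: any mention of the MX host followed by whitespace, except when it is
# preceded by "via smtpd (for " (MS smtpd) or followed by "(MIMEDefang) with
# ESMTP" (the stamp MIMEDefang itself writes).  Case-sensitive, like the
# SpamAssassin rule it mirrors.
RCVD1 = re.compile(
    r"(?<!via\ssmtpd\s\(for\s)" + _HOST + r"\s(?!\(MIMEDefang\)\swith\sESMTP)"
)

# RCVD2: the exact variation seen in the spam, "by <mx> with esmtp" (lowercase,
# with no MIMEDefang stamp in between).
RCVD2 = re.compile(r"by\s" + _HOST + r"\swith\sesmtp")


def check_received(header: str) -> dict:
    """Evaluate one (already unfolded or folded) Received header value.

    Returns the two sub-rule results and the meta result, mirroring
    ECC_FORGED_SMTPGATE3_RCVD = RCVD1 || RCVD2.
    """
    r1 = RCVD1.search(header) is not None
    r2 = RCVD2.search(header) is not None
    return {"RCVD1": r1, "RCVD2": r2, "FORGED": r1 or r2}


# Constructed sample headers (hypothetical hosts, RFC 5737 addresses).
SAMPLE_HEADERS = {
    # Genuine stamp written by MIMEDefang on the MX: must NOT fire.
    "legit_mimedefang": (
        "from mail.example.org (mail.example.org [203.0.113.5])\n"
        "\tby smtpgate3.elgin.edu (MIMEDefang) with ESMTP id kASI0abc;\n"
        "\tTue, 28 Nov 2006 12:00:00 -0600"
    ),
    # Genuine MS smtpd style mention "via smtpd (for <mx> ...": must NOT fire.
    "legit_ms_smtpd": (
        "from host.example.net ([198.51.100.7]) by relay.example.net\n"
        "\tvia smtpd (for smtpgate3.elgin.edu [192.0.2.10]) with SMTP;\n"
        "\tTue, 28 Nov 2006 11:30:00 -0600"
    ),
    # Forged header claiming the MX relayed it, in the spammer's format: fires.
    "forged": (
        "from [203.0.113.77] (port=40748\n"
        "\thelo=ppp-example.invalid)\n"
        "\tby smtpgate3.elgin.edu with esmtp\n"
        "\tid 515070-515070-81 for someone at elgin.edu;\n"
        "\tTue, 28 Nov 2006 10:51:44 +0200 (EET)"
    ),
    # Header that never mentions the MX at all: must NOT fire.
    "unrelated": (
        "from other.example.com (other.example.com [192.0.2.44])\n"
        "\tby mx.example.com with ESMTP id 1234;\n"
        "\tTue, 28 Nov 2006 09:00:00 -0600"
    ),
}


def scan_samples(samples=SAMPLE_HEADERS) -> dict:
    """Run the rules over every sample and return {name: meta-result}."""
    return {name: check_received(hdr)["FORGED"] for name, hdr in samples.items()}


if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(f"{name:18s} {check_received(hdr)}")
```

RCVD1 is deliberately broad: it fires on any whitespace-terminated mention of the MX name that is not one of the two legitimate stamps, which is why the post warns about false starts; RCVD2 is the narrow signature of the observed forgery. Keep both as subrules under a single scored meta rule, as the original does, so a change in the spammer's template only requires adjusting one pattern.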
