[Mimedefang] Faked Received + Old Lists
Damrose, Mark
mdamrose at elgin.edu
Tue Nov 28 14:21:49 EST 2006
-----Original Message-----
> From: Damrose, Mark
> After a couple of false starts with false positives, here's
> the rules that seem to be working
>
> header __ECC_FORGED_SMTPGATE3_RCVD1 Received =~ /(?<!via\ssmtpd\s\(for\s)smtpgate3\.elgin\.edu\s(?!\(MIMEDefang\)\swith\sESMTP)/
> header __ECC_FORGED_SMTPGATE3_RCVD2 Received =~ /by\ssmtpgate3.elgin.edu\swith\sesmtp/
> meta ECC_FORGED_SMTPGATE3_RCVD __ECC_FORGED_SMTPGATE3_RCVD1 || __ECC_FORGED_SMTPGATE3_RCVD2
Doh! One more false positive to add...
Mail from an internal mail server that passes outbound to a
list and comes back. The real sendmail Received header is not
exactly the same as the one MD adds.
I added a rule that matched the internal host (sorry, not posting
the details here) and changed the meta rule to:
meta ECC_FORGED_SMTPGATE3_RCVD ( __ECC_FORGED_SMTPGATE3_RCVD1 || __ECC_FORGED_SMTPGATE3_RCVD2 ) && ! __ECC_VALID_EXCHANGE
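
A small regression harness for these rules, added here as an example and not part of the original post: it runs the post's two patterns and both versions of the meta rule over constructed Received headers, so a false positive like the list round trip shows up before a rule change is deployed. The `exchange.internal.example` pattern stands in for the undisclosed `__ECC_VALID_EXCHANGE` rule, and the sample headers, addresses and queue ids are assumptions.

```python
import re

# Patterns copied from the post's rules, each rejoined onto one line.
RCVD1 = re.compile(r"(?<!via\ssmtpd\s\(for\s)smtpgate3\.elgin\.edu\s"
                   r"(?!\(MIMEDefang\)\swith\sESMTP)")
RCVD2 = re.compile(r"by\ssmtpgate3.elgin.edu\swith\sesmtp")
# ASSUMPTION: the post withholds __ECC_VALID_EXCHANGE; this host is a placeholder.
VALID_EXCHANGE = re.compile(r"from\sexchange\.internal\.example\s")

def evaluate(received_headers):
    """Evaluate the sub-rules and both meta rules over a message's Received headers.

    Simplification: each header is unfolded and tested on its own.
    """
    hdrs = [re.sub(r"\s+", " ", h).strip() for h in received_headers]
    hit = lambda rx: any(rx.search(h) for h in hdrs)
    r1, r2, ok = hit(RCVD1), hit(RCVD2), hit(VALID_EXCHANGE)
    return {"rcvd1": r1, "rcvd2": r2, "valid_exchange": ok,
            "meta_original": r1 or r2,
            "meta_revised": (r1 or r2) and not ok}

# Constructed sample headers (documentation addresses, made-up queue ids).
GATEWAY = ("from mail.example.net (mail.example.net [192.0.2.10])\n"
           "\tby smtpgate3.elgin.edu (MIMEDefang) with ESMTP id kASJLn01")
SAMPLES = {
    "genuine inbound": [GATEWAY],
    "claims the gateway as sender": [
        GATEWAY,
        "from smtpgate3.elgin.edu (unknown [203.0.113.7])\n"
        "\tby mx.example.org with SMTP id 4F2A1",
    ],
    "internal mail back from a list": [
        GATEWAY,
        "from exchange.internal.example (exchange.internal.example [10.0.0.5])\n"
        "\tby smtpgate3.elgin.edu (8.13.8/8.13.8) with ESMTP id kASJ0002",
    ],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        r = evaluate(headers)
        print(f"{name:32} original={r['meta_original']} revised={r['meta_revised']}")
```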