[Mimedefang] Faked Received + Old Lists

Damrose, Mark mdamrose at elgin.edu
Wed Nov 29 15:53:14 EST 2006


> -----Original Message-----
> From: Joseph Brennan

> The lower Received header is faked.  columbia.edu resolves to 
> external-smtp-multi-vif.cc.columbia.edu, but that's a virtual 
> interface, not a host.  

> > Received: from [212.251.108.145] (port=40748
> > 	helo=ppp25-145.adsl.forthnet.gr)
> > 	by external-smtp-multi-vif.cc.columbia.edu with esmtp
> > 	id 515070-515070-81 for system at cu20b.columbia.edu;
> > 	Tue, 28 Nov 2006 10:51:44 +0200 (EET)

Here's a more generic test for the same header.  Not all of
the forged header attempts look like they relayed through
you.  About 1 in 20 are just random.

# Received line carries a correct-looking Exim signature, e.g. "with esmtp (Exim 4.63)"
header __ECC_VALID_EXIM Received =~ /with\s(?i:[ea]?smtpa?|local)\s\(Exim(?:\s\d\.\d\d)?\)/
# Received line carries the "(port=NNNNN helo=host)" clause seen in the forgeries
header __ECC_PORT_HELO Received =~ /\(port=\d{3,5}\shelo=[\d\w\.-]+\)/
# "(EET)" zone name with an offset other than +0200 or +0300
header __ECC_BAD_EET Received =~ /(?<!\+0[23]00\s)\(EET\)$/
meta ECC_FORGED_EXIM ( __ECC_PORT_HELO && ! __ECC_VALID_EXIM ) || __ECC_BAD_EET

There are a couple of variations on these.  The (port= helo=) 
appears to be an Exim forgery attempt.  This will look for any
Received header that has port= helo= and does not have a 
correct-looking Exim signature.

It will also trigger on the EET time zone with an incorrect 
TZ offset (+0200 during daylight savings, +0300 otherwise).
The header above happens to be the correct offset, but most
of them aren't. 
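The three sub-rules and the meta rule above, transcribed into Python and run over a few Received headers, as an added example that is not part of Mark's post or the MIMEDefang/SpamAssassin code. The first sample is the forged header quoted from Joseph's message; the other three (a genuine-looking Exim line, a non-Exim line with a wrong EET offset, and an ordinary Postfix line) are constructed here for illustration, and the hostnames and message IDs in them are invented.

```python
import re

# The sub-rules from the post, transcribed as Python regexes.
# Python 3.6+ is assumed for the scoped (?i:...) flag group.
VALID_EXIM = re.compile(r'with\s(?i:[ea]?smtpa?|local)\s\(Exim(?:\s\d\.\d\d)?\)')
PORT_HELO = re.compile(r'\(port=\d{3,5}\shelo=[\d\w\.-]+\)')
BAD_EET = re.compile(r'(?<!\+0[23]00\s)\(EET\)$')


def unfold(header):
    """Drop the 'Received:' field name and join a folded header onto one line."""
    body = header.split(':', 1)[1] if header.lstrip().lower().startswith('received:') else header
    return ' '.join(body.split())


def forged_exim(received):
    """Evaluate the sub-rules on one Received header.

    Returns (meta_hit, sub_rule_hits) where meta_hit mirrors
    ECC_FORGED_EXIM = ( __ECC_PORT_HELO && ! __ECC_VALID_EXIM ) || __ECC_BAD_EET
    """
    h = unfold(received)
    hits = {
        '__ECC_VALID_EXIM': bool(VALID_EXIM.search(h)),
        '__ECC_PORT_HELO': bool(PORT_HELO.search(h)),
        '__ECC_BAD_EET': bool(BAD_EET.search(h)),
    }
    meta = (hits['__ECC_PORT_HELO'] and not hits['__ECC_VALID_EXIM']) or hits['__ECC_BAD_EET']
    return meta, hits


def scan(samples):
    """Map each sample name to whether ECC_FORGED_EXIM would fire on it."""
    return {name: forged_exim(hdr)[0] for name, hdr in samples.items()}


# Sample Received headers. The first is the forged header quoted in the thread;
# the rest are constructed for this example (hosts and IDs are invented).
SAMPLES = {
    'forged_from_post': """Received: from [212.251.108.145] (port=40748
\thelo=ppp25-145.adsl.forthnet.gr)
\tby external-smtp-multi-vif.cc.columbia.edu with esmtp
\tid 515070-515070-81 for system at cu20b.columbia.edu;
\tTue, 28 Nov 2006 10:51:44 +0200 (EET)""",
    # port=/helo= clause plus a real Exim signature: should not fire
    'real_exim': """Received: from [203.0.113.5] (port=51234 helo=mail.example.net)
\tby mx.example.org with esmtp (Exim 4.63)
\tid 1GxYz-0001Ab-Cd for user@example.org;
\tTue, 28 Nov 2006 10:51:44 +0200 (EET)""",
    # no port=/helo=, but EET paired with a -0500 offset: fires via __ECC_BAD_EET
    'bad_eet_offset': """Received: from [198.51.100.23] by mx.example.org with esmtp
\tid 123456-123456-77 for user@example.org;
\tTue, 28 Nov 2006 03:51:44 -0500 (EET)""",
    # ordinary Postfix line: nothing matches
    'postfix': """Received: from mail.example.com (mail.example.com [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTP id 4A1B2C3D
\tfor <user@example.org>; Tue, 28 Nov 2006 08:51:44 -0500 (EST)""",
}


if __name__ == '__main__':
    for name, hdr in SAMPLES.items():
        meta, hits = forged_exim(hdr)
        print(f"{name:18s} ECC_FORGED_EXIM={meta}  {hits}")
```

One difference from SpamAssassin worth keeping in mind: a `header Received` rule there is matched against the message's Received headers as a whole, while this script evaluates each header on its own, so the `$` anchor in `__ECC_BAD_EET` may behave differently in a message with several Received lines. Treat the per-header results as an illustration of the patterns rather than an exact emulation of the rule engine.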




More information about the MIMEDefang mailing list