[Mimedefang] Faked Received + Old Lists
Damrose, Mark
mdamrose at elgin.edu
Wed Nov 29 15:53:14 EST 2006
> -----Original Message-----
> From: Joseph Brennan
> The lower Received header is faked. columbia.edu resolves to
> external-smtp-multi-vif.cc.columbia.edu, but that's a virtual
> interface, not a host.
> > Received: from [212.251.108.145] (port=40748
> > helo=ppp25-145.adsl.forthnet.gr)
> > by external-smtp-multi-vif.cc.columbia.edu with esmtp
> > id 515070-515070-81 for system at cu20b.columbia.edu;
> > Tue, 28 Nov 2006 10:51:44 +0200 (EET)
Here's a more generic test for the same header. Not all of
the forged header attempts look like they relayed through
you. About 1 in 20 are just random.
header __ECC_VALID_EXIM Received =~ /with\s(?i:[ea]?smtpa?|local)\s\(Exim(?:\s\d\.\d\d)?\)/
header __ECC_PORT_HELO Received =~ /\(port=\d{3,5}\shelo=[\d\w\.-]+\)/
header __ECC_BAD_EET Received =~ /(?<!\+0[23]00\s)\(EET\)$/
meta ECC_FORGED_EXIM ( __ECC_PORT_HELO && ! __ECC_VALID_EXIM ) || __ECC_BAD_EET
There are a couple of variations on these. The (port= helo=)
appears to be an Exim forgery attempt. This will look for any
Received header that has port= helo= and does not have a
correct-looking Exim signature.
It will also trigger on the EET time zone with an incorrect
TZ offset (+0200 during daylight savings, +0300 otherwise).
The header above happens to be the correct offset, but most
of them aren't.
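As an added illustration (not part of Mark's post, nor SpamAssassin code), here are the three sub-rules and the meta rule transcribed into Python and run over constructed Received values; the unfold() helper and the two sample headers that are not the one quoted in the thread are assumptions made for the example.

```python
import re

# The SpamAssassin sub-rules from the post, as Python regexes. Header values
# are assumed already unfolded (continuation lines joined), which is how
# SpamAssassin presents them to "header" rules.
VALID_EXIM = re.compile(r"with\s(?i:[ea]?smtpa?|local)\s\(Exim(?:\s\d\.\d\d)?\)")
PORT_HELO = re.compile(r"\(port=\d{3,5}\shelo=[\d\w\.-]+\)")
BAD_EET = re.compile(r"(?<!\+0[23]00\s)\(EET\)$")


def unfold(raw):
    """Join RFC 5322 folded continuation lines into a single header value."""
    return re.sub(r"\r?\n[ \t]+", " ", raw.strip())


def check_received(value):
    """Evaluate the sub-rules and the ECC_FORGED_EXIM meta rule on one value."""
    port_helo = bool(PORT_HELO.search(value))
    valid_exim = bool(VALID_EXIM.search(value))
    bad_eet = bool(BAD_EET.search(value))
    return {
        "__ECC_PORT_HELO": port_helo,
        "__ECC_VALID_EXIM": valid_exim,
        "__ECC_BAD_EET": bad_eet,
        # meta ECC_FORGED_EXIM ( __ECC_PORT_HELO && ! __ECC_VALID_EXIM ) || __ECC_BAD_EET
        "ECC_FORGED_EXIM": (port_helo and not valid_exim) or bad_eet,
    }


# Constructed samples: the first mirrors the header quoted in the thread; the
# other two are made up (example.* hosts, invented ids) to show the other paths.
SAMPLES = {
    "forged_no_exim": unfold("""from [212.251.108.145] (port=40748
        helo=ppp25-145.adsl.forthnet.gr)
        by external-smtp-multi-vif.cc.columbia.edu with esmtp
        id 515070-515070-81 for system at cu20b.columbia.edu;
        Tue, 28 Nov 2006 10:51:44 +0200 (EET)"""),
    "real_exim": unfold("""from [192.0.2.10] (port=1234 helo=mail.example.net)
        by mx.example.org with esmtp (Exim 4.63)
        id 1Abcde-000123-Xy for user@example.org;
        Tue, 28 Nov 2006 10:51:44 +0200 (EET)"""),
    "bad_eet_offset": unfold("""from mail.example.net by mx.example.org with esmtp
        id 1Abcde-000124-Xz for user@example.org;
        Tue, 28 Nov 2006 10:51:44 +0100 (EET)"""),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, check_received(value))
```

The quoted header trips the meta rule through the port=/helo= clause alone (its +0200 offset keeps __ECC_BAD_EET off), while a header carrying a real-looking "(Exim 4.63)" signature passes.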