RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Andy Schmidt
Hi Dave, just sent you a zip file - hope it made it past your virus check. It has a few interesting cases to see if your new code picks up the CORRECT IP address. Always picking the first or the last IP address is not at all necessarily reliable. Received: from unknown (HELO 192.168.10.1)

Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Matt
Andy, One important thing of note here is that the first 5 examples you gave are in fact forged headers, and the information contained within them is fake and not at all useful. While I don't expect Declude to figure out that these are forged Received headers, one shouldn't worry about how

RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Andy Schmidt
Hi Matt, Sorry - but some of these are actually headers inserted by my OWN server. So they are NOT forged. Most of them are spam, but some of them were even false positives. Best Regards, Andy

Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Matt
You are right that I messed up on three of these. The following ones were definitely entirely forged: Received: from admd.net ([:::187.3.43.120]) (AUTH: LOGIN audito...@vazemaia.com.br) by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200 id

RE: [Declude.JunkMail] How to Correctly Parse RECEIVED Headers for IP Address

2009-11-05 Thread Andy Schmidt
Hi, Yes, Matt. I concur with your parsing algorithm! Dave - please take notice: So you first throw out all data before the FROM up till the next descriptor BY/WITH/FOR or end of the header, then you search for square brackets with an IP inside and nothing else, and take the last value
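
The parsing steps summarized in the message above, as far as the truncated excerpt states them, written out as an added Python example; it is not Declude's code and not part of any message in this thread. The function name `sender_ip` and the sample headers are constructed, and using the `ipaddress` module to decide "an IP inside and nothing else" is an assumption.

```python
import ipaddress
import re

# Text after "from", up to the next descriptor (by/with/for) or end of header.
FROM_CLAUSE = re.compile(r"\bfrom\s+(.*?)(?=\s(?:by|with|for)\s|$)", re.I)
BRACKETED = re.compile(r"\[([^\[\]]*)\]")

def sender_ip(received):
    """Return the bracketed IP from the from-clause of one Received header,
    or None when the clause carries no bracketed, well-formed IP."""
    unfolded = " ".join(received.split())        # undo header folding
    clause = FROM_CLAUSE.search(unfolded)
    if not clause:
        return None
    found = None
    for inner in BRACKETED.findall(clause.group(1)):
        try:
            # Brackets must hold an IP and nothing else; keep the last one.
            found = str(ipaddress.ip_address(inner))
        except ValueError:
            continue
    return found

# Constructed sample headers (documentation address ranges), not from the thread's zip.
SAMPLES = {
    "plain": "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
             "\tby mx.example.org with ESMTP; Thu, 05 Nov 2009 10:00:00 -0500",
    # HELO claims a bracketed private address; the last bracketed value wins.
    "helo_literal": "Received: from [10.0.0.5] (unknown [198.51.100.7]) "
                    "by mx.example.org with SMTP",
    # Unbracketed HELO text is sender-supplied and is ignored.
    "helo_only": "Received: from unknown (HELO 192.168.10.1)",
    # A bracketed IP in the by-clause is outside the from-clause.
    "by_clause": "Received: from host.example.com by mx.example.org "
                 "([192.0.2.99]) with SMTP",
    # Brackets that hold more than a well-formed IP are rejected.
    "malformed": "Received: from host.example.com ([:::187.3.43.120]) "
                 "by mx.example.org with esmtp",
    "ipv6": "Received: from mail.example.net ([2001:db8::1]) by mx.example.org",
}

def run_samples():
    return {name: sender_ip(header) for name, header in SAMPLES.items()}

if __name__ == "__main__":
    for name, ip in run_samples().items():
        print(f"{name:13} -> {ip}")
```

A header that yields `None` is better skipped in favour of the next Received line than resolved by falling back to the first or last address-looking string in it.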