> However, I'm having a problem with Declude triggering on reporting emails that are generated directly ON the gateway itself:

That's because the gateway is running an MTA that adds very poor Received: headers.


> - Declude parses IP Address 0.0.0.0
> - Declude parses HELO string of "userid"
>
> Here are the headers that Postfix generates for email that originates from that machine:

>> Received: from mail.dollardays.com [67.132.45.18] by
>> mail.webhost.hm-software.com with ESMTP
>>   (SMTPD32-8.14) id A4F0800114; Sat, 08 Jan 2005 04:16:32 -0500

That one is fine. Since you are IPBYPASSing 67.132.45.18, Declude JunkMail skips over that line.


>> Received: by mail.dollardays.com (Postfix)
>>  id BD39835A9D2; Sat,  8 Jan 2005 04:16:24 -0500 (EST)

This one is a very poor Received: header. It contains almost no useful information (since it is your server, you already know its name, and the time *could* be useful, but only if the server uses NTP).


>> Received: by mail.dollardays.com (Postfix, from userid 0)
>>  id A8FC335A9CE; Sat,  8 Jan 2005 04:16:24 -0500 (EST)

This, too, is a very poor Received: header. It, too, contains almost no useful information.


> As you can see, it
>
> a) has no FROM field in the received header -> that's what's causing the "0.0.0.0" being reported as the IP address

Correct.

> b) it's picking up "userid" from inside an SMTP header comment - the string is included inside parentheses, thus should NOT be interpreted by Declude.

Correct.

However, given how many "poor" (one step above "very poor") mailservers there are out there, we have to check inside SMTP comments. There are mailservers out there that include the IP (and probably 'from') in SMTP comments.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
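
An added example, not part of the original message and not Declude's code: a small Python parser run over the three Received: headers quoted above, once ignoring parenthesised comments and once scanning them, to show where "userid" and 0.0.0.0 come from. The regexes, the function names and the 0.0.0.0 fallback are assumptions chosen to mirror the behaviour reported in the thread; quoted-pairs inside comments are not handled.

```python
import re

# The three Received: values quoted in the message, unfolded to one line each.
HEADERS = [
    "from mail.dollardays.com [67.132.45.18] by mail.webhost.hm-software.com "
    "with ESMTP (SMTPD32-8.14) id A4F0800114; Sat, 08 Jan 2005 04:16:32 -0500",
    "by mail.dollardays.com (Postfix) id BD39835A9D2; "
    "Sat,  8 Jan 2005 04:16:24 -0500 (EST)",
    "by mail.dollardays.com (Postfix, from userid 0) id A8FC335A9CE; "
    "Sat,  8 Jan 2005 04:16:24 -0500 (EST)",
]

# Hypothetical patterns for this sketch; a real filter's rules may differ.
FROM = re.compile(r"\bfrom\s+([^\s()\[\];,]+)", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def split_comments(value):
    """Return (text outside comments, text inside comments); comments may nest."""
    outside, inside, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        else:
            (inside if depth else outside).append(ch)
            continue
        outside.append(" ")   # keep tokens on either side of a comment apart
        inside.append(" ")
    return "".join(outside), "".join(inside)

def parse_received(value, scan_comments):
    """Extract the HELO name and client IP; 0.0.0.0 stands for 'none found'."""
    clauses = value.split(";", 1)[0]            # drop the date-time part
    outside, inside = split_comments(clauses)
    text = outside + (inside if scan_comments else "")
    helo, ip = FROM.search(text), IPV4.search(text)
    return (helo.group(1) if helo else None, ip.group(0) if ip else "0.0.0.0")

def is_local_handoff(value):
    """No from clause outside comments: the line records no SMTP client."""
    return parse_received(value, scan_comments=False)[0] is None

if __name__ == "__main__":
    for h in HEADERS:
        print(parse_received(h, False), parse_received(h, True), is_local_handoff(h))
```

Only the third header changes between the two modes: scanning comments turns "from userid 0" into a HELO of "userid", while the first header parses the same either way.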


