Lanny Jason Godsey wrote:
> And what good does finding the MX records for a domain have to do with
> knowing if received headers have traversed a valid sender IP address?

As stated, whitelisting or bypassing some blacklisting checks. I do not consider using this as a blacklisting technique as it would have too many high false positives, but false negative rate could be low. I failed to mention that this type of check could award negative spam points via SpamAssassin or whatever point-based system is used. (Actually forgot about this point until after I sent the last email.)

> Next, this is easy to defeat, as I can simply toss in a legit received
> line from a real paypal mail. That is unless you mean the current host
> and not previous hops?

Absolutely not, I wouldn't trust ANYTHING in the received headers except what my system added and at that point I have direct access to that via the ACL rules before DATA.

> --- Wakko Warner <[EMAIL PROTECTED]> wrote:
>
> > Marc Perkel wrote:
> > > Richard Clayton wrote:
> > > The sender is [EMAIL PROTECTED]
> > > But the sending server in the received lines is accounting.paypal.com
> > >
> > > So - I want to grab just the "paypal.com" part and see if I can find
> > > that in the received lines. It's part of my anti-phishing code. The idea
> > > being that email from paypal.com will come from paypal servers somewhere
> > > in received.
> >
> > What's so hard about this???
> >
> > mx custserv.paypal.com.
> > > custserv.paypal.com does not exist, try again
> > mx accounting.paypal.com.
> > > accounting.paypal.com does not exist, try again
> > mx paypal.com.
> > > paypal.com MX 10 smtp1.sc5.paypal.com
> > > paypal.com MX 10 smtp2.nix.paypal.com
> > > paypal.com MX 10 smtp1.nix.paypal.com
> > mx com.
> > > com MX record currently not present
> >
> > Just strip the subdomain off until you get an MX. How difficult could that
> > be??? You can do this with embedded perl and it would be quite easy to do.
> >
> > Or you could compare all MX's
> >
> > If you're wondering about say demon.co.uk:
> > mx demon.co.uk.
> > > demon.co.uk MX 5 lon1-hub-internal.mail.demon.net
> > > demon.co.uk MX 5 anchor-hub-internal.mail.demon.net
> > mx co.uk.
> > > co.uk MX record currently not present
> > mx uk.
> > > uk MX record currently not present
> >
> > I use a trailing . to force it not to look the domain up by using my local
> > domain in /etc/resolv.conf
> >
> > --
> > Lab tests show that use of micro$oft causes cancer in lab animals
> > Got Gas???
> >
> > --
> > ## List details at http://www.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://www.exim.org/eximwiki/

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
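
The label-stripping MX lookup discussed in this thread, as an added Python example that is not part of any poster's message and not Exim code. The resolver function, the MX table (constructed from the lookups quoted above) and the sender local part are assumptions made so that it runs offline.

```python
# Constructed MX table copied from the lookups quoted in the thread, so the
# example runs offline; a live check would ask DNS instead.
SAMPLE_MX = {
    "paypal.com.": ["smtp1.sc5.paypal.com", "smtp2.nix.paypal.com",
                    "smtp1.nix.paypal.com"],
    "demon.co.uk.": ["lon1-hub-internal.mail.demon.net",
                     "anchor-hub-internal.mail.demon.net"],
}


def sample_resolver(fqdn):
    """Hypothetical resolver: MX hosts for a fully qualified name, or []."""
    return SAMPLE_MX.get(fqdn.lower(), [])


def mx_domain(domain, resolver=sample_resolver):
    """Strip leading labels until a name with MX records is found.

    Returns (name, mx_hosts), or (None, []) when only the TLD is left.
    """
    labels = domain.lower().rstrip(".").split(".")
    while len(labels) >= 2:
        name = ".".join(labels)
        hosts = resolver(name + ".")  # trailing dot: no resolv.conf search list
        if hosts:
            return name, hosts
        labels = labels[1:]
    return None, []


def sender_host_matches(sender, connecting_host, resolver=sample_resolver):
    """True if connecting_host lies inside the sender's MX-bearing domain.

    connecting_host must be the peer name the receiving MTA verified itself,
    never text taken from Received headers added by earlier hops.
    """
    base, _ = mx_domain(sender.rsplit("@", 1)[-1], resolver)
    if base is None:
        return False
    host = connecting_host.lower().rstrip(".")
    # Match on a label boundary so "notpaypal.com" does not pass.
    return host == base or host.endswith("." + base)


if __name__ == "__main__":
    # Constructed sender address; the thread's own addresses are redacted.
    print(mx_domain("custserv.paypal.com"))
    print(sender_host_matches("user@custserv.paypal.com", "accounting.paypal.com"))
```

In line with the reply above, a True result is only suitable as a whitelisting hint or a negative score in a point-based filter, not as grounds for rejecting mail.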
