Hey all, Recently I have seen an influx of SPAM including a fake Received: from header (not something new), but what is strange is the IP included is the hosts actual IP address and not a fake one. (Examples below)
So I have been trying to work out how to add an ACL to be able to scan for this - because as far as I am concerned I should never be receiving an email from an IP address that includes "Received: from [<same IP>]". If someone could point me in the right direction of even let me know if this is possible with the DATA ACL, that would be most appeciated. Examples: (My server is mailgate.freeparking.com) Received: from [82.133.13.138] by mailgate.freeparking.com with esmtp (Exim 4.69 #1 (Debian)) id 1M8v2x-0004kL-3z for <[email protected]>; Tue, 26 May 2009 07:42:25 -0400 Received: from [82.133.13.138] by smtp1.agent-mail.net; Tue, 26 May 2009 11:42:17 +0000 From: "Glenna Ford" <[email protected]> To: <[email protected]> Received: from [92.26.160.82] by mailgate.freeparking.com with esmtp (Exim 4.69 #1 (Debian)) id 1M8eAE-00060S-4S for <[email protected]>; Mon, 25 May 2009 13:40:44 -0400 Received: from [92.26.160.82] by smtpeu2.quark.ch; Mon, 25 May 2009 17:40:40 +0000 From: "Judson Lester" <[email protected]> To: <[email protected]> Received: from [89.35.129.85] by mailgate.freeparking.com with esmtp (Exim 4.69 #1 (Debian)) id 1M8qpk-0001aX-J6 for <[email protected]>; Tue, 26 May 2009 03:12:26 -0400 Received: from [89.35.129.85] by mx1.business.mindspring.com; Tue, 26 May 2009 09:12:23 +0200 From: "Faye Jensen" <[email protected]> To: <[email protected]> Received: from [207.5.140.190] (helo=tcook.flotec.com) by mailgate.freeparking.com with esmtp (Exim 4.69 #1 (Debian)) id 1M8dLA-0000Tj-Ey for <[email protected]>; Mon, 25 May 2009 12:47:58 -0400 Received: from [207.5.140.190] by mx2.hotmail.com; Mon, 25 May 2009 11:47:51 -0500 From: "Sondra Aldridge" <[email protected]> To: <[email protected]> Cheers, Mark -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
