Mark Little wrote:

> Recently I have seen an influx of SPAM including a fake Received: from
> header (not something new), but what is strange is the IP included is the
> host's actual IP address and not a fake one. 
> (Examples below) 
> 
> So I have been trying to work out how to add an ACL to be able to scan for
> this - because as far as I am concerned I should never be receiving an
> email from an IP address that includes "Received: from [<same IP>]".
> 
> If someone could point me in the right direction or even let me know if
> this is possible with the DATA ACL, that would be most appreciated.
> 
> Examples:
> 
> (My server is mailgate.freeparking.com) 
> 
> Received: from [82.133.13.138]
> by mailgate.freeparking.com with esmtp (Exim 4.69 #1 (Debian))
> id 1M8v2x-0004kL-3z
> for <[email protected]>; Tue, 26 May 2009 07:42:25 -0400
> Received: from [82.133.13.138] by smtp1.agent-mail.net; Tue, 26 May 2009
> 11:42:17 +0000
> From: "Glenna Ford" <[email protected]>
> To: <[email protected]>

Perhaps a condition like this?

condition = ${if eq{${if match{$h_Received:}{\Nfrom \[([\d\.]+)\]\N}{$1}{}}}{$sender_host_address}}

Do plenty of testing first though... Especially tests involving local 
mail. You might want to exclude certain IPs.

-- 
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
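
An offline way to try the comparison before putting it in an ACL (added example, not part of the original message and not Exim code): a Python model of the condition, run over constructed headers, including the local-mail case the reply says to test. It assumes the header text is what the sending host supplied and that the connecting address is empty for locally submitted mail; the function names and sample addresses are hypothetical.

```python
import re
from email import message_from_string

# Same pattern as the posted condition: "from [<dotted-quad>]"
FROM_LITERAL = re.compile(r"from \[([\d.]+)\]")

def claimed_ip(raw_headers):
    """First bracketed IP in any Received: header, or '' when there is none."""
    msg = message_from_string(raw_headers)
    m = FROM_LITERAL.search("\n".join(msg.get_all("Received", [])))
    return m.group(1) if m else ""

def posted_condition(raw_headers, sender_host_address):
    """Plain string equality, modelling the comparison in the posted condition."""
    return claimed_ip(raw_headers) == sender_host_address

def guarded_condition(raw_headers, sender_host_address, exempt=()):
    """Same comparison, but never true for local mail or exempted IPs."""
    if not sender_host_address or sender_host_address in exempt:
        return False
    return posted_condition(raw_headers, sender_host_address)

# Constructed samples (documentation addresses, not taken from the thread).
FORGED = (
    "Received: from [192.0.2.10] by smtp1.example.net;\n"
    " Tue, 26 May 2009 11:42:17 +0000\n"
    "From: sender@example.org\nTo: rcpt@example.com\n\n"
)
RELAYED = (
    "Received: from [198.51.100.7] by relay.example.net;\n"
    " Tue, 26 May 2009 11:40:00 +0000\n"
    "From: sender@example.org\nTo: rcpt@example.com\n\n"
)
LOCAL = "From: cron@example.com\nTo: root@example.com\n\n"

if __name__ == "__main__":
    cases = [("forged", FORGED, "192.0.2.10"),
             ("relayed", RELAYED, "192.0.2.25"),
             ("local", LOCAL, "")]
    for name, hdrs, ip in cases:
        print(name, posted_condition(hdrs, ip), guarded_condition(hdrs, ip))
```

In this model the unguarded comparison is true for a local message with no Received: header, because both sides are empty strings; the guarded variant is not.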