On Wed, 27 May 2009 23:57:52 +0200, "B. Johannessen" <[email protected]> wrote:
> Mark Little wrote:
>> Recently I have seen an influx of SPAM including a fake Received: from
>> header (not something new), but what is strange is the IP included is the
>> host's actual IP address and not a fake one.
>> (Examples below)
>>
>> So I have been trying to work out how to add an ACL to be able to scan for
>> this - because as far as I am concerned I should never be receiving an
>> email from an IP address that includes "Received: from [<same IP>]".
>
> Don't! There are legitimate reasons for such headers.
>
Hey,

I was playing around with it and have found so far only two cases (out of 200+ caught) that were legitimate emails, so I believe I am on to something, but I believe you are right and I want to get this down further.

I am now playing with detecting Received: from [<sender IP>] but excluding if [<sender IP>].+[<sender IP>] or [<sender IP>].+[127.0.0.1] are present. All the spammer examples I have seen only include the one IP, so I may reduce this to just excluding if there is a second [<ip.address>] on the line.

Thoughts?

Cheers,
Mark
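The heuristic Mark describes, as an added example that is not code from the thread and not Exim ACL syntax: a small Python model that takes the connecting host's address and the message's existing Received: header values, and flags a header that starts "from [<sender IP>]" while naming no second bracketed address. Both of Mark's exclusions ([ip].+[ip] and [ip].+[127.0.0.1]) collapse into that "second bracketed IP" rule. The function names, the RFC 5737 documentation addresses and the sample header values are constructed for the example; the check only understands IPv4 literals, since that is all the thread discusses.

```python
import re
from typing import List

# A bracketed IPv4 literal inside a Received: header value, e.g. "[192.0.2.10]".
# Assumption: only IPv4 literals are considered, as in the thread.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def bracketed_ips(received_value: str) -> List[str]:
    """All bracketed IPv4 literals in one Received: header value, in order."""
    return BRACKETED_IPV4.findall(received_value)


def looks_self_forged(received_value: str, sender_ip: str) -> bool:
    """Mark's heuristic: the header claims 'from [<sender IP>]' (the very host
    that is now delivering the message to us) and names no second bracketed
    address. A genuine hop recorded by the sending host normally carries a
    second literal (its own address again, or 127.0.0.1 for a loopback relay),
    which is exactly what the thread's two exclusions look for."""
    value = received_value.strip()
    if not value.startswith(f"from [{sender_ip}]"):
        return False
    return len(bracketed_ips(value)) == 1


def flagged_headers(received_values: List[str], sender_ip: str) -> List[str]:
    """Return the Received: values of a message that trip the heuristic."""
    return [v for v in received_values if looks_self_forged(v, sender_ip)]


# Constructed sample data: the connecting host and the Received: values already
# present in the message when it arrives (RFC 5737 addresses, not real hosts).
SENDER_IP = "192.0.2.10"
SAMPLE_RECEIVED = [
    # The pattern from the thread: the connecting host claims to have received
    # the message from its own address, with no other hop recorded.
    "from [192.0.2.10] by mail.example.net with SMTP; Wed, 27 May 2009 23:00:00 +0200",
    # Legitimate shape: the same address appears twice ([ip].+[ip]).
    "from [192.0.2.10] ([192.0.2.10]) by mail.example.net with ESMTP; Wed, 27 May 2009 23:00:01 +0200",
    # Legitimate shape: loopback relay on the sending host ([ip].+[127.0.0.1]).
    "from [192.0.2.10] (localhost [127.0.0.1]) by mail.example.net; Wed, 27 May 2009 23:00:02 +0200",
    # Unrelated upstream hop: a different address, so not the sender's own.
    "from mx.example.org (mx.example.org [198.51.100.5]) by mail.example.net; Wed, 27 May 2009 23:00:03 +0200",
]


def demo() -> List[str]:
    """Run the check over the constructed headers and show which ones trip it."""
    hits = flagged_headers(SAMPLE_RECEIVED, SENDER_IP)
    for value in SAMPLE_RECEIVED:
        status = "FLAG" if value in hits else "ok  "
        print(f"{status} {value[:60]}")
    return hits


if __name__ == "__main__":
    demo()
```

Only the first sample trips the check; the two shapes Mark wants to exclude and the unrelated hop pass. Given the legitimate cases B. Johannessen points out and the two false positives Mark already saw, the result is better used as one scoring signal alongside other checks than as a hard reject.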
