On Wed, 27 May 2009, B. Johannessen wrote:

| Mark Little wrote:
| > Recently I have seen an influx of SPAM including a fake Received: from
| > header (not something new), but what is strange is the IP included is the
| > host's actual IP address and not a fake one.
| > (Examples below)
| >
| > So I have been trying to work out how to add an ACL to be able to scan for
| > this - because as far as I am concerned I should never be receiving an
| > email from an IP address that includes "Received: from [<same IP>]".
|
| Don't! There are legitimate reasons for such headers.

We've had a signature like this running for a year or two. Specifically, if a mail arrives with an existing Received: header claiming something already received it from the IP that connected to us ($sender_host_address). There's a few places whitelisted for doing this legitimately. Originally this caught quite a lot of spam, but looking now, the pattern isn't hugely common.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
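
The check discussed in this thread, sketched in Python as an added illustration (not the poster's Exim configuration and not code from the list): it flags a message whose existing Received: header claims receipt from the address now connecting, and skips allowlisted senders. The function names, sample headers, and allowlist entries are constructed for the example.

```python
import email
import ipaddress
import re

# Bracketed address literal such as [192.0.2.10] or [IPv6:2001:db8::1].
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.I)

def parse_ip(text):
    """Return an ip_address object, or None if text is not a valid address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def claims_prior_receipt(raw_headers, connecting_ip, allow_nets=()):
    """True if a Received: header already present in the message says some
    host received it from the address that is connecting to us now."""
    peer = ipaddress.ip_address(connecting_ip)
    # Hosts known to add such headers legitimately are never flagged.
    if any(peer in ipaddress.ip_network(net) for net in allow_nets):
        return False
    msg = email.message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        unfolded = " ".join(str(value).split())  # undo header folding
        # Only the "from ..." clause counts; ignore literals in "by ...".
        clause = re.split(r"\sby\s", unfolded, maxsplit=1, flags=re.I)[0]
        if not clause.lower().startswith("from"):
            continue
        # Compare parsed addresses so differing IPv6 spellings still match.
        if any(parse_ip(lit) == peer for lit in BRACKETED.findall(clause)):
            return True
    return False

# Constructed sample headers (documentation address ranges only).
SPOOFED = ("Received: from [203.0.113.25] by mx.recipient.example with SMTP;\n"
           "\tWed, 27 May 2009 10:00:00 +0000\n"
           "From: a@example.net\nSubject: test\n\n")
RELAYED = ("Received: from [198.51.100.7] by relay.example with ESMTP;\n"
           "\tWed, 27 May 2009 10:00:00 +0000\n"
           "From: b@example.net\nSubject: test\n\n")
SPOOFED6 = ("Received: from host.example ([IPv6:2001:DB8::1])\n"
            "\tby mx.recipient.example; Wed, 27 May 2009 10:00:00 +0000\n\n")

if __name__ == "__main__":
    print(claims_prior_receipt(SPOOFED, "203.0.113.25"))
    print(claims_prior_receipt(SPOOFED, "203.0.113.25", ["203.0.113.0/24"]))
```

Given the legitimate cases raised in the thread, the result is better used as one scoring input or paired with an allowlist than as an outright reject.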
