Hi,

I've noticed one bad thing with the IP which mimedefang reports
as infected.

If the mail goes through several relays, it reports the last relay as being
infected, and obviously, it's not this IP which is infected but the
sender.

For example :

Received: from smtp11.aaa.com.sg (smtp11.aaa.com.sg [xxx.21.6.21])
        by yyy.xxx.net (MIMEDefang) with ESMTP id i4C7xIA1022689
        for <[EMAIL PROTECTED]>; Wed, 12 May 2004 09:59:22 +0200 (CEST)
Received: from ovscan11.singnet.com.sg (ovscan11.singnet.com.sg [xxx.21.101.101])
          by smtp11.singnet.com.sg (8.12.11/8.12.11)
          with ESMTP id i4C7nTbJ028288;        Wed, 12 May 2004 15:49:39 +0800
Received: from smtp23.aaa.com.sg (smtp23.singnet.com.sg [xxx.21.101.203])
          by ovscan11.aaa.com.sg (8.12.11/8.12.11)
          with ESMTP id i4C7nL9p002183;      Wed, 12 May 2004 15:49:21 +0800
Received: from xtelap (qtns02923.aaa.com.sg [xxx.21.167.33])
          by smtp23.aaa.com.sg (8.12.11/8.12.11)
          with SMTP id i4C7mjJO031966; Wed, 12 May 2004 15:48:46 +0800
Date: Wed, 12 May 2004 15:48:45 +0800
Message-Id: <[EMAIL PROTECTED]>
FROM: "MS Program Security Center" <[EMAIL PROTECTED]>
TO: "Customer" <[EMAIL PROTECTED]>
SUBJECT: Internet Patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ukniuljvzoxhxvpp"
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Virus-Scanned-By: yyy.xxx.net, using SOPHIE & CLAMD
X-Virus-Flag: Yes
X-Virus-Info: xxx.21.6.21 is infected by Worm.Gibe.F
X-Virus-Debg: code=1 category=virus action=quarantine
X-Scanned-By: MIMEDefang 2.42

Mimedefang report in syslog :
May 12 09:59:22 yyy mimedefang.pl[30173]: 
MDLOG,i4C7xIA1022689,virus,Worm.Gibe.F,xxx.21.6.21,<[EMAIL PROTECTED]>,<[EMAIL 
PROTECTED]>,Internet Patch

So it thinks xxx.21.6.21 is the infected computer but in reality it's xxx.21.167.33,
just because the mail has gone through several relays.

It's even more problematic when you use fetchmail to pop mail to sendmail :

Received: from localhost (localhost [127.0.0.1])
        by localhost (MIMEDefang) with ESMTP id i4BIBQuj003232
        for <[EMAIL PROTECTED]>; Tue, 11 May 2004 20:11:26 +0200 (CEST)
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from bbb.bbb.net [xxx.4.16.71]  by localhost with POP3 (fetchmail-6.2.5)
          for [EMAIL PROTECTED] (single-drop); Tue, 11 May 2004 20:11:26 +0200 (CEST)
Received: from eee.com (Appp-102-1-1-165.wxxx-253.abo.ccc.fr [xxx.253.242.165])
          by bbb.bbb.net (Postfix) with SMTP id 3BCAB18259C
          for <[EMAIL PROTECTED]>; Tue, 11 May 2004 20:06:35 +0200 (CEST)
Date: Tue, 11 May 2004 20:06:41 +0100
To: "userc" <[EMAIL PROTECTED]>
From: "userd" <[EMAIL PROTECTED]>
Subject: Fax Message Received
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;        boundary="--------vjsehghxjteodipdwoey"
X-Virus-Scanned-By: yyy.xxx.net, using SOPHIE & CLAMD
X-Virus-Flag: Yes
X-Virus-Info: 127.0.0.1 is infected by W32/Bagle-AA
X-Virus-Debg: code=1 category=virus action=quarantine
X-Scanned-By: MIMEDefang 2.42

Mimedefang thinks it's 127.0.0.1 which is infected... but in fact it's 
xxx.253.242.165...

Maybe mimedefang should take care of these Received lines?

Any pros and cons?

Thanks

Jerome

PS : emails and IP obfuscated to preserve privacy.
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
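As an added example, not part of Jerome's message and not MIMEDefang's own code: a Python walk over the Received: chain that reports the first hop outside a configurable set of trusted relays instead of the relay that connected to the scanner. All host names, addresses and queue ids are constructed (RFC 5737 documentation ranges replace the obfuscated ones), and the trusted networks are assumptions. It also makes the caveat visible: every Received: header below the last relay you operate was written by someone else and can be forged by the sender, so which relays you list as trusted decides whether the walk stops at the foreign relay (what mimedefang reports today) or reaches the dial-up host.

```python
"""Walk a message's Received: chain to find the origin host of a flagged mail.

A milter only sees the IP that connected to it, i.e. the last relay. The
originating host sits further down the chain, but headers below the last
relay we trust can be forged, so the walk stops at the first hop that is
not in the trusted set and reports that address.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

# Client IP in "Received: from host (helo [ip])" or "from host [ip]" clauses.
# Non-greedy, so it takes the first bracketed address after "from".
_CLIENT_IP_RE = re.compile(r"^from\s+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.IGNORECASE)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 2822 continuation lines so each header is one string."""
    headers: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers


def received_client_ips(raw: str) -> List[Optional[str]]:
    """Client IP of each Received: header, most recent first; None if absent."""
    ips: List[Optional[str]] = []
    for h in unfold_headers(raw):
        name, _, value = h.partition(":")
        if name.strip().lower() != "received":
            continue
        m = _CLIENT_IP_RE.match(value.strip())
        ips.append(m.group(1) if m else None)
    return ips


def origin_ip(raw: str, trusted: Iterable[str]) -> Optional[str]:
    """First client IP in the chain that is not one of our trusted relays.

    Returns None if the chain never leaves trusted hosts (local submission).
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    for ip in received_client_ips(raw):
        if ip is None:
            continue  # e.g. "Received: by host (Postfix, from userid 1000)"
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return ip  # malformed address: untrusted by definition, report as-is
        if not any(addr in net for net in nets):
            return ip
    return None


# Hypothetical: loopback plus our own MX pool. Everything else is foreign.
OWN_RELAYS = ["127.0.0.0/8", "203.0.113.0/24"]

# Constructed sample shaped like the post's first chain (relay -> relay -> dial-up).
RELAYED = """\
Received: from smtp11.example.sg (smtp11.example.sg [198.51.100.21])
        by mx.example.net (MIMEDefang) with ESMTP id AAAA0001
        for <user@example.net>; Wed, 12 May 2004 09:59:22 +0200 (CEST)
Received: from ovscan11.example.sg (ovscan11.example.sg [198.51.100.101])
          by smtp11.example.sg (8.12.11/8.12.11)
          with ESMTP id AAAA0002; Wed, 12 May 2004 15:49:39 +0800
Received: from xtelap (dialup-33.example.sg [192.0.2.33])
          by ovscan11.example.sg (8.12.11/8.12.11)
          with SMTP id AAAA0003; Wed, 12 May 2004 15:48:46 +0800
Subject: Internet Patch
"""

# Constructed sample shaped like the post's fetchmail chain (localhost -> POP -> sender).
FETCHED = """\
Received: from localhost (localhost [127.0.0.1])
        by localhost (MIMEDefang) with ESMTP id BBBB0001
        for <user@example.net>; Tue, 11 May 2004 20:11:26 +0200 (CEST)
Received: from pop.example.org [198.51.100.71]  by localhost with POP3 (fetchmail-6.2.5)
          for user@example.net (single-drop); Tue, 11 May 2004 20:11:26 +0200 (CEST)
Received: from eee.example (dsl-165.example.fr [192.0.2.165])
          by pop.example.org (Postfix) with SMTP id BBBB0002
          for <user@example.net>; Tue, 11 May 2004 20:06:35 +0200 (CEST)
Subject: Fax Message Received
"""

if __name__ == "__main__":
    print("relayed, own relays only:", origin_ip(RELAYED, OWN_RELAYS))
    print("relayed, also trust example.sg:", origin_ip(RELAYED, OWN_RELAYS + ["198.51.100.0/24"]))
    print("fetched, own relays only:", origin_ip(FETCHED, OWN_RELAYS))
    print("fetched, also trust POP server:", origin_ip(FETCHED, OWN_RELAYS + ["198.51.100.71/32"]))
```

With only your own relays trusted, the relayed sample still yields the foreign relay's address, which is exactly what the X-Virus-Info line shows; the dial-up host only appears once the intermediate relays are added to the trusted set. For the fetchmail case the fix is cheaper: loopback and the POP server are both yours or your provider's, so trusting those two is enough to name the real sender. Either way, the reported address is only as honest as the least trustworthy relay above it in the chain.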