> -----Original Message-----
> From: Joseph Brennan
>
> The lower Received header is faked. columbia.edu resolves to
> external-smtp-multi-vif.cc.columbia.edu, but that's a virtual
> interface, not a host.
> > Received: from [212.251.108.145] (port=40748
> > helo=ppp25-145.adsl.forthnet.gr)
> > by external-smtp-multi-vif.cc.columbia.edu with esmtp
> > id 515070-515070-81 for [EMAIL PROTECTED];
> > Tue, 28 Nov 2006 10:51:44 +0200 (EET)

I've been seeing these as well. After a couple of false starts with false positives, here are the rules that seem to be working:

header __ECC_FORGED_SMTPGATE3_RCVD1 Received =~ /(?<!via\ssmtpd\s\(for\s)smtpgate3\.elgin\.edu\s(?!\(MIMEDefang\)\swith\sESMTP)/
header __ECC_FORGED_SMTPGATE3_RCVD2 Received =~ /by\ssmtpgate3\.elgin\.edu\swith\sesmtp/
meta ECC_FORGED_SMTPGATE3_RCVD __ECC_FORGED_SMTPGATE3_RCVD1 || __ECC_FORGED_SMTPGATE3_RCVD2

smtpgate3.elgin.edu is my MX host. According to what you posted, they must be using the rdns to generate the header. So you may need multiple rules if you have different rdns on multiple interfaces.

The RCVD2 rule catches this exact variation. The RCVD1 rule catches any mention of my host name in a Received header except if preceded by "via smtpd (for " as generated by MS smtpd or followed by "(MIMEDefang) with ESMTP" as generated by MD.
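Added example, not part of the original message or the poster's configuration: a small Python harness that applies the same two patterns to Received headers so a rule set can be checked for false positives before it is deployed. It goes beyond the post by building the patterns for a list of host names (the "multiple interfaces" case); the sample headers, `mx-b.example.org` and the function names are constructed for illustration.

```python
import re

def build_rules(mx_host):
    """Compile the two sub-rules from the post for one MX host name."""
    host = re.escape(mx_host)
    # RCVD1: the host name followed by whitespace anywhere in a Received
    # header, unless preceded by "via smtpd (for " or followed by
    # "(MIMEDefang) with ESMTP".
    rcvd1 = re.compile(r"(?<!via\ssmtpd\s\(for\s)" + host
                       + r"\s(?!\(MIMEDefang\)\swith\sESMTP)")
    # RCVD2: the exact forged variation, with lower-case "esmtp".
    rcvd2 = re.compile(r"by\s" + host + r"\swith\sesmtp")
    return rcvd1, rcvd2

def is_forged(received_headers, mx_hosts):
    """True if any header trips RCVD1 || RCVD2 for any listed host name."""
    for host in mx_hosts:
        rcvd1, rcvd2 = build_rules(host)
        for hdr in received_headers:
            if rcvd1.search(hdr) or rcvd2.search(hdr):
                return True
    return False

# Constructed sample headers (documentation addresses, unfolded to one line).
FORGED = ("from [192.0.2.45] (port=40748 helo=ppp.example.net) "
          "by smtpgate3.elgin.edu with esmtp id 1-1-1 for <user@example.org>; "
          "Tue, 28 Nov 2006 10:51:44 +0200 (EET)")
VIA_MD = ("from mail.example.net (mail.example.net [198.51.100.7]) "
          "by smtpgate3.elgin.edu (MIMEDefang) with ESMTP id kAS8pi01; "
          "Tue, 28 Nov 2006 02:51:44 -0600")
VIA_SMTPD = ("from mail.example.net ([198.51.100.7]) by relay.example.org "
             "via smtpd (for smtpgate3.elgin.edu [203.0.113.9]) with ESMTP; "
             "Tue, 28 Nov 2006 02:51:40 -0600")
FORGED_OTHER_IF = ("from [192.0.2.46] (port=40749 helo=ppp.example.net) "
                   "by mx-b.example.org with esmtp id 2-2-2; "
                   "Tue, 28 Nov 2006 10:52:01 +0200 (EET)")

if __name__ == "__main__":
    hosts = ["smtpgate3.elgin.edu", "mx-b.example.org"]
    for name, hdr in [("forged", FORGED), ("MIMEDefang", VIA_MD),
                      ("MS smtpd", VIA_SMTPD), ("other rdns", FORGED_OTHER_IF)]:
        print(f"{name:12s} -> {'HIT' if is_forged([hdr], hosts) else 'clean'}")
```

The patterns are case-sensitive, as SpamAssassin header rules are without a /i modifier, so a genuine header from the MX that reads "with ESMTP" but lacks the "(MIMEDefang)" marker would still trip RCVD1.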

