> However, I'm having a problem with Declude triggering on reporting emails
> that are generated directly ON the gateway itself:

That's because the gateway is running an MTA that adds very poor Received:
headers.

> - Declude parses IP Address 0.0.0.0
> - Declude parses HELO string of userid
> Here are the headers that Postfix generates for email that originates from
> that machine:
>
> Received: from mail.dollardays.com [67.132.45.18] by
>     mail.webhost.hm-software.com with ESMTP
>     (SMTPD32-8.14) id A4F0800114; Sat, 08 Jan 2005 04:16:32 -0500

That one is fine. Since you are IPBYPASSing 67.132.45.18, Declude JunkMail
skips over that line.

> Received: by mail.dollardays.com (Postfix)
>     id BD39835A9D2; Sat, 8 Jan 2005 04:16:24 -0500 (EST)

This one is a very poor Received: header. It contains almost no useful
information (since it is your server, you already know its name, and the
time *could* be useful, but only if the server uses NTP).

> Received: by mail.dollardays.com (Postfix, from userid 0)
>     id A8FC335A9CE; Sat, 8 Jan 2005 04:16:24 -0500 (EST)

This, too, is a very poor Received: header. It, too, contains almost no
useful information.

> As you can see, it
> a) has no FROM field in the received header - that's what's causing the
> 0.0.0.0 being reported as the IP address

Correct.

> b) it is picking up userid from inside an SMTP header comment - the string
> is included inside parentheses, thus should NOT be interpreted by Declude.

Correct.

However, given how many poor (one step above very poor) mailservers
there are out there, we have to check inside SMTP comments. There are
mailservers out there that include the IP (and probably 'from') in SMTP
comments.
-Scott
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
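
The two parsing behaviours discussed in the message above, as an added Python sketch that is not part of the original message and is not Declude's code. It runs the three quoted Received: headers through a parser that either scans or strips parenthesised comments; the function names and the simplified comment handling (no backslash escapes) are assumptions made for illustration.

```python
import re

# Sample input: the three Received: header values quoted in the message,
# unfolded onto single logical lines.
HEADERS = [
    "from mail.dollardays.com [67.132.45.18] by mail.webhost.hm-software.com "
    "with ESMTP (SMTPD32-8.14) id A4F0800114; Sat, 08 Jan 2005 04:16:32 -0500",
    "by mail.dollardays.com (Postfix) id BD39835A9D2; "
    "Sat, 8 Jan 2005 04:16:24 -0500 (EST)",
    "by mail.dollardays.com (Postfix, from userid 0) id A8FC335A9CE; "
    "Sat, 8 Jan 2005 04:16:24 -0500 (EST)",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM = re.compile(r"\bfrom\s+(\S+)", re.I)

def strip_comments(value):
    """Remove header comments, i.e. (possibly nested) parenthesised text."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def parse_received(value, scan_comments):
    """Return (helo, ip) for the sending hop; ip is '0.0.0.0' if none found."""
    text = value if scan_comments else strip_comments(value)
    text = text.split(";", 1)[0]  # drop the timestamp after the semicolon
    helo = FROM.search(text)
    ip = IPV4.search(text)
    return (helo.group(1) if helo else None, ip.group(1) if ip else "0.0.0.0")

def classify(value):
    """Label a hop 'local-submission' when no from clause exists outside comments."""
    helo, _ = parse_received(value, scan_comments=False)
    return "local-submission" if helo is None else "network-hop"

if __name__ == "__main__":
    for h in HEADERS:
        print(classify(h), parse_received(h, True), parse_received(h, False))
```

With comment scanning on, the third header yields a HELO of `userid` and an IP of 0.0.0.0, matching what the poster reported; stripping comments leaves no from clause at all, which is what identifies the hop as locally generated.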