-----Original Message-----
From: Dan Bullock [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: Re: Custom Rule Help

James Nelson wrote:

>I wonder if it might not be more effective to check the received from header
>for paypal.com instead of the message-id. My thought there is, although
>this rule holds true for paypal, it does not for ebay. Whereas matching
>the domain in both the from and received from fields you should always have
>the valid smtp address for the domain.
>
>Basically, SA's version of emailler ID. Which can be incorporated into any
>domain.
>
>Would be nice if you could make variables to discover the from domain and
>pass that to a check to received from line, would make one rule universal
>for all domains. Then you could assign a couple of pts for domain spoofing.
>
>james
>
>

And the message-id can be faked, correct? I guess the only sure way is to perform a reverse lookup on the IP in the header and look at that domain name. ??

Dan

That's exactly what I am saying. By looking at the received from line instead of the message id, you already get the inaddr.arpa address, so check for the From domain there and you have yourself a domain spoofer check.

james
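The check discussed in this thread, sketched as an added example in Python (not code from the thread or from SpamAssassin): it takes the From: domain and compares it with the reverse-DNS name in the Received line. It assumes the topmost Received header is the one written by your own MTA in the "from HELO (rdns [ip])" form; the function names, host names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "from HELO (rdns [ip])": the name in parentheses is the reverse-DNS result
# written by the receiving MTA, unlike the HELO name, which the sender chooses.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((?:(\S+)\s+)?\[[0-9a-fA-F.:]+\]\)")

def from_domain(msg):
    """Lower-cased domain of the From: address, or None if there is none."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def relay_rdns(msg):
    """rDNS name in the topmost Received header (assumed to be the one our own
    MTA added). Lower headers are sender-controlled and are ignored."""
    received = msg.get_all("Received", [])
    m = RECEIVED_RE.search(" ".join(received[0].split())) if received else None
    name = m.group(1) if m else None
    return None if name in (None, "unknown") else name.lower().rstrip(".")

def domain_mismatch(msg):
    """True when the relay's rDNS name is neither the From: domain nor a host
    under it. A relay with no rDNS name counts as a mismatch."""
    dom, rdns = from_domain(msg), relay_rdns(msg)
    if dom is None:
        return False  # nothing to compare against
    return rdns is None or not (rdns == dom or rdns.endswith("." + dom))

# Constructed sample messages (documentation IPs, made-up host names).
SPOOFED = message_from_string(
    "Received: from paypal.com (dsl-7.example.net [203.0.113.7])"
    " by mx.example.org; Wed, 3 Mar 2004 09:00:00 -0500\n"
    "Received: from mail.paypal.com (mail.paypal.com [192.0.2.1])"
    " by relay.example.net\n"  # forged lower hop, must not be trusted
    "From: PayPal <service@paypal.com>\n"
    "Message-ID: <1234@paypal.com>\n\nbody\n")
LEGIT = message_from_string(
    "Received: from out1.paypal.com (out1.paypal.com [192.0.2.25])"
    " by mx.example.org; Wed, 3 Mar 2004 09:05:00 -0500\n"
    "From: PayPal <service@paypal.com>\n\nbody\n")

if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, from_domain(msg), relay_rdns(msg), domain_mismatch(msg))
```

Legitimate mail sent through a third-party relay also produces a mismatch, which fits the thread's suggestion of assigning a couple of points rather than rejecting outright.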
