Hallo!
Equally applicable to viruses and spam:
I am seeing bogus received headers like the following. We are 'hwcn.org',
of course, but the domain inside the parentheses is not hwcn.org related.
I believe this means they have tried to 'HELO' as hwcn.org, but RDNS found
their real domain name?
Received: from hwcn.org (h24-81-114-183.vc.shawcable.net [24.81.114.183])
by host.hwcn.org (Postfix) with ESMTP id CCACE48233
for <[EMAIL PROTECTED]>; Thu, 25 Mar 2004 04:14:58 -0500 (EST)
Would a test like the following work okay?
header FAKHELO Received =~ /hwcn\.org \(.*\[(?!199\.212\.94\.[0-9]+).*\]\)/i
(where 199.212.94.? is our class C for the negative look-ahead)
Or would I get false positives on this from badly configured mail
clients? I can see not doing it the other way around. But particularly
with the latest batch of viruses, this is a combination I wouldn't mind
'zapping'.....
- Charles
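The check Charles describes, written out as a small Python script so the two halves of it can be exercised side by side: a parsed test that splits the Postfix Received line into HELO name, reverse DNS and client address and compares the address against the site's netblock, and the post's regex with its escaping corrected. This is an added example, not code from the post or from SpamAssassin. It takes hwcn.org and 199.212.94.0/24 from the post; the sample headers are constructed (the first reproduces the quoted header with a placeholder recipient, the others are made up).

```python
import ipaddress
import re

# Values from the post: the site's mail domain and the class C its legitimate hosts use.
OUR_DOMAIN = "hwcn.org"
OUR_NETS = [ipaddress.ip_network("199.212.94.0/24")]

# Postfix writes "from <helo-name> (<reverse-dns> [<ip>]) by <host> ...".
# The rDNS field reads "unknown" when the lookup fails; IPv6 clients carry an "IPv6:" prefix.
RECEIVED_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# The post's rule body with the square brackets and dot escaped; Perl and Python agree on this syntax.
SA_RULE_RE = re.compile(r"hwcn\.org \(.*\[(?!199\.212\.94\.[0-9]+).*\]\)", re.IGNORECASE)


def parse_received(header):
    """Unfold one Received header and split out HELO name, reverse DNS, client IP and receiving host."""
    unfolded = " ".join(header.split())  # collapse RFC 2822 folding whitespace
    m = RECEIVED_RE.match(unfolded)
    if not m:
        return None
    fields = m.groupdict()
    if fields["ip"].upper().startswith("IPV6:"):
        fields["ip"] = fields["ip"][5:]
    return fields


def is_forged_helo(header):
    """True when the client announced itself as our domain but connected from outside our netblock."""
    fields = parse_received(header)
    if fields is None:
        return False
    helo = fields["helo"].lower().rstrip(".")
    claims_us = helo == OUR_DOMAIN or helo.endswith("." + OUR_DOMAIN)
    if not claims_us:
        return False
    try:
        ip = ipaddress.ip_address(fields["ip"])
    except ValueError:
        return True  # claims our name but the bracketed field is not an address: treat as suspicious
    return not any(ip in net for net in OUR_NETS)


def sa_rule_matches(header):
    """Apply the corrected SpamAssassin-style regex from the post to one unfolded header."""
    return SA_RULE_RE.search(" ".join(header.split())) is not None


# Constructed sample headers. FORGED reproduces the header quoted in the post (recipient replaced).
FORGED = ("Received: from hwcn.org (h24-81-114-183.vc.shawcable.net [24.81.114.183])\n"
          "\tby host.hwcn.org (Postfix) with ESMTP id CCACE48233\n"
          "\tfor <user@example.org>; Thu, 25 Mar 2004 04:14:58 -0500 (EST)")
INTERNAL = ("Received: from mail.hwcn.org (mail.hwcn.org [199.212.94.10])\n"
            "\tby host.hwcn.org (Postfix) with ESMTP id 0123456789")
NO_RDNS = ("Received: from hwcn.org (unknown [198.51.100.7])\n"
           "\tby host.hwcn.org (Postfix) with ESMTP id 0123456789")
UNRELATED = ("Received: from mx.example.net (mx.example.net [192.0.2.5])\n"
             "\tby host.hwcn.org (Postfix) with ESMTP id 0123456789")

if __name__ == "__main__":
    samples = [("forged", FORGED), ("internal", INTERNAL), ("no-rdns", NO_RDNS), ("unrelated", UNRELATED)]
    for name, hdr in samples:
        print(f"{name:9s} parsed_check={is_forged_helo(hdr)!s:5s} sa_rule={sa_rule_matches(hdr)}")
```

The parsed check anchors on `^from`, so the `by host.hwcn.org (Postfix)` clause later in the same header can never satisfy it; the bare regex has no such anchor and would match that clause if a `[` happened to follow it. The `unknown` case shows both tests still fire when Postfix could not resolve the client at all, and the `mail.hwcn.org` case shows a legitimate internal relay passing.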