On Fri, 20 Jun 2008, mouss wrote:
> John Hardin wrote:
>> On Thu, 2008-06-19 at 20:54 -0700, John Hardin wrote:
>>> header XX Received =~ /from \S+\.svcolo\.com \(\S+ \[10\.\d\.\d\.\d\]\)
>>> by arran\.svcolo\.com \(/
>>> score XX -5
>> Oops. Need some plusses in there...
>> /from \S+\.svcolo\.com \(\S+ \[10\.\d+\.\d+\.\d+\]\) by arran\.svcolo\.com \(/
> What happens if such header was forged?
Then the message gets -5 points added to its score.
How likely is it that a header forged with that particular data is going to
be sent in a message to that particular SA host?
If that's a concern then add a rule to verify that the SA host received
the message from the relay, use a meta to AND them, and score the meta
rule at -5.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Efficiency can magnify good, but it magnifies evil just as well.
So, we should not be surprised to find that modern electronic
communication magnifies stupidity as *efficiently* as it magnifies
intelligence. -- Robert A. Matern
-----------------------------------------------------------------------
14 days until the 232nd anniversary of the Declaration of Independence
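The two-rule-plus-meta check John describes above (one rule for the internal relay hop, one rule confirming the SA host itself received the message from that relay, ANDed in a meta scored at -5), as an added example that is not part of the original thread. It is written in Python so the forged case can be run directly; the equivalent SpamAssassin rules are given in a comment. Assumptions: the SpamAssassin host is named spamd.svcolo.com, the rule names are made up, and both sample messages (hostnames, IPs, queue ids) are constructed for the example.

```python
import email
import re

# Added example (not from the thread). Assumption: the SpamAssassin host is
# spamd.svcolo.com and the inbound relay is arran.svcolo.com.
SA_HOST = "spamd.svcolo.com"

# Rule 1, the rule from the thread with its literal parentheses escaped:
# some internal 10.x.x.x svcolo host handed the message to arran.
INTERNAL_RELAY_RE = re.compile(
    r"from \S+\.svcolo\.com \(\S+ \[10\.\d+\.\d+\.\d+\]\) by arran\.svcolo\.com \("
)

# Rule 2, the verification: the topmost Received header, which only the SA
# host's own MTA can write, says the message arrived from arran.
FROM_RELAY_RE = re.compile(
    r"^from arran\.svcolo\.com \(\S+ \[[\d.]+\]\) by " + re.escape(SA_HOST) + r" \("
)

# Equivalent SpamAssassin rules (rule names assumed; '__' subrules carry no
# score of their own, so only the meta contributes; SA joins all Received
# headers with newlines, so '^' without /m anchors on the first one):
#   header __SVCOLO_INTERNAL_RELAY Received =~ /from \S+\.svcolo\.com \(\S+ \[10\.\d+\.\d+\.\d+\]\) by arran\.svcolo\.com \(/
#   header __SVCOLO_FROM_RELAY     Received =~ /^from arran\.svcolo\.com \(\S+ \[[\d.]+\]\) by spamd\.svcolo\.com \(/
#   meta   SVCOLO_INTERNAL         (__SVCOLO_INTERNAL_RELAY && __SVCOLO_FROM_RELAY)
#   score  SVCOLO_INTERNAL         -5

def received_headers(raw_message):
    """Return the Received headers, topmost first, with header folding collapsed."""
    msg = email.message_from_string(raw_message)
    return [re.sub(r"\s+", " ", v).strip() for v in msg.get_all("Received", [])]

def internal_relay_seen(received):
    """Rule 1 alone: true if *any* Received line claims the internal hop."""
    return any(INTERNAL_RELAY_RE.search(h) for h in received)

def sa_host_got_it_from_relay(received):
    """Rule 2: the first Received line was written by the SA host and names arran."""
    return bool(received) and FROM_RELAY_RE.match(received[0]) is not None

def internal_score(raw_message):
    """The meta rule: -5 only when both rules fire, otherwise 0."""
    received = received_headers(raw_message)
    if internal_relay_seen(received) and sa_host_got_it_from_relay(received):
        return -5.0
    return 0.0

# Constructed sample: a genuine internal message, web1 -> arran -> spamd.
LEGIT_MSG = """\
Received: from arran.svcolo.com (arran.svcolo.com [192.0.2.10])
\tby spamd.svcolo.com (Postfix) with ESMTP id 1A2B3C
\tfor <user@svcolo.com>; Fri, 20 Jun 2008 10:00:00 -0700 (PDT)
Received: from web1.svcolo.com (web1 [10.1.2.3])
\tby arran.svcolo.com (Postfix) with ESMTP id 4D5E6F;
\tFri, 20 Jun 2008 09:59:59 -0700 (PDT)
From: cron@svcolo.com
To: user@svcolo.com
Subject: nightly report

all green
"""

# Constructed sample: an outside sender pasted the same internal-looking
# Received line into the message it submitted; the SA host's own header
# shows the message actually arrived from 203.0.113.5.
FORGED_MSG = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby spamd.svcolo.com (Postfix) with ESMTP id 7A8B9C
\tfor <user@svcolo.com>; Fri, 20 Jun 2008 10:05:00 -0700 (PDT)
Received: from web1.svcolo.com (web1 [10.1.2.3])
\tby arran.svcolo.com (Postfix) with ESMTP id DEADBEEF;
\tFri, 20 Jun 2008 10:04:00 -0700 (PDT)
From: cron@svcolo.com
To: user@svcolo.com
Subject: nightly report

click here
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("forged", FORGED_MSG)):
        rx = received_headers(raw)
        print(name, "rule 1 alone:", internal_relay_seen(rx),
              "meta score:", internal_score(raw))
```

Rule 1 alone fires on both messages, because the forged one carries a copy of the internal-looking hop; the meta only awards the -5 to the genuine message, since the forged message's topmost Received line (the one the SA host wrote itself) names mail.example.net rather than arran. The order of the two checks is what matters: a sender can prepend any Received lines it likes to its own submission, but it cannot write the line the receiving MTA adds on top.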