Re: [SAtalk] Fake IPs

2002-06-02 Thread Craig R Hughes
Matt Thoene wrote:

MT> Saturday, June 1, 2002, 9:21:37 PM, Bart Schaefer wrote:
MT> > header FAKE_IP_RCVD Received =~ /\[0|(?:\d{1,3}\.){0,3}(?:2(?:5[6-9]|[6-9]\d)|[3-9]\d\d)[.\d]*\]/
MT> > describe FAKE_IP_RCVD Received via an impossible IP address

MT> Shouldn't there be a score line in

Re: [SAtalk] Fake IPs

2002-06-02 Thread LuKreme
On Saturday, June 1, 2002, at 08:38 PM, Theo Van Dinter wrote:
> On Sat, Jun 01, 2002 at 09:10:24PM -0400, Patrice Fournier wrote:
>> Would any of you have a rule to catch fake IPs in received: header lines?
>> Something to catch received lines like the following:
>
> I catch the bad IPs in procm

Re: [SAtalk] Fake IPs

2002-06-01 Thread Bart Schaefer
On Sat, 1 Jun 2002, Matt Thoene wrote:
> Shouldn't there be a score line in there somewhere?

It would need a score, but I didn't want to guess at one.

Re: [SAtalk] Fake IPs

2002-06-01 Thread Matt Thoene
Hello Bart,

Saturday, June 1, 2002, 9:21:37 PM, Bart Schaefer wrote:
> header FAKE_IP_RCVD Received =~
>/\[0|(?:\d{1,3}\.){0,3}(?:2(?:5[6-9]|[6-9]\d)|[3-9]\d\d)[.\d]*\]/
> describe FAKE_IP_RCVD Received via an impossible IP address
> test FAKE_IP_RCVD ok[0.1.2.3]
> test FAKE_IP_RCVD

Re: [SAtalk] Fake IPs

2002-06-01 Thread Bart Schaefer
On Sat, 1 Jun 2002, Theo Van Dinter wrote:
> * ^Received:.*\[\/(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9])\..+
>
> This could be turned into a SA rule very easily...

Like this?

header FAKE_IP_RCVD Received =~ /\[0|(?:\d{1,3}\.){0,3}(?:2(?:5[6-9]|[6-9]\d)|[3-9]\d\d)[.\d]*\]/
describe FAKE_IP_RCV
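The following is an added example, not part of any poster's message: it runs the FAKE_IP_RCVD pattern posted above over Received values next to a numeric octet check, to show where the two agree and where the unanchored pattern fires on non-IPv4 bracket content. The function names are hypothetical, and every sample except the first (taken from the original question) is constructed.

```python
import re

# The pattern exactly as posted in the thread (Perl syntax, also valid in Python's re).
FAKE_IP_RCVD = re.compile(
    r"\[0|(?:\d{1,3}\.){0,3}(?:2(?:5[6-9]|[6-9]\d)|[3-9]\d\d)[.\d]*\]"
)

# Bracketed dotted-quad candidates inside a Received header value.
BRACKETED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def impossible_ips(received):
    """Return bracketed IPv4 literals with an octet above 255 or a first octet of 0."""
    bad = []
    for ip in BRACKETED.findall(received):
        octets = [int(o) for o in ip.split(".")]
        if octets[0] == 0 or any(o > 255 for o in octets):
            bad.append(ip)
    return bad


def compare(received):
    """Return (regex verdict, numeric verdict) for one Received header value."""
    return bool(FAKE_IP_RCVD.search(received)), bool(impossible_ips(received))


# First value is the header from the original question; the rest are constructed.
SAMPLES = {
    "question": "from mail.ihsjm.net (host.hdbix.net [865.874.994.859]) "
                "by pcok.msfffark_er.nu (8.7.3/6.7.3) with SMTP id CFF89341",
    "valid": "from a.example (a.example [192.0.2.10]) by mx.example with ESMTP",
    "last_octet": "from b.example (b.example [10.1.2.256]) by mx.example with SMTP",
    "zero_net": "from c.example (c.example [0.1.2.3]) by mx.example with SMTP",
    # Not an IPv4 literal: the pattern's second alternative is not tied to
    # the opening bracket, so "400]" alone is enough to match.
    "ipv6_literal": "from d.example ([IPv6:2001:db8::400]) by mx.example with ESMTP",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        regex_hit, numeric_hit = compare(value)
        print(f"{name:13} regex={regex_hit!s:5} numeric={numeric_hit!s:5} "
              f"{impossible_ips(value)}")
```
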

Re: [SAtalk] Fake IPs

2002-06-01 Thread Theo Van Dinter
On Sat, Jun 01, 2002 at 09:10:24PM -0400, Patrice Fournier wrote:
> Would any of you have a rule to catch fake IPs in received: header lines?
> Something to catch received lines like the following:

I catch the bad IPs in procmail if SA didn't already snag it:

# Received lines from IPs that are

[SAtalk] Fake IPs

2002-06-01 Thread Patrice Fournier
Hi,

Would any of you have a rule to catch fake IPs in received: header lines? Something to catch received lines like the following:

Received: from mail.ihsjm.net (host.hdbix.net [865.874.994.859]) by pcok.msfffark_er.nu (8.7.3/6.7.3) with SMTP id CFF89341 for <[EMAIL PROT