Re: [SAtalk] Any ideas????

David B Funk Thu, 18 Sep 2003 00:01:30 -0700

On Thu, 18 Sep 2003, Jeff Funk wrote:

> The header below is from an e-mail that seems to get through sa repeatedly on our 
> Communigate server.  There's no evidence that it's being scanned by sa at all.  Is 
> there something I'm missing here????
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from bandoog.com ([209.83.8.50]) by mail.farin.com with Microsoft 
> SMTPSVC(5.0.2195.5329);
>        Thu, 18 Sep 2003 00:40:43 -0500
> Received: from [218.75.22.22] (HELO 209.83.8.50)
>   by bandoog.com (CommuniGate Pro SMTP 4.1.3)
>   with SMTP id 1325526 for [EMAIL PROTECTED]; Thu, 18 Sep 2003 00:41:08 -0500
> Received: from  [66.254.7.10] by 209.83.8.50 with ESMTP id <247056-92322>; Thu, 18 
> Sep 2003 17:31:45 -0200
> Message-ID: <[EMAIL PROTECTED]>
> From: "Carlos Wilkes" <[EMAIL PROTECTED]>
> Reply-To: "Carlos Wilkes" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Get_Diazepam_-_No_Prescription_Needed_-_chuck
> Date: Thu, 18 Sep 03 17:31:45 GMT
> X-Mailer: Microsoft Outlook Express 5.50.4522.1200
> MIME-Version: 1.0
> Content-Type: multipart/related;
>       type="multipart/alternative";
>       boundary="0.88.2C._5F0"
> X-Priority: 1
> X-MSMail-Priority: High
> Return-Path: [EMAIL PROTECTED]
> X-OriginalArrivalTime: 18 Sep 2003 05:40:43.0603 (UTC) FILETIME=[66E88230:01C37DA7]
>
> --0.88.2C._5F0
> Content-Type: multipart/alternative;
>       boundary="0.88.2C._DD0"
>
[snip..]


That message had a number of image attachments. What was its total size?
Usual SA instllations have a max message size above which they won't
process. (IE if the message is large then it is bypassed).

You could add a MIME unpacker (such as MIMEdefang or mailscanner) to
your message processing system to seperate the message body from the
image attachments and then run just the message body thru SA.

I noticed that the message came from the IP address [218.75.22.22],
that's an open proxy as reported in a number of DSBLs. (10 of my
list hit it). Just add a few DSBLs as blockers to the front-end of
your CG server and not be bothered by that trash at all. ;)

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Any ideas????

Reply via email to