René Berber wrote:
> Jo Rhett wrote:
>> René Berber wrote:
>>> The change I made works on a test from someone that was on vacation and sending
>>> a message (to me) using his ISP account, the header includes a lot of extra text
>>> with the usual dynamic IP stuff and "may be forged" and there was no way it
>>> would be a match by the original line. With my change, there is a match.
>>
>> Can you post the line with the hostnames obscured? I'd like to see it.
>
> It's the same one I posted before:
>
> Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx
>     [189.149.70.163] (may be forged))
>     (authenticated bits=0)
>     by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032
>     for <[EMAIL PROTECTED]>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)
>
> The original test is looking for a pair of closing parentheses ")]" or "])"
> which is not there (not together, but a fixed IP probably has those), or
> something followed by colon and there is no colon at all (the test is done
> starting with "from").

Do you know why the SMTP authenticating server was forging the HELO
name? Normal mail clients will give their IP address, right? And the
"may be forged" only appears if they gave a full name and resolution
succeeded *and* none of the addresses returned matched the helo name.
In short, this may have been a deliberate choice to prevent a match on
hosts with forged helo names. It would make sense.
--
Jo Rhett
Network/Software Engineer
Net Consonance
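
An added example, not part of the thread and not the rule being discussed: a small parser for the sendmail-style Received header quoted above, showing how the HELO name, reverse-DNS name, IP, the "may be forged" note and the authenticated marker sit in the header. The regular expression, the function names and the sample constant are assumptions made for illustration.

```python
import re

# Constructed sample: the header quoted in the thread, unfolded onto one line.
SAMPLE = (
    "from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx "
    "[189.149.70.163] (may be forged)) (authenticated bits=0) "
    "by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032 "
    "for <[EMAIL PROTECTED]>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)"
)

# Hypothetical pattern for the layout shown in the thread:
#   from HELO (RDNS [IP] (may be forged)) (authenticated ...) by HOST ...
RECEIVED_RE = re.compile(
    r"""^from\s+(?P<helo>\S+)\s+
        \(\s*(?:(?P<rdns>[^\s\[\]()]+)\s+)?        # reverse-DNS name, optional
        \[(?P<ip>(?:IPv6:)?[0-9A-Fa-f.:]+)\]       # connecting address
        (?P<forged>\s*\(may\ be\ forged\))?\s*\)   # note inside the same parens
        (?:\s*\((?P<auth>authenticated[^)]*)\))?   # SMTP AUTH marker, optional
        \s+by\s+(?P<by>\S+)""",
    re.VERBOSE,
)


def unfold(value: str) -> str:
    """Collapse header folding (line break plus leading whitespace) to one space."""
    return re.sub(r"\s*\r?\n\s+", " ", value).strip()


def parse_received(value: str):
    """Return the parsed fields as a dict, or None if the layout does not match."""
    m = RECEIVED_RE.match(unfold(value))
    if m is None:
        return None
    fields = m.groupdict()
    fields["forged"] = fields["forged"] is not None
    fields["authenticated"] = fields.pop("auth") is not None
    return fields


if __name__ == "__main__":
    print(parse_received(SAMPLE))
```

With the "(may be forged)" note present, the "]" and ")" that a plain header would have side by side are separated by the note, which is why a test keyed on "])" does not fire on this header.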