IP address of spam/FW-1

Avi Levin avi at CAXTONRVH.COM
Tue May 20 13:58:40 IST 2003


Thanks, Jason.  I had turned off RBL checks in SA, figuring that MailScanner
would do it, and have many more options/lists.  But I'll see how it goes
with SA.  Have you found SA to allow you to decide which RBLs to use (I
haven't looked into it much yet)?
I think the IP address is harder to spoof, since the first hop for a spammer
is frequently legit, and needs to see a valid source IP.  But I suppose
someone could hack their mailer.  Still, although much of the spam I get has
a spoofed sender domain name, the IP address seems to always be accurate,
and a way to track the source.

Thanks again for the tip.
---Avi---

> > -----Original Message-----
> > From: Desai, Jason [mailto:jase at sensis.com]
> > Sent: Thursday, May 15, 2003 1:03 PM
> > To: MAILSCANNER at jiscmail.ac.uk
> > Subject: Re: IP address of spam
> >
> >
> > This is one reason to let SpamAssassin do the RBL checks instead of
> > MailScanner.  I believe that SpamAssassin will check all of the
> > Received header.
> >
> > Also, I would think that the Received header that immediately precedes
> > the Message-Id and From headers could easily be spoofed by a spammer, so
> > you really can't trust it.
> >
> > Jason
> >
> > > -----Original Message-----
> > > From: Avi Levin [mailto:avi at CAXTONRVH.COM]
> > > Sent: Thursday, May 15, 2003 12:45 PM
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: [MAILSCANNER] IP address of spam
> > >
> > >
> > > The IP address identified by MailScanner (4.14-9) in the log seems to
> > > be the last host that handed off the message to my SMTP server.  In
> > > other words, the first "Received:" line in the envelope of each message.
> > >
> > > The problem I'm seeing with this is that if I use Checkpoint's FW-1 SMTP
> > > proxy, or any other internal scanners, then MailScanner's reported IP
> > > address is no longer that of the actual sender.
> > >
> > > Shouldn't the sender's IP address be the one that's identified on the
> > > "Received: " header that immediately precedes the "Message-ID:" and
> > > "From:" lines?
> > >
> > > And finally, which address is used for RBL and other list checks?
> > >
> > > Please let me know if you've got any insights into this.
> > >
> > > Thanks.
> > > ---Avi---
> > >
> >
>
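
One way to pick the address for list checks when an internal SMTP proxy sits in front of the scanner, as an added example that is not part of the original thread and is not MailScanner or SpamAssassin code: walk the Received headers from the newest down, skip hops whose connecting IP belongs to your own relays, and stop at the first outside address. The sample message, the `10.0.0.0/8` trusted range and the function names are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the mail host got the message from an internal SMTP
# proxy (10.0.0.1), which accepted it from 203.0.113.45. The bottom Received
# line was supplied by the sending side and cannot be verified.
SAMPLE = (
    "Received: from fw.example.test (fw.example.test [10.0.0.1])\n"
    "\tby mail.example.test with ESMTP id AAA111; Tue, 20 May 2003 13:58:01 +0000\n"
    "Received: from bulk.example.net (unknown [203.0.113.45])\n"
    "\tby fw.example.test with SMTP id BBB222; Tue, 20 May 2003 13:57:59 +0000\n"
    "Received: from mail.example.org (mail.example.org [198.51.100.7])\n"
    "\tby bulk.example.net with SMTP id CCC333; Tue, 20 May 2003 13:57:50 +0000\n"
    "Message-ID: <constructed-1@example.org>\n"
    "From: someone@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: our own relays
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(raw):
    """Connecting IP recorded by each Received header, newest first."""
    ips = []
    for value in message_from_string(raw).get_all("Received", []):
        # Only the "from ..." clause names the connecting host.
        from_clause = re.split(r"\sby\s", value, maxsplit=1)[0]
        match = BRACKETED_IP.search(from_clause)
        try:
            ips.append(ipaddress.ip_address(match.group(1)) if match else None)
        except ValueError:  # e.g. an octet above 255
            ips.append(None)
    return ips

def sender_ip(raw, trusted=TRUSTED):
    """Return (ip_to_check, unverified_ips_below_it)."""
    ips = hop_ips(raw)
    for index, ip in enumerate(ips):
        rest = [x for x in ips[index + 1:] if x is not None]
        if ip is None:  # unparseable hop: the chain of trust ends here
            return None, rest
        if not any(ip in net for net in trusted):
            return ip, rest  # first address recorded by a host we control
    return None, []
```

With an empty trusted list the function returns the proxy's own address, which is the behaviour described in the original question.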


