MIMEDefang never tries to tell you which system is infected. It just logs the address of the relay that connected to your sendmail server.
Ok I missed that point.
Before you decide to not trust MIMEDefang's log lines, it would be a good idea for you to find out what they are supposed to contain. Nowhere in the docs for MIMEDefang does it say *anything* about MIMEDefang logging the IPs of infected computers.
Again I thought it was that...
And since MIMEDefang doesn't analyze Received-headers unless you implement it yourself in your filter, how on earth do you expect MIMEDefang to have even the slightest idea about any relays other than the one the address of which MIMEDefang gets from sendmail?
It doesn't analyze them, you are right.
Maybe I'm wrong but I thought mimedefang was more than just a milter that passes mails to clamav/spamassassin.
I thought we can do some correlation about headers, validating from fields, validating Helo, and other things.
Maybe it does not exist right now, but it's maybe a good idea to try to correlate some information in the HEADERS, if it's possible.
By no means I'm saying that I can do it, but I suggest it. I don't know if it's possible, I believe it is, I might be wrong.
Jerome
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

