On 10/24/2011 3:36 PM, Colbeck, Andrew wrote:
> That's a very interesting question, Pete. Are you saying that the <source> section is used to override the normal hop 0 / ordinal 0 IP address? If so, I didn't realize it, I thought this was an additional IP address for GBU to examine.
Yes. The source header directive essentially says, "If you see X, then expect the source IP to be in header Y and don't look anywhere else"
Under normal circumstances SNF will attempt to identify the source IP as the first Received [IP] that it does not ignore.
> I think the answer is "yes", I don't want to inspect the ISP's outbound gateway, and I do want to inspect the "client IP" that originated the email.
Looking at these headers, the X-Telus-Outbound-IP: seems to match the deepest Received header (the original source) so I think this will do what you want. I'm a little thrown by the "Outbound-IP:" bit - seems a strange name for the originator, but in this case it seems to line up with the correct header.
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010

#############################################################
This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For more information see http://www.armresearch.com
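The two source-identification paths Pete describes (walk the Received headers top-down and take the first IP that is not on the ignore list; or, when a trigger header is present, take the IP from the designated header and look nowhere else) are easy to get wrong in a filter, so here is an added example that models them. It is not SNF's code and does not use SNF's configuration syntax; the header names, the `(trigger, ip_header)` directive tuple and the IP addresses (from documentation ranges) are all constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample message headers, in the order they appear in the message:
# the newest hop first, the originating client deepest. The ISP gateway
# (203.0.113.10) is the hop we want to skip; 198.51.100.25 is the client.
SAMPLE_HEADERS: List[Header] = [
    ("Received", "from mx.isp.example (mx.isp.example [203.0.113.10]) by filter.example.net"),
    ("Received", "from client.example.org (client.example.org [198.51.100.25]) by mx.isp.example"),
    ("X-Telus-Outbound-IP", "198.51.100.25"),
    ("From", "someone@example.org"),
]

# Bracketed IPv4 literal inside a Received header, e.g. "[203.0.113.10]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ip(value: str) -> Optional[str]:
    """Return the first bracketed IPv4 literal in a Received header value, if any."""
    m = IP_RE.search(value)
    return m.group(1) if m else None


def first_header(headers: List[Header], name: str) -> Optional[str]:
    """Value of the first header with the given (case-insensitive) name."""
    for hname, value in headers:
        if hname.lower() == name.lower():
            return value
    return None


def source_by_received(headers: List[Header], ignore: Iterable[str]) -> Optional[str]:
    """Normal path: the first Received IP, top-down, that is not in an ignored network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignore]
    for name, value in headers:
        if name.lower() != "received":
            continue
        ip = received_ip(value)
        if ip is None:
            continue  # no parseable literal in this hop; keep walking
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue  # our own or the ISP's gateway; not the originator
        return ip
    return None


def source_by_directive(headers: List[Header], ip_header: str) -> Optional[str]:
    """Directive path: the source IP must come from ip_header and nowhere else."""
    value = first_header(headers, ip_header)
    if value is None:
        return None  # designated header missing: no fallback, by design
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None  # designated header present but not an IP literal


def identify_source(
    headers: List[Header],
    ignore: Iterable[str] = (),
    directive: Optional[Tuple[str, str]] = None,
) -> Optional[str]:
    """Pick the originating IP.

    directive is a hypothetical (trigger_header, ip_header) pair: "if you see
    trigger_header, expect the source IP in ip_header and don't look anywhere else".
    When the trigger is absent, fall back to the Received-header walk.
    """
    if directive is not None:
        trigger, ip_header = directive
        if first_header(headers, trigger) is not None:
            return source_by_directive(headers, ip_header)
    return source_by_received(headers, ignore)


if __name__ == "__main__":
    # Without an ignore list the ISP gateway is wrongly taken as the source.
    print(identify_source(SAMPLE_HEADERS))
    # Ignoring the ISP's gateway network yields the client IP.
    print(identify_source(SAMPLE_HEADERS, ignore=["203.0.113.0/24"]))
    # The directive path reads the same client IP from the designated header.
    print(identify_source(SAMPLE_HEADERS, directive=("X-Telus-Outbound-IP", "X-Telus-Outbound-IP")))
```

The check worth keeping in mind is the last case in `identify_source`: once the trigger header is seen, a missing or malformed designated header returns `None` rather than silently falling back to the Received walk, which is exactly the "don't look anywhere else" behaviour, so a header that is only sometimes present should be matched against the hop it is expected to describe before being relied on.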