On 04/20/2015 09:03 PM, Reindl Harald wrote:
> well, received headers in the middle of a message are not that good for classification at all
sez the expert.. look at 20_dnsbl_tests.cf and you'll see that not all lookups are lastexternal
or put the internet cafes on 41.203.69.0/24 in a local BL and see it catch 419's injection points.
obviously you won't want to run deep header lookups against PBL or XBL but injection points on VPNs, etc. can only be detected through deep header parsing.
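An added example, not part of the original message and not SpamAssassin code: it contrasts a last-external-only lookup with a deep lookup over every Received header against a local blocklist holding the 41.203.69.0/24 range named above. The trusted network, the sample message and all function names are assumptions made for the illustration.

```python
import email
import ipaddress
import re

# Local blocklist; 41.203.69.0/24 is the range named in the post.
LOCAL_BL = [ipaddress.ip_network("41.203.69.0/24")]
# Assumption: our own MX network, whose Received headers we wrote ourselves.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: webmail injection relayed through a freemail provider.
SAMPLE = """\
Received: from out.freemail.example (out.freemail.example [198.51.100.25])
\tby mx.example.org (192.0.2.10) with ESMTP; Mon, 20 Apr 2015 18:00:03 +0000
Received: from web.freemail.example (web.freemail.example [198.51.100.7])
\tby out.freemail.example with ESMTP; Mon, 20 Apr 2015 18:00:02 +0000
Received: from [41.203.69.17] by web.freemail.example via HTTP;
\tMon, 20 Apr 2015 18:00:01 +0000
Subject: constructed sample

body
"""

def relay_ips(raw):
    """Bracketed relay IPs, most recent Received header first."""
    ips = []
    for hdr in email.message_from_string(raw).get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        if not m:
            continue
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # octets out of range: not a usable address
    return ips

def listed(ip):
    return any(ip in net for net in LOCAL_BL)

def check(raw):
    """Return (last_external_hit, deep_hits) for one raw message."""
    # Drop hops inside our own network; the first one left is "last external".
    ext = [ip for ip in relay_ips(raw) if not any(ip in n for n in TRUSTED)]
    last_external = bool(ext) and listed(ext[0])
    deep = [str(ip) for ip in ext if listed(ip)]
    return last_external, deep

if __name__ == "__main__":
    print(check(SAMPLE))
```

Only the topmost external hop is recorded by a host you control; every Received header below it is supplied by the sending side, so a deep hit is better treated as a scoring signal than as grounds for rejection on its own.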