Roberto,

I have been getting hammered by a hacker who seems to be sending an email apparently from an insurance company which is 800kb in size. So far we have got over 4000 of these !!!!

It appears that this user is connecting to BT (here in the UK) and using their server to relay his email. Now, BT's server isn't blacklisted in any of the usual lists, but the IP of the hackers machine is !!!

Now, as I understand it, the maps checker will only check on the IP that connected to SF. But what if that IP is ok, but the IP of the origional sender is listed.....but they used a relay that was good (at the moment).

Can you extend the maps checker to check not just the IP that connected to SF, but also include all of the IP's in the chain right back to the origional senders server??

Below is a section of the offending headers.

Received: from 194.73.73.210 by mail.protected-mail.co.uk (LogSat Software SMTP Server); Wed, 6 Sep 2006 11:16:14 +0100
Received: from pfps.net (host217-43-193-123.range217-43.btcentralplus.com [217.43.193.123]) by c2bthomr02.btconnect.com (MOS 3.7.4b-GA) with ESMTP id FCO50385; Wed, 6 Sep 2006 10:55:19 +0100 (BST)
Received: from mail pickup service by pfps.net with Microsoft SMTPSVC; Wed, 6 Sep 2006 11:06:24 +0100

As you can see, we received the email from 194.73.73.210 (one of BT's servers) that is not blacklisted, however, this was an relayed email from 217.43.193.123 (the hacker's dial-up address) which is listed in dnsbl.sorbs.net, yet SF let the email through.