Hi folks,
I was wondering why the following code is commented out of smtp.bro? I
have a patch that looks for "MAIL FROM" and sets those as the
sender in the smtp logs. It adds a couple of functions to mimic the
structure of extract_recipient() etc. The functionality seems to work
well. All of the valid sender addresses seem to get captured, though I
have not done exhaustive testing for invalid addresses.
In policy/smtp.bro:

    508 # else if ( cmd == "MAIL" && code == 250 )
    509 #     smtp_command_mail(session, cmd_info);
However, if there is a reason why we shouldn't be doing this, I won't
submit the patch.
Thanks,
Randy
http://www.frenzy.org
"Sed Quis Custodiet Ipsos Custodes?" -Juvenal
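The commented-out lines above only record the sender once the MAIL command has drawn a 250 reply, which is the detail a log consumer cares about: the envelope sender the server actually accepted, not every reverse-path the client tried. The following Python model of that extraction is an added example written for this thread; it is not Bro script and not Randy's patch. Function and field names (extract_sender, SmtpSession, replay) are my own, and the client/server exchange is constructed for the example. It also handles the reverse-path edge cases that make "invalid addresses" worth testing: the null sender <>, an obsolete source route, a bare unbracketed address, and ESMTP parameters after the path.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Reverse-path syntax from RFC 5321: "MAIL FROM:<path> [params]".
# The angle-bracket form is the common one; a bare token is tolerated
# because some clients omit the brackets.
MAIL_FROM_RE = re.compile(
    r'^MAIL\s+FROM\s*:\s*(?P<path><[^>]*>|\S+)(?P<params>.*)$', re.IGNORECASE)
RCPT_TO_RE = re.compile(
    r'^RCPT\s+TO\s*:\s*(?P<path><[^>]*>|\S+)(?P<params>.*)$', re.IGNORECASE)
# Server reply: three-digit code, then space (final line) or '-' (continuation).
REPLY_RE = re.compile(r'^(?P<code>\d{3})[ -]')


def _strip_path(path: str) -> str:
    """Remove angle brackets and an obsolete source route ("@a,@b:user@host")."""
    if path.startswith("<") and path.endswith(">"):
        path = path[1:-1]
    if path.startswith("@") and ":" in path:
        path = path.split(":", 1)[1]
    return path


def extract_sender(cmd_line: str) -> Optional[str]:
    """Return the reverse-path of a MAIL FROM line, or None if the line is
    not a parseable MAIL FROM. The null sender "<>" yields the empty string,
    which callers should keep distinct from None (bounce vs. no sender)."""
    m = MAIL_FROM_RE.match(cmd_line.strip())
    if not m:
        return None
    return _strip_path(m.group("path"))


@dataclass
class SmtpSession:
    sender: Optional[str] = None                           # accepted by server (250)
    attempted_senders: List[str] = field(default_factory=list)  # every MAIL FROM seen
    recipients: List[str] = field(default_factory=list)    # accepted RCPT TO only
    pending: Optional[Tuple[str, str]] = None              # (cmd, value) awaiting reply


def replay(exchange: List[Tuple[str, str]]) -> SmtpSession:
    """Walk a list of ("C"|"S", line) pairs and commit envelope fields only
    when the server's final reply to the command is 250."""
    s = SmtpSession()
    for side, text in exchange:
        if side == "C":
            sender = extract_sender(text)
            if sender is not None:
                s.attempted_senders.append(sender)
                s.pending = ("MAIL", sender)
                continue
            m = RCPT_TO_RE.match(text.strip())
            s.pending = ("RCPT", _strip_path(m.group("path"))) if m else None
        else:
            r = REPLY_RE.match(text)
            if not r or s.pending is None or text[3] == "-":
                continue  # not a reply, nothing outstanding, or multi-line continuation
            code = int(r.group("code"))
            cmd, value = s.pending
            if cmd == "MAIL" and code == 250:
                s.sender = value
            elif cmd == "RCPT" and code == 250:
                s.recipients.append(value)
            s.pending = None
    return s


# Constructed exchange: the first MAIL FROM is refused, the second accepted.
SAMPLE_EXCHANGE = [
    ("S", "220 mx.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mx.example.test"),
    ("S", "250 SIZE 10240000"),
    ("C", "mail from:<spoofed@other.example.test>"),
    ("S", "550 5.1.8 Sender address rejected"),
    ("C", "MAIL FROM:<@relay.example.test:alice@example.test> SIZE=1234"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<bob@example.test>"),
    ("S", "250 2.1.5 Ok"),
    ("C", "RCPT TO:<nobody@example.test>"),
    ("S", "550 5.1.1 User unknown"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
]

if __name__ == "__main__":
    sess = replay(SAMPLE_EXCHANGE)
    print("accepted sender:", sess.sender)
    print("attempted senders:", sess.attempted_senders)
    print("accepted recipients:", sess.recipients)
```

Keeping attempted_senders alongside the accepted sender is the useful extra for monitoring: the logged sender should be what the server committed to, but a session whose client cycles through rejected reverse-paths is itself worth surfacing.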