info about spam messages

David Relson relson at osagesoftware.com
Fri Jun 11 18:44:06 CEST 2004


On Fri, 11 Jun 2004 12:11:17 -0400
Tom Anderson wrote:

> From: "David Relson" <relson at osagesoftware.com>
> > I trust only the ip address in the first Received: stanza.  My
> > thought is to have bogofilter cache that value so it can be included
> > (using'%I') in the X-Bogosity line (or the logging message).
> >
> > The From: address is easily forged and less reliable.  However while
> > implementing the '%I' ability, adding '%F' for the From: address is
> > easy.
> 
> Well, that depends on whether you can correctly identify the IP
> address in these lines:
> 
> Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])
> Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])
> Received: from 1.2.3.4 ([5.6.7.8] ident=4.3.2.1)
> Received: from 1.2.3.4 (proxying for 5.6.7.8) (user 4.3.2.1)
> Received: from 1.2.3.4 (account 4.3.2.1[5.6.7.8] verified)
> Received: from (1.2.3.4) [5.6.7.8]
> Received: from (1.2.3.4 [5.6.7.8])
> Received: from 1.2.3.4 (8.7.6.5.s.com [5.6.7.8])
> Received: from 1.2.3.4 (4.3.2.1 at 8.7.6.5.s.com)
> Received: from 1.2.3.4 (8.7.6.5.s.com)
> Received: (from 4.3.2.1 at 8.7.6.5.s.com)
> Received: (from 4.3.2.1 at 1.2.3.4)
> Received: from ([5.6.7.8])
> Received: from 5.6.7.8
> Received: from 1.2.3.4
> 
> Hint:
> helo = 1.2.3.4
> rnds = 8.7.6.5.s.com
> ip = 5.6.7.8
> luser = 4.3.2.1

Recognizing "Received:.*[5.6.7.8]" isn't too hard.  I know that's how
postfix formats its Received: line.  Do other MTAs use the same format? 
If not, what format is used?

Recognizing an ip address is something a program can do, just like
bogofilter _can_ classify a message as spam.  What's done with the
message after recognition/classification is, as we all know, something
different and fraught with peril.  Those policies are left to the
discretion of the user and the sysadmin :-)
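An added illustration, not code from this thread or from bogofilter: the heuristic discussed above (trust only the bracketed, MTA-recorded address, taken from the first Received: stanza) applied to Tom's fifteen sample lines, next to a naive "first dotted quad" extractor for comparison. The header-unfolding step, the function names and the scoring helper are my own assumptions.

```python
import re

# Dotted quad; octet ranges are not validated, enough for a header heuristic.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# MTAs write the peer address seen on the socket in square brackets; in a regex
# the brackets must be escaped, since unescaped "[5.6.7.8]" is a character class.
BRACKETED_IP = re.compile(r"\[(" + IPV4 + r")\]")
ANY_IP = re.compile(IPV4)

def peer_ip(received):
    """MTA-attested peer IP from one Received: header, or None if there is none."""
    # Only a bracketed address is trusted; HELO name, IDENT result and rDNS are
    # client-influenced, so a line without one yields None rather than a guess.
    m = BRACKETED_IP.search(received)
    return m.group(1) if m else None

def naive_first_ip(received):
    """Baseline for comparison: the first dotted quad anywhere on the line."""
    m = ANY_IP.search(received)
    return m.group(0) if m else None

def first_received(raw_headers):
    """Unfold continuation lines and return the topmost Received: header."""
    # The first stanza was added by the local MTA; lower ones may be forged.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            return line
    return None

# Constructed from the thread's sample lines; per the hint the true peer is 5.6.7.8.
SAMPLES = """\
Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])
Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])
Received: from 1.2.3.4 ([5.6.7.8] ident=4.3.2.1)
Received: from 1.2.3.4 (proxying for 5.6.7.8) (user 4.3.2.1)
Received: from 1.2.3.4 (account 4.3.2.1[5.6.7.8] verified)
Received: from (1.2.3.4) [5.6.7.8]
Received: from (1.2.3.4 [5.6.7.8])
Received: from 1.2.3.4 (8.7.6.5.s.com [5.6.7.8])
Received: from 1.2.3.4 (4.3.2.1 at 8.7.6.5.s.com)
Received: from 1.2.3.4 (8.7.6.5.s.com)
Received: (from 4.3.2.1 at 8.7.6.5.s.com)
Received: (from 4.3.2.1 at 1.2.3.4)
Received: from ([5.6.7.8])
Received: from 5.6.7.8
Received: from 1.2.3.4""".splitlines()

def score(extractor):
    """Count the sample lines the extractor resolves to the true peer IP."""
    return sum(1 for s in SAMPLES if extractor(s) == "5.6.7.8")
```

The bracket rule resolves 8 of the 15 lines and refuses the other 7 rather than returning the HELO or IDENT value; the naive extractor gets only 2 right because the client-supplied quads come first on most lines.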
