info about spam messages
Tom Allison
tallison at tacocat.net
Mon Jun 14 13:39:45 CEST 2004
Chris Wilkes wrote:
> On Fri, Jun 11, 2004 at 12:44:06PM -0400, David Relson wrote:
>
>>On Fri, 11 Jun 2004 12:11:17 -0400
>>Tom Anderson wrote:
>>
>>>Well, that depends on whether you can correctly identify the IP
>>>address in these lines:
>>>
>>>Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])
>>>Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])
>
> ...
>
>>Recognizing "Received:.*[5.6.7.8]" isn't too hard. I know that's how
>>postfix formats its Received: line. Do other MTAs use the same format?
>>If not, what format is used?
>
>
> http://cr.yp.to/immhf/envelope.html
>
> "In theory, the value of a Received field is tokenizable"
> "In practice, SMTP servers put all sorts of badly formatted information
> into Received lines."
>
> Like Tom said you can really only trust what your servers put in there.
> Also keep in mind that a corporation might have a couple email servers
> to handle incoming mail so you just can't go by the first Received line
> as that could be one of your own servers, which doesn't give you much to
> go on.
>
> Now we're lucky as we're only going to use what our own servers put in
> there and that (should) be well formatted, or at least remain consistent
> -- famous last words of course.
>
> It might be easier to have people's MTAs put in a header line like
> "X-Original-IP: 192.168.0.10" and go off of that. I think yahoo's email
> uses something similar to that to label their outgoing email though.
> Does bogofilter ignore X- headers when tokenizing?
>
You are right in being able to trust only what your server puts in there.
For me, it's this:

Received: from talvi.dovecot.org (dovecot.org [80.64.10.60])
        by janus.tacocat.net (Postfix) with ESMTP id BB6AF21311C
        for <mynamehere at tacocat.net>; Mon, 7 Jun 2004 08:36:33 -0400 (EDT)

But even if these are munged by different mail servers, I suspect they
will be consistently munged.
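
The approach discussed in this thread, as an added example that is not part of the original messages or of bogofilter: walk the Received headers from the newest down, accept only lines stamped by your own MTAs, skip internal relay hops, and take the bracketed peer IP from the first hop that came from outside. The names `OUR_MTAS`, `INTERNAL_NETS`, `handoff_ip`, the host `store.example.net` and the 10.0.0.0/8 range are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions: names our own MTAs write after "by", and the address range
# they use when relaying to each other. Adjust both to the local site.
OUR_MTAS = {"janus.tacocat.net", "store.example.net"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
# Postfix-style peer comment "(rdns-name [a.b.c.d])"; also matches the two
# variants quoted in the thread, "(IDENT:... host[ip])" and "(<host> [ip])".
PEER_RE = re.compile(r"\([^()\[\]]*\[([0-9.]+)\]\s*\)")


def handoff_ip(raw_message):
    """Return the peer IP our MTA recorded where the mail entered our network."""
    msg = message_from_string(raw_message)
    # Each hop prepends its header, so the newest Received line comes first.
    for value in msg.get_all("Received", []):
        by = BY_RE.search(value)
        if not by or by.group(1).lower() not in OUR_MTAS:
            return None  # not stamped by us: this and all lower lines are untrusted
        peer = PEER_RE.search(value)
        if not peer:
            return None
        try:
            ip = ipaddress.ip_address(peer.group(1))
        except ValueError:
            return None  # bracketed text is not a valid address
        if any(ip in net for net in INTERNAL_NETS):
            continue  # relay between our own servers; keep walking down
        return str(ip)
    return None


# Constructed sample: an internal relay hop, the hop quoted in the post above,
# then a sender-supplied line in one of the formats quoted in the thread.
SAMPLE = (
    "Received: from janus.tacocat.net (janus.tacocat.net [10.0.0.5])\n"
    "\tby store.example.net (Postfix) with ESMTP id 0000000000\n"
    "Received: from talvi.dovecot.org (dovecot.org [80.64.10.60])\n"
    "\tby janus.tacocat.net (Postfix) with ESMTP id BB6AF21311C\n"
    "Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])\n"
    "\tby mail.example.org\n"
    "Subject: constructed\n\nbody\n"
)
```

Because the walk stops at the first external peer, a forged line further down that claims to be "by" one of your own hosts is never consulted.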