info about spam messages

Mon Jun 14 13:39:45 CEST 2004

Chris Wilkes wrote:
> On Fri, Jun 11, 2004 at 12:44:06PM -0400, David Relson wrote:
> 
>>On Fri, 11 Jun 2004 12:11:17 -0400
>>Tom Anderson wrote:
>>
>>>Well, that depends on whether you can correctly identify the IP
>>>address in these lines:
>>>
>>>Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])
>>>Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])
> 
> ...
> 
>>Recognizing "Received:.*[5.6.7.8]" isn't too hard.  I know that's how
>>postfix formats its Received: line.  Do other MTAs use the same format? 
>>If not, what format is used?
> 
> 
> http://cr.yp.to/immhf/envelope.html
> 
> "In theory, the value of a Received field is tokenizable"
> "In practice, SMTP servers put all sorts of badly formatted information
> into Received lines."
> 
> Like Tom said you can really only trust what your servers put in there.
> Also keep in mind that a corporation might have a couple email servers
> to handle incoming mail so you just can't go by the first Received line
> as that could be one of your own servers, which doesn't give you much to
> go on.
> 
> Now we're lucky as we're only going to use what our own servers put in
> there and that (should) be well formatted, or at least remain consistant
> -- famous last words of course.
> 
> It might be easier to have people's MTAs put in a header line like
> "X-Original-IP: 192.168.0.10" and go off of that.  I think yahoo's email
> uses something similiar to that to label their outgoing email though.
> Does bogofilter ignore X- headers when tokenizing?
> 

You are right in being able to trust only what your server puts in there.
For me, it's this:

Received: from talvi.dovecot.org (dovecot.org [80.64.10.60])
         by janus.tacocat.net (Postfix) with ESMTP id BB6AF21311C
         for <mynamehere at tacocat.net>; Mon,  7 Jun 2004 08:36:33 -0400 (EDT)

But even if these are munged by different mail servers, I suspect they 
will be consistently munged.