Date: 2005-08-02 09:55:23 -0400
Subject: [DYNDNS] Re: Re: sender question
More information..: http://www.milter.info/#Support
>I read or heard some where recently something interesting about testing
>Received: headers concerning the path a message has claimed to have
>taken, but have since forgotten the details and where I learnt about it.
I know I'd suggested it on this list at one point (or maybe some other sendmail
/ milter related list)... I'd started doing some reading on what would be
involved in writing my own milter, but my workload has changed such that I don't
know when I'll be able to work on it in earnest.
Here's a recap of what I was thinking:
I'd noticed that of the mail coming into my mailservers, I could fairly easily
distinguish an enormous volume of the SPAM from the real messages by looking
only at the Received: headers. (Specifically, the lines that read "Received: from
... by ...". If a line doesn't show both machines involved in the SMTP
transaction, you can ignore it.)
If there is only one of these headers (received from .... by [MY_MAILSERVER]),
then one of three things is ALWAYS true:
1) The message was sent by a SMTP-AUTH authenticated client.
2) The message came from a host specified in /etc/mail/relay-domains
3) The message is SPAM sent by a zombie computer.
Further tests can be performed on messages with multiple Received: lines. Here
are a couple of examples:
1) Locality: Any time that I receive email where there are two blocks of
Received headers separated by other random headers, the second block is ALWAYS
forged. Is it coincidence that legitimate Received headers are always
contiguous, or is it specified by the RFC? Or, another way to ask the question:
Is it conceivable that a properly-behaving mailserver may insert other headers
before prepending its own Received header?
2) Sanity: Consider the following two hypothetical adjacent headers:
Received: from (mailserver.domain1.com[22.214.171.124]) by (...) ...
Received: from (...) by mailserver.domain2.com ...
And mailserver.domain2.com resolves to 126.96.36.199.
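The three checks sketched in the message above (single-hop classification, the "locality" check for non-contiguous Received: blocks, and the "sanity" check that each hop's "from" host matches the next hop's "by" host), written out as a small Python script. This is an added example, not code from the thread or from any milter; the sample messages, the host names (mx.example.net, mailserver.domain1.com, etc.) and the FAKE_DNS table standing in for a real resolver are all constructed so the script runs offline.

```python
"""Heuristic checks on Received: headers, as described in the thread above (added example)."""
import re

# Header folding: continuation lines begin with whitespace (RFC 5322, section 2.2.3).
_FOLD_RE = re.compile(r"\r?\n[ \t]+")
# "from <helo-name> (<rdns> [<ip>]) ... by <host>"; the HELO name is optional when the
# hop is written as "from (host[ip]) by ..." as in the message above.
_RECEIVED_RE = re.compile(
    r"from\s+(?:(?P<from_host>[^\s(]+)\s*)?(?:\((?P<from_comment>[^)]*)\))?"
    r".*?\bby\s+(?P<by_host>[^\s;(]+)",
    re.IGNORECASE,
)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

MY_MAILSERVER = "mx.example.net"  # assumption: the name our MTA writes after "by"

# Assumption: stand-in for DNS so the example runs offline; replace with real lookups.
FAKE_DNS = {
    "mailserver.domain1.com": {"192.0.2.10"},
    "mailserver.domain2.com": {"198.51.100.5"},
    "mx.example.net": {"203.0.113.1"},
}


def parse_headers(raw):
    """Return [(name, value), ...] in on-the-wire order, with folded lines joined."""
    head = raw.split("\n\n", 1)[0]
    out = []
    for line in _FOLD_RE.sub(" ", head).split("\n"):
        if line.strip():
            name, _, value = line.partition(":")
            out.append((name.strip(), value.strip()))
    return out


def parse_received(value):
    """Extract from-host, bracketed from-IP and by-host; None if both sides are not named."""
    m = _RECEIVED_RE.search(value)
    if not m:
        return None
    host = m.group("from_host")
    if host is None:  # "from (rdns[ip]) by ..." form: take the host from the comment
        host = re.split(r"[\s\[]", (m.group("from_comment") or "").strip(), 1)[0]
    ip = _IP_RE.search(value[: m.start("by_host")])
    return {"from_host": host.lower().rstrip("."),
            "from_ip": ip.group(1) if ip else None,
            "by_host": m.group("by_host").lower().rstrip(".")}


def analyze(raw, my_server=MY_MAILSERVER, dns=FAKE_DNS):
    """Apply the three checks; returns hop count, Received: block count and findings."""
    hops, blocks, in_block, findings = [], 0, False, []
    for name, value in parse_headers(raw):  # topmost Received: is the most recent hop
        if name.lower() == "received":
            if not in_block:
                blocks, in_block = blocks + 1, True
            hop = parse_received(value)
            if hop:  # lines that do not name both machines are ignored
                hops.append(hop)
        else:
            in_block = False
    if blocks > 1:  # "locality": Received: lines separated by other headers
        findings.append("non_contiguous_received")
    if len(hops) == 1 and hops[0]["by_host"] == my_server:
        findings.append("single_hop")  # SMTP-AUTH client, relay-domains host, or zombie
    # "sanity": the host hop i says it came from must be the host hop i+1 says it was received by
    for upper, lower in zip(hops, hops[1:]):
        claimed = lower["by_host"]
        ok = upper["from_host"] == claimed or (
            upper["from_ip"] is not None and upper["from_ip"] in dns.get(claimed, set()))
        if not ok:
            findings.append("hop_mismatch:%s!=%s" % (upper["from_host"], claimed))
    return {"hops": len(hops), "received_blocks": blocks, "findings": findings}


# Constructed sample messages (not real traffic).
LEGIT = ("Received: from mailserver.domain1.com (mailserver.domain1.com [192.0.2.10])\n"
         "\tby mx.example.net (Postfix) with ESMTP id ABC123; Tue, 2 Aug 2005 09:55:23 -0400\n"
         "Received: from [10.0.0.7] (workstation.domain1.com [10.0.0.7])\n"
         "\tby mailserver.domain1.com (Postfix) with ESMTPA id DEF456\n"
         "From: alice@domain1.com\nTo: bob@example.net\nSubject: hello\n\nbody\n")
FORGED_BLOCK = ("Received: from dsl-pool-1.example.org (unknown [198.51.100.77])\n"
                "\tby mx.example.net (Postfix) with SMTP id GHI789\n"
                "From: spam@domain2.com\nTo: bob@example.net\n"
                "Received: from mailserver.domain2.com (mailserver.domain2.com [192.0.2.99])\n"
                "\tby mailserver.domain2.com (Postfix) with ESMTP id JKL012\n"
                "Subject: buy now\n\nbody\n")
ZOMBIE_DIRECT = ("Received: from cable-modem.example.org ([198.51.100.88])\n"
                 "\tby mx.example.net with SMTP\nFrom: x@domain2.com\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("forged", FORGED_BLOCK), ("zombie", ZOMBIE_DIRECT)):
        print(label, analyze(msg))
```

In a real milter the FAKE_DNS dict would be replaced by A-record lookups of each "by" host, and the single-hop case would be resolved by consulting the SMTP-AUTH result and relay-domains rather than the headers alone; the header checks on their own only say which of the three cases cannot apply.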