I'm not sure that amavisd does at all. SpamAssassin does a lot to determine which header matters, and their logic is well documented. The short version = the first Received line (going backwards) which isn't trusted. (But trust is a big topic you need to read about, or better yet just define explicitly.)
On May 2, 2008, at 7:01 AM, [EMAIL PROTECTED] wrote:
> I was wondering what amavisd-new does exactly to ensure Received
> header sanity.
>
> For example if I look at my logs I see
> " Passed SPAM, [80.92.69.56] [77.87.224.34] "
> The first IP is the one delivering to my MX, so it can be trusted. The
> second IP is the IP from the first host (i.e. last Received: header)
> in the mail.
>
> Now the headers (the relevant ones) look like:
>
> ....
> X-ClientAddr: 217.95.30.242
> Received: from pD95F1EF2.dip0.t-ipconnect.de (pD95F1EF2.dip0.t-ipconnect.de [217.95.30.242])
>     by hosting1.xxxxx (8.13.1/8.13.1) with SMTP id m417cnVV001458
>     for <a...@gum.lu>;
>     Thu, 1 May 2008 09:38:51 +0200
> Received: from 77.87.224.34 (HELO mx1.bund.de)
>     by gum.lu with esmtp ({nChar[8-12]} {nChar[4-6]})
>     id LtyEyr-Gj2Ogl-zk
>     for a...@gum.lu;
>     Thu, 01 May 2008 09:39:18 +0200
> [end of headers]
>
> Obviously the IP 77.87.224.34 is a fake since the "from" line in the
> upper header has nothing to do with the " by" line in the lower
> header. (I would have liked to see [217.95.30.242] as the second log
> entry, or simply an empty entry if it was not sure.)
>
> If I feed such mails to spamcop they recognize the fraud, but I guess
> amavis (still?) doesn't.
>
> Best regards,
> Marc
>
> _______________________________________________
> AMaViS-user mailing list
> AMaViS-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
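
The rule from the reply above (walk the Received headers from the newest one down and stop at the first relay that is not explicitly trusted), as an added example that is not part of the original thread and is not SpamAssassin's or amavisd-new's code. The trusted network list, the top hop, and the host names `hosting1.example` and `mx.example` are constructed assumptions; the lower two headers follow the ones quoted in the question.

```python
import email
import ipaddress
import re

# Constructed sample (newest header first). The top hop and the name
# "hosting1.example" are placeholders; the lower two follow the quoted headers.
RAW = """\
Received: from hosting1.example (hosting1.example [80.92.69.56])
\tby mx.example with ESMTP id CONSTRUCTED; Thu, 1 May 2008 09:38:55 +0200
Received: from pD95F1EF2.dip0.t-ipconnect.de (pD95F1EF2.dip0.t-ipconnect.de [217.95.30.242])
\tby hosting1.example (8.13.1/8.13.1) with SMTP id m417cnVV001458; Thu, 1 May 2008 09:38:51 +0200
Received: from 77.87.224.34 (HELO mx1.bund.de)
\tby gum.lu with esmtp id LtyEyr-Gj2Ogl-zk; Thu, 01 May 2008 09:39:18 +0200

(body)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]|\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_hops(raw):
    """Return one dict per Received header, newest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        from_part, _, rest = " ".join(value.split()).partition(" by ")
        m = IP_RE.search(from_part)
        hops.append({"from_part": from_part,
                     "ip": (m.group(1) or m.group(2)) if m else None,
                     "by": rest.split()[0] if rest else None})
    return hops

def first_untrusted(hops, trusted_nets):
    """Walk down from the newest header; a header is believable only while
    every relay above it is trusted. Returns (index, ip) of the first hop
    whose connecting IP is not trusted; headers below it are unverified."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for i, hop in enumerate(hops):
        if hop["ip"] is None or not any(ipaddress.ip_address(hop["ip"]) in n for n in nets):
            return i, hop["ip"]
    return None, None

def chain_breaks(hops):
    """Indexes where the 'by' host of the next-older header does not appear in
    this header's 'from' clause. A heuristic hint only: names can differ."""
    return [i for i in range(len(hops) - 1)
            if hops[i + 1]["by"] and hops[i + 1]["by"].lower() not in hops[i]["from_part"].lower()]

if __name__ == "__main__":
    hops = parse_hops(RAW)
    print(first_untrusted(hops, ["80.92.69.56/32"]), chain_breaks(hops))
```

With only 80.92.69.56 trusted, the walk stops at 217.95.30.242, and the header claiming 77.87.224.34 sits below that point, so it is data supplied by an untrusted client rather than a verified hop.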