@lbutlr:
How does amavis know if you removed the spammer headers and added your
own?
Andreas Schulze wrote:
It has to trust the administrator does a good job :-)
Each A-R header include an AuthServID (a hostname generating the A-R
header)
Any A-R header consumer must know these "TrustedAuthServIDs" and trust
these are generated localy.
AuthServID by itself is not good enough, such header field must also
belong to a set of trusted fields. SpamAssassin solves the problem
of determining which header fields can be trusted by settings
trusted_networks / internal_networks / msa_networks.
Mark