Here is a message going through a Postini server.

---EXAMPLE 1---------------------------------------------------------------
Received: from xxxx.xxxxx.local ([127.0.0.1]) by xxxxxx.xom with Microsoft SMTPSVC(6.0.3790.1830); Wed, 30 Sep 2009 12:18:03 -0400
Return-Path: <dbar...@declude.com>
Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net with SMTP; Wed, 30 Sep 2009 12:12:56 -0400
Received: from source ([216.144.195.81]) by exprod5mx277.postini.com ([64.18.4.10]) with SMTP; Wed, 30 Sep 2009 11:16:38 CDT
Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com with SMTP; Wed, 30 Sep 2009 11:16:11 -0500
Reply-To: <dbar...@declude.com>
From: "David Barker" <dbar...@declude.com>
To: "xxx xxxx'" <x...@xxxxx.com>
---------------------------------------------------------------------------

This line is good.

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net with SMTP;

However this line is a problem.

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com ([64.18.4.10]) with SMTP;

This IP exprod5mx277.postini.com ([64.18.4.10]) should be on its own line. The problem occurs when there are two IP addresses on the same line. The first IP is considered as BOGUS and Declude picks up the second IP address on this line. For more information please review RFC 5321: [4.4]

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, November 04, 2009 3:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi David:

I'm interested to better understand this feature. The line you posted looks like a legit received header that Postini indeed should add to the top of the headers when it receives the message from the source?

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT

Isn't the MX of the recipient domain pointed to Postini's server? So Postini would be the first received header to be inserted before relaying the message to the client's internal mail server?

It might help if you actually posted what a header looked like before Postini mangled it and what it looked like after Postini mangled it? I guess, what I'm not grasping is, who inserted the original header that Postini has tampered with if Postini is the domain's MX?

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, November 04, 2009 2:54 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi Scott,

Postini is violating RFC 5321: [4.4]

" An Internet mail program MUST NOT change or delete a Received: line that was previously added to the message header section. SMTP servers MUST prepend Received lines to messages; they MUST NOT change the order of existing lines or insert Received lines in any other location. "

Postini is changing the headers received line by adding the additional IP as the example below.

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT

The problem is that a changed received line is an indication of a forged header and is a flag for a bogus received line (a technique often used by spammers). Because of this, the actual IP of the sender is not where it should be, so we are giving our customers the option:

POSTINIFIX ON     Will identify the sending IP as 209.85.221.110
By Default if not present
POSTINIFIX OFF    Will identify the sending IP as 64.18.4.10

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
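
The two-address ambiguity discussed in this thread, as an added example that is not part of the original messages and is not Declude's code: it parses the Received lines from EXAMPLE 1, flags the hop that carries an IP in both the from-clause and the by-clause, and shows which address each setting would yield. The function names and the first-address/last-address selection rule are assumptions modelled on the POSTINIFIX ON/OFF description above.

```python
import re

# Bracketed IPv4 literal as it appears in the thread's headers, e.g. [64.18.4.10]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Received lines copied from EXAMPLE 1 in the thread (topmost header first).
EXAMPLE_1 = [
    "Received: from xxxx.xxxxx.local ([127.0.0.1]) by xxxxxx.xom with Microsoft SMTPSVC(6.0.3790.1830); Wed, 30 Sep 2009 12:18:03 -0400",
    "Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net with SMTP; Wed, 30 Sep 2009 12:12:56 -0400",
    "Received: from source ([216.144.195.81]) by exprod5mx277.postini.com ([64.18.4.10]) with SMTP; Wed, 30 Sep 2009 11:16:38 CDT",
    "Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com with SMTP; Wed, 30 Sep 2009 11:16:11 -0500",
]

def parse_received(line):
    """Return the bracketed IPs found in the from-clause and the by-clause."""
    clauses = line.partition(";")[0]            # drop the trailing timestamp
    from_part, sep, by_part = clauses.partition(" by ")
    return IP_RE.findall(from_part), (IP_RE.findall(by_part) if sep else [])

def sending_ip(line, postinifix):
    """Assumed model of the two settings described in the thread.

    postinifix=True  -> take the from-clause IP (first address on the line)
    postinifix=False -> take the last address on the line (the by-clause IP)
    Lines with a single address are unaffected by the setting.
    """
    from_ips, by_ips = parse_received(line)
    ips = from_ips + by_ips
    if not ips:
        return None
    if from_ips and by_ips:
        return from_ips[0] if postinifix else by_ips[-1]
    return ips[0]

def audit(lines, postinifix):
    """Per hop: the chosen IP and whether the line carries a by-clause IP."""
    report = []
    for line in lines:
        from_ips, by_ips = parse_received(line)
        report.append({"ip": sending_ip(line, postinifix),
                       "two_ips": bool(from_ips and by_ips)})
    return report

if __name__ == "__main__":
    for setting in (True, False):
        print("POSTINIFIX", "ON" if setting else "OFF", audit(EXAMPLE_1, setting))
```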