Interesting.  I wouldn't have expected SA to do that.  It makes me wonder
if that's really a good thing.  The last (most recent) Received line is
usually the only one you can trust (unless you have an anti-virus or pure
email gateway ahead of your primary MTA).  Beyond that they are to be
taken with a 50lbs block of salt.  Going back into the Received lines past
the ones you know you can trust makes me leery.  I don't know that it's a
good thing.  I'm gonna have to think on that a bit.  The only real way I
can see that it could hurt you is if the forged Received line matches a
negative scoring rule like the bondedsender rule.  Other than that I guess
all it could really do is make your SA box work a little harder by doing
more DNS lookups.  If your DNS system is having load issues, this would be
a good thing to set to 1.  Other than that, I really can't think of any
other way it could hurt you.  Still, I might be more fond of only looking
up the last Received line unless you know that your MTA is 2-3 levels deep
in your own mail system.

Justin



On Thu, 17 Oct 2002, Matt Kettler wrote:

> SpamAssassin certainly does check multiple received-from headers for 
> DNSBLs, in fact, it's configurable. I'm not sure if this setting applies to 
> bondedsender checks or not. In any event there is likely a limit on the 
> number of reverse headers that are checked for bonded sender and that alone 
> will make it by far more difficult to fake a bondedsender, which is the 
> real point.
> 
> from the Mail::SpamAssassin::Conf manfile:
> 
> num_check_received { integer }   (default: 2)
>             How many received lines from and including the original mail
>             relay do we check in RBLs (you'd want at least 1 or 2).  Note
>             that for checking against dialup lists, you can call check_rbl
>             with a special set name of "set-firsthop" and this rule will
>             only be matched against the first hop if there is more than one
>             hop, so that you can set a negative score to not penalize people
>             who properly relayed through their ISP.  See dialup_codes for
>             more details and an example
> 
> Ideally you'd want bondedsender only checked back to the first 
> received-from line added by one of your MTAs and not any others. For DNSBLs 
> you might want to search back a bit further to catch blacklisted servers in 
> multi-hop relays, etc. It would probably be a pain to have separate "dns 
> whitelist" vs "dns blacklist" num_checked_received values, but that might 
> be a worthwhile feature for SA to have.
> 
> 
> At 01:16 PM 10/17/2002 -0500, [EMAIL PROTECTED] wrote:
> >Or a spammer adds a Received line that makes it appear as if the message
> >was relayed through bondedsender.com.  Easily done.  To the best of my
> >knowledge, I think DNSBL lookups are only done on the IP communicating
> >with your MTA.  That's what I've always experienced with the DNSBLs I use
> >from Sendmail.  SA could very well look back through a couple Received
> >lines though.  Can't say for certain.  Seems unlikely to me though.
> >
> >Justin



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
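
The trust boundary discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin's code: it walks the Received headers from the most recent down, stops trusting at the first one not written by your own MTAs, and offers only the peer recorded at that boundary for whitelist lookups while allowing a deeper window for blacklists. The host names, the `our_mtas` set and the function names are hypothetical, the sample message is constructed, and counting `num_check_received` from the edge peer is an assumption of this sketch.

```python
import re
from email import message_from_string

# Constructed sample: the top two Received lines come from our own MTAs
# (hypothetical mx1/mx2.example.net); the bottom one is sender-supplied and forged.
RAW = """\
Received: from mx1.example.net (mx1.example.net [10.0.0.5])
\tby mx2.example.net; Thu, 17 Oct 2002 13:20:02 -0500
Received: from unknown (HELO mail.sender.test) (203.0.113.9)
\tby mx1.example.net; Thu, 17 Oct 2002 13:20:01 -0500
Received: from relay.whitelisted.test (relay.whitelisted.test [192.0.2.44])
\tby mail.sender.test; Thu, 17 Oct 2002 13:19:58 -0500
Subject: constructed sample

body
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")

def hops(raw):
    """Return (by_host, from_ip) per Received header, most recent first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        ip, by = IP_RE.search(value), BY_RE.search(value)
        out.append((by.group(1).lower() if by else None,
                    ip.group(1) if ip else None))
    return out

def lookup_candidates(raw, our_mtas, num_check_received=2):
    """Pick relay IPs for whitelist and blacklist lookups separately."""
    chain = hops(raw)
    trusted = 0
    for by_host, _ in chain:
        if by_host not in our_mtas:
            break              # first header we did not write: stop trusting
        trusted += 1
    ips = [ip for _, ip in chain]
    # The last trusted header records the peer that connected to our edge MTA.
    edge = ips[trusted - 1] if trusted else None
    start = trusted - 1 if trusted else 0
    window = ips[start:start + num_check_received]
    return {"whitelist": [edge] if edge else [],
            "blacklist": [ip for ip in window if ip]}

if __name__ == "__main__":
    print(lookup_candidates(RAW, {"mx1.example.net", "mx2.example.net"}))
```

With an empty `our_mtas` set nothing is trusted, so no address is offered for whitelist lookups at all.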