> > > Received: from bay22-dav1.bay22.hotmail.com[64.4.16.181]:30781 (EHLO
> > > hotmail.com) by mailgateway.sitc.dk ([195.231.241.98]:25) (F-Secure
> > > Anti-Virus for Internet Mail 6.41.149 Release) with SMTP; Wed, 19 Jan
> > > 2005 19:41:14 -0000
> >
> > F-Secure Anti-Virus for Internet Mail is producing incorrectly-formatted
> > Received: lines.
>
> Erm, Where is that header invalid? As far as I can see it's following all of
> the rules of RFC 2822.
The order and spacing of the items after the from keyword is wrong. The specification for Received: lines is in RFC 2821. A correctly formatted line would be something like
Received: from hotmail.com (bay22-dav1.bay22.hotmail.com [64.4.16.181]:30781) by mailgateway.sitc.dk ([195.231.241.98]:25) (F-Secure Anti-Virus for Internet Mail 6.41.149 Release) with SMTP; Wed, 19 Jan 2005 19:41:14 -0000
I do see the differences between your example and theirs, however, I don't see where theirs deviates from the spec.
The RFC 2821 section 4.4 appears to allow the either the Domain and the Address Literal in the From-domain part. This having:
Received: from bay22-dav1.bay22.hotmail.com[64.4.16.181]:30781
by itself as the from clause is legitimate.
The RFC does prohibit the "("Tcp-Info")" field from being based on anything but the TCP connection, but you are not required to insert it, and immediately following the from clause is a CFWS, allowing a comment of any sort to be inserted before the by clause.
Or am I misreading section 4.4?
Stamp = From-domain By-domain Opt-info ";" FWS date-time
From-domain = "FROM" FWS Extended-Domain CFWS
Extended-Domain = Domain / ( Domain FWS "(" TCP-info ")" ) / ( Address-literal FWS "(" TCP-info ")" )
TCP-info = Address-literal / ( Domain FWS Address-literal ) ; Information derived by server from TCP connection ; not client EHLO.
Or is it that folding in the middle of a comment is not allowed?