If this header line was faked, it would be inappropriate to run DNSBLs on it.

If it was not faked, the receiving MTA at nifty.com is not RFC conformant.  To 
me it doesn't look faked; see the header excerpt below.  Most likely it's just 
a case of a misconfigured MTA.

Now, whether or not SA should parse malformed Received lines is another 
question...

Pierre



Received: from localhost ([127.0.0.1])
        by vawr.pblnet.local with esmtp (Exim 4.50)
        id 1E56bi-00005v-PL
        for [EMAIL PROTECTED]; Wed, 17 Aug 2005 03:56:18 +0900
Received: from pop.nifty.com [202.248.238.11]
        by localhost with POP3 (fetchmail-6.2.5.2)
        for [EMAIL PROTECTED] (single-drop); Wed, 17 Aug 2005 03:56:18 +0900 (JST)
Received: by mbox53.nifty.com id 430236b0494c63;
        Wed, 17 Aug 2005 03:55:44 +0900
Received: from makorsha.biz ([218.64.103.25])by mxg509.nifty.com with SMTP id j7GItZAo029596;
        Wed, 17 Aug 2005 03:55:36 +0900
To: "Alfonzo Seifert" <[EMAIL PROTECTED]>




-----Original Message-----
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 17, 2005 7:44 AM
To: users@spamassassin.apache.org
Subject: Re: problem of extracting IP string from header (bug?)


> unfortunately the space is required, and appears in the output from the
> MTAs that I'm aware of.  It appears that the "nifty.com" mailserver is
> producing unusual headers there.

Justin, this sounds very similar to the (I believe bz) report a few days ago
where someone suggested spammers may be doing this deliberately in faked
received headers.

        Loren
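
Added illustration, not part of the thread and not SpamAssassin's own parser: strict versus tolerant parsing of the two `from HELO ([ip])` Received lines quoted above, with a policy switch for whether an IP taken from a malformed line is turned into a DNSBL query name. The function names and the `dnsbl.example` zone are assumptions made for this example; no DNS lookup is performed.

```python
import re

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Strict: whitespace is required between the "from" clause and "by".
STRICT = re.compile(r"^from\s+(?P<helo>\S+)\s+\(\[" + IP + r"\]\)\s+by\s+(?P<by>\S+)")
# Tolerant: also accepts ")by" with no space, as in the mxg509.nifty.com line.
TOLERANT = re.compile(r"^from\s+(?P<helo>\S+)\s+\(\[" + IP + r"\]\)\s*by\s+(?P<by>\S+)")

# Header values copied from the excerpt in this thread (folding preserved).
SAMPLE_EXIM = ("from localhost ([127.0.0.1])\n"
               "        by vawr.pblnet.local with esmtp (Exim 4.50)\n"
               "        id 1E56bi-00005v-PL")
SAMPLE_NIFTY = ("from makorsha.biz ([218.64.103.25])by mxg509.nifty.com with SMTP id\n"
                " j7GItZAo029596;\n"
                "        Wed, 17 Aug 2005 03:55:36 +0900")


def unfold(value):
    """Collapse folded continuation lines of one header into a single line."""
    return re.sub(r"\s*\n\s*", " ", value.strip())


def parse_received(value):
    """Return helo/ip/by plus a well_formed flag, or None if the shape is unknown."""
    line = unfold(value)
    for pattern, well_formed in ((STRICT, True), (TOLERANT, False)):
        m = pattern.match(line)
        if m:
            return {"helo": m["helo"], "ip": m["ip"], "by": m["by"],
                    "well_formed": well_formed}
    return None  # other shapes (e.g. the fetchmail line) are out of scope here


def dnsbl_query_name(value, accept_malformed=False, zone="dnsbl.example"):
    """Build the reversed-octet query name, skipping malformed lines by default."""
    parsed = parse_received(value)
    if parsed is None or not (parsed["well_formed"] or accept_malformed):
        return None
    return ".".join(reversed(parsed["ip"].split("."))) + "." + zone


if __name__ == "__main__":
    for sample in (SAMPLE_EXIM, SAMPLE_NIFTY):
        print(parse_received(sample), dnsbl_query_name(sample))
```

Keeping the `well_formed` flag separate from the extracted IP lets the caller decide whether a malformed line is a misconfigured MTA to tolerate or a possibly forged header to ignore.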
