If this header line was faked, it would be inappropriate to run DNSBLs on it.
If it was not faked, the receiving MTA at nifty.com is not RFC conformant.

To me it doesn't look faked; see the header excerpt below. Most likely it's just a case of a misconfigured MTA.

Now, whether or not SA should parse malformed Received lines is another question...

Pierre

Received: from localhost ([127.0.0.1]) by vawr.pblnet.local with esmtp (Exim 4.50)
    id 1E56bi-00005v-PL for [EMAIL PROTECTED]; Wed, 17 Aug 2005 03:56:18 +0900
Received: from pop.nifty.com [202.248.238.11] by localhost with POP3 (fetchmail-6.2.5.2)
    for [EMAIL PROTECTED] (single-drop); Wed, 17 Aug 2005 03:56:18 +0900 (JST)
Received: by mbox53.nifty.com id 430236b0494c63; Wed, 17 Aug 2005 03:55:44 +0900
Received: from makorsha.biz ([218.64.103.25])by mxg509.nifty.com with SMTP
    id j7GItZAo029596; Wed, 17 Aug 2005 03:55:36 +0900
To: "Alfonzo Seifert" <[EMAIL PROTECTED]>

-----Original Message-----
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 17, 2005 7:44 AM
To: users@spamassassin.apache.org
Subject: Re: problem of extracting IP string from header (bug?)

> unfortunately the space is required, and appears in the output from the
> MTAs that I'm aware of. It appears that the "nifty.com" mailserver is
> producing unusual headers there.

Justin, this sounds very similar to the (I believe bz) report a few days ago where someone suggested spammers may be doing this deliberately in faked received headers.

Loren
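
Added example (not part of the original thread and not SpamAssassin's own parser): a tolerant Received parser that still recovers the relay IP when the space before "by" is missing, but reports the line as malformed so the caller can decide whether to run DNSBL checks on it. The function names and the "malformed" flag are hypothetical; the sample input is the four Received lines quoted above, unfolded.

```python
import re

# Constructed sample input: the Received values quoted in the message above,
# newest first, each unfolded onto one line.
RECEIVED = [
    "from localhost ([127.0.0.1]) by vawr.pblnet.local with esmtp (Exim 4.50) id 1E56bi-00005v-PL for [EMAIL PROTECTED]; Wed, 17 Aug 2005 03:56:18 +0900",
    "from pop.nifty.com [202.248.238.11] by localhost with POP3 (fetchmail-6.2.5.2) for [EMAIL PROTECTED] (single-drop); Wed, 17 Aug 2005 03:56:18 +0900 (JST)",
    "by mbox53.nifty.com id 430236b0494c63; Wed, 17 Aug 2005 03:55:44 +0900",
    "from makorsha.biz ([218.64.103.25])by mxg509.nifty.com with SMTP id j7GItZAo029596; Wed, 17 Aug 2005 03:55:36 +0900",
]

# "from <helo> <(comment) or [ip]> by <host>". Whitespace between the comment
# and "by" is optional here, so the nifty.com form still parses; the captured
# gap tells us afterwards whether the space was really there.
FROM_BY = re.compile(
    r"^from\s+(?P<helo>[^\s()\[\]]+)\s+"
    r"(?:(?P<extra>\([^)]*\)|\[[^\]]*\])(?P<gap>\s*))?"
    r"by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_relay(received):
    """Parse one Received value; return None if it has no 'from ... by' clause."""
    m = FROM_BY.match(received.strip())
    if not m:
        return None
    ip = IPV4.search(m.group("extra") or "")
    return {
        "helo": m.group("helo"),
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        # True when the comment runs straight into "by" with no separator.
        "malformed": m.group("gap") == "",
    }


def external_relays(lines):
    """List (ip, malformed) per relay, skipping loopback hops.
    Trusted-network handling (e.g. the POP3 fetch hop) is out of scope here."""
    hops = [parse_relay(line) for line in lines]
    return [(h["ip"], h["malformed"]) for h in hops
            if h and h["ip"] and not h["ip"].startswith("127.")]


if __name__ == "__main__":
    for ip, malformed in external_relays(RECEIVED):
        print(ip, "MALFORMED" if malformed else "ok")
```

Keeping the malformed flag separate from the extracted IP leaves the policy question raised in the thread (check the address anyway, or distrust the line) to the caller.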