jdow wrote:
> ===8<---
> Return-Path: <[EMAIL PROTECTED]>
> Received: from smtp.earthlink.net [209.86.93.205]
>     by localhost with POP3 (fetchmail-6.2.5.5)
>     for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39
>     -0800 (PST)
> Received: from amazon.com ([80.33.31.58])
>     by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
>     1fiNda4KB3Nl34g0
>     for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)
> From: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
> To: jdow <[EMAIL PROTECTED]>
> Subject: PLEASE RESPOND ASAP
> X-Priority: 3
> X-MSMail-Priority: Normal
> Reply-To: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
> mime-version: 1.0
> content-type: multipart/mixed;
>     boundary="qzsoft_directmail_seperator"
> Message-Id: <[EMAIL PROTECTED]>
> Date: Mon, 13 Mar 2006 08:35:48 -0500 (EST)
> X-ELNK-AV: 0
> X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
> X-Spam-Virus: No
> ===8<---
>
> Now, just why a FORGED amazon.com Received header should cause this set of
> rule hits I don't know:

From the looks of it, earthlink is claiming that 80.33.31.58 RDNS'ed as amazon.com. So apparently this guy managed to forge his RDNS, or earthlink's header format is weird.

This:

    from amazon.com ([80.33.31.58])

Matches the typical behavior of postgress when the RDNS matches the HELO. I'm not sure if Earthlink's server does the same.

This does also outline the reason why whitelist_from_spf is better than whitelist_from_rcvd. Forging RDNS is difficult, but if your ISP gives you sub-delegation of your RDNS then you can change it to be whatever you want.
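
An added example, not part of the original message or of SpamAssassin: a small parser that separates the HELO string, the recorded rDNS name and the IP in a Received "from" clause, so a whitelist check can tell which of them actually matched a domain. The two header layouts it accepts are assumptions about common MTA formatting, not Earthlink's confirmed format, and the function names and sample headers other than the quoted one are constructed.

```python
import re

# Assumed Received layouts (an assumption, not confirmed for Earthlink's server):
#   from <HELO> (<rDNS> [<IP>])   relay recorded a PTR name for the client
#   from <HELO> ([<IP>])          only the client address was recorded
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

# Taken from the quoted message above.
PAGE_HEADER = "Received: from amazon.com ([80.33.31.58])"
# Constructed samples using documentation addresses and names.
SAMPLE_RDNS = "Received: from mail.example.org (mx1.example.org [192.0.2.10])"
SAMPLE_UNKNOWN = "Received: from amazon.com (unknown [192.0.2.20])"


def parse_received_from(header):
    """Return helo, rdns (None if absent) and ip from a Received 'from' clause."""
    m = RECEIVED_FROM.search(header)
    if m is None:
        return None
    rdns = m.group("rdns")
    if rdns is not None and rdns.lower() == "unknown":  # placeholder, no PTR
        rdns = None
    return {"helo": m.group("helo"), "rdns": rdns, "ip": m.group("ip")}


def rdns_evidence(header, domain):
    """Say which field, if any, ties the connecting client to `domain`."""
    info = parse_received_from(header)
    if info is None:
        return "unparsed"

    def in_domain(name):
        name = name.lower().rstrip(".")
        return name == domain or name.endswith("." + domain)

    if info["rdns"] and in_domain(info["rdns"]):
        # Looked up by the relay, but still chosen by whoever runs the PTR zone.
        return "rdns-recorded"
    if in_domain(info["helo"]):
        # Client-supplied string; nothing in the header backs it up.
        return "helo-only"
    return "no-match"


if __name__ == "__main__":
    for h, d in ((PAGE_HEADER, "amazon.com"), (SAMPLE_RDNS, "example.org")):
        print(h, "->", rdns_evidence(h, d))
```

Under these assumed layouts the quoted header yields `helo-only`, and even an `rdns-recorded` result rests on a name set by whoever controls the PTR zone for that address.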