Hi,

On Tue, Feb 26, 2008 at 15:56 +0000, Justin Mason wrote:
> The fix would be to implement support for IPv6 trust paths:
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4503
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4964

Ok, so you're telling me that not only is this bug known, but it went unfixed for over a year?

I must admit that I don't know much of SA's internals or how hard it is to fix this "the correct way". However a bug like that should have been fixed -- or at least worked around by now. A simple workaround would be to hardcode a fake IP (like "0.0.0.0") for IPv6.

But the bigger problem remains, and it is not the IPv6 stuff. The main problem here is that if the first Received header is (for whatever reason) unparsable, all the other (spammer-controlled) headers are trusted if they have an "auth" part. I would say the default here is definitely the wrong way round.

But then, I'm only a stupid user and who cares about those %)

CU,
    Sec
--
Not a perfect solution, but far cheaper than one.
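The fail-open default criticised in the message above, next to a fail-closed alternative, as an added example that is not part of the original message and is not SpamAssassin's code: a simplified trust-path walk over constructed Received headers. The IPv4-only toy parser, the `trusted_hops` helper, the trusted network and all header values are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample headers, newest first. The top one was added by the
# local MX for an IPv6 peer; the second is sender-supplied and claims auth.
HEADERS = [
    "from mail.example.net ([2001:db8::25]) by mx.example.org with ESMTP",
    "from forged.example.com ([198.51.100.7]) by relay.example.net with ESMTPA",
]
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local relays

# Toy parser that only understands IPv4 literals, standing in for a parser
# without IPv6 support. Returns None when the header cannot be parsed.
RECEIVED_RE = re.compile(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\) by \S+ with (\S+)")

def parse_received(header):
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    # ESMTPA / ESMTPSA mark an authenticated session (RFC 3848).
    return {"ip": ip, "auth": m.group(2).upper() in ("ESMTPA", "ESMTPSA")}

def trusted_hops(headers, fail_closed):
    """Return the parsed hops that end up inside the trust boundary."""
    trusted = []
    for header in headers:
        hop = parse_received(header)
        if hop is None:
            if fail_closed:
                break      # unknown hop: nothing below it can be vouched for
            continue       # fail-open: skip it and keep extending trust
        in_net = any(hop["ip"] in net for net in TRUSTED_NETS)
        if not (in_net or hop["auth"]):
            break          # first untrusted hop ends the trust path
        trusted.append(hop)
    return trusted
```

With `fail_closed=False` the sender-supplied hop that merely claims authentication lands inside the trust boundary; with `fail_closed=True` the unparsable first header ends the walk and nothing below it is trusted.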