On 21 Nov 2016, at 17:54, Pedro David Marco wrote:
> Hi,
> I have spam emails with a Received line like this:
>
> Received: by 9-30-239-23.uocdn.net (Postfix) with ESMTPSA id 693A0C56B
> with (unknown [158.69.130.12]) ; Sun, 20 Nov 2016 21:06:55 -0300
>
> There is no parsing Perl code for lines like this in the Received.pm
> module, so the relay 158.69.130.12 is never checked.
> Is this normal?

Yes. Why would anyone want SA to attempt to parse an intentionally
deceptive Received header?
Unadulterated Postfix does not now generate (and never has generated)
Received headers like that. The queue id is too short and the header
would start with 'from' not 'by' if it was actually Postfix generating
it as claimed. That looks like some moron spammer tried to weld together
the 2-part mutant qmail Received format and label it as Postfix for
obfuscation. I don't know why some spammers do this sort of lame
Received fakery, since it fingerprints their mail as spam, but it has
been a fairly common practice for a long time.
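
The two tells named in the reply above can be checked mechanically. The sketch below is an added example, not part of the thread and not SpamAssassin code: the function name `check_received`, the second sample header and the queue-id length threshold are assumptions made for illustration (the reply gives no figure for "too short").

```python
import re

# The header quoted in the thread, folded onto two lines.
SUSPECT = (
    "Received: by 9-30-239-23.uocdn.net (Postfix) with ESMTPSA id 693A0C56B\n"
    " with (unknown [158.69.130.12]) ; Sun, 20 Nov 2016 21:06:55 -0300"
)
# Constructed for contrast; hostnames and addresses are placeholders.
ORDINARY = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.example.net (Postfix) with ESMTPS id 4A1B2C3D4E5F\n"
    "\tfor <user@example.net>; Mon, 21 Nov 2016 10:00:00 +0000"
)

MIN_QUEUE_ID_LEN = 10  # assumed threshold, tune against your own Postfix logs


def check_received(raw, min_queue_id_len=MIN_QUEUE_ID_LEN):
    """Return (findings, bracketed_ips) for one raw Received header."""
    # Unfold: a line break followed by whitespace continues the header.
    value = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    value = re.sub(r"^Received:\s*", "", value, flags=re.I)
    findings = []
    # Only headers that claim to come from Postfix are judged here.
    if re.search(r"\(Postfix\b", value):
        first = value.split(None, 1)[0].lower()
        if first != "from":
            findings.append("claims Postfix but starts with %r, not 'from'" % first)
        m = re.search(r"\bid\s+([0-9A-Za-z]+)", value)
        if m and len(m.group(1)) < min_queue_id_len:
            findings.append("queue id %r is shorter than %d characters"
                            % (m.group(1), min_queue_id_len))
    # Bracketed IPv4 literals, kept so the address can still be logged.
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    return findings, ips


if __name__ == "__main__":
    for name, header in (("suspect", SUSPECT), ("ordinary", ORDINARY)):
        findings, ips = check_received(header)
        print(name, ips, findings or "no findings")
```
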