On Tue, Dec 10, 2002 at 10:14:02AM -0500, Vivek Khera wrote:
> As to determining if it is really ebay, well, that's a really good
> question. I guess if the last received header prior to your mail
> server's header is ebay, it would be a good hint.

Excellent suggestion. This begs a few additional questions:

    Received: from mxpool07.ebay.com ([66.135.197.13] helo=mx14.sjc.ebay.com) by intrepid.marinar.com ...

When checking these 'Received:' headers, should one perform a comparison by hostname or IP? ARIN reports that the IP is in fact registered to Ebay, so the chances of it changing appear slim. It certainly is not a good idea to base the tests on the EHLO command, and having tests check the actual hostname is only valid as long as a PTR record exists. I think it would be safe to test for '*.ebay.com'.

The best place to implement this (SA or Exim) is up as an exercise for me, but in SA the test would look something like this (btw, I know nothing about SA filters yet):

    /^Received: from .*\.ebay\.com .* by intrepid\.marinar\.com/

But I imagine this could be bypassed with the right forged header. The only way to lessen the possibility of forgery would be to check the order of headers. I will explore the docs further and hopefully can come up with something.

Thanks to everyone involved in this thread,

hank
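
The header-order check discussed in this message, as an added example (not code from the original post, SpamAssassin or Exim): only the topmost Received header is examined, and only if the local MX wrote it, so a Received line forged lower in the message is ignored. The function names, the sample messages and the assumption that the name after "from" is the reverse-DNS name the local MTA looked up itself are illustrative.

```python
import email
import re

OUR_MX = "intrepid.marinar.com"  # receiving host named in the message above

# The pattern from the post, tried against every Received header in the message.
NAIVE = re.compile(r"^Received: from .*\.ebay\.com .* by intrepid\.marinar\.com")
# Assumed Exim-style hop layout: from <rdns> ([<ip>] helo=<helo>) by <host> ...
# Assumption: <rdns> is the name our own MTA resolved, not what the client claimed.
HOP = re.compile(r"^from (?P<rdns>\S+) \(\[(?P<ip>[0-9a-fA-F.:]+)\]"
                 r"(?: helo=(?P<helo>[^)\s]+))?\) by (?P<by>\S+)")

def received_headers(raw):
    """Received values, top (newest) first, with folded whitespace collapsed."""
    msg = email.message_from_string(raw)
    return [" ".join(v.split()) for v in (msg.get_all("Received") or [])]

def naive_match(raw):
    """True if any Received header, trusted or not, matches the post's regex."""
    return any(NAIVE.match("Received: " + h) for h in received_headers(raw))

def trusted_hop(raw, our_mx=OUR_MX):
    """Parse only the topmost Received header, and only if our own MX wrote it."""
    hops = received_headers(raw)
    m = HOP.match(hops[0]) if hops else None
    if not m or m.group("by").lower() != our_mx:
        return None  # fail closed: unknown layout or not stamped by us
    return m.groupdict()

def handed_over_by(raw, domain="ebay.com"):
    """True if the host that connected to our MX has a name under `domain`."""
    hop = trusted_hop(raw)
    if hop is None:
        return False
    rdns = hop["rdns"].lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)

# Constructed samples; 192.0.2.10 and example.net are documentation values.
GENUINE = ("Received: from mxpool07.ebay.com ([66.135.197.13] helo=mx14.sjc.ebay.com)\n"
           "\tby intrepid.marinar.com with esmtp id SAMPLE-1\n"
           "Subject: genuine sample\n\nbody\n")
FORGED = ("Received: from mail.example.net ([192.0.2.10] helo=mail.example.net)\n"
          "\tby intrepid.marinar.com with esmtp id SAMPLE-2\n"
          "Received: from mxpool07.ebay.com ([66.135.197.13] helo=mx14.sjc.ebay.com)\n"
          "\tby intrepid.marinar.com with esmtp id SAMPLE-3\n"
          "Subject: forged sample\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, "naive:", naive_match(raw), "top-hop:", handed_over_by(raw))
```

A hop that the local MTA logged without a reverse-DNS name does not match the assumed layout and is treated as untrusted.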