At Thu Sep 18 15:03:43 2003, Chris Santerre wrote:
>
> I believe it was too big for SA to scan. But if it did, there are some spam
> signs below.
> ...
> > Received: from [66.254.7.10] by 209.83.8.50 with ESMTP id
>
> I always wondered why SA didn't have an eval to see that the IPs didn't
> match.

This is possible on a system which has multiple interfaces. I saw one
of these in a legitimate mail I received yesterday:

Received: from 10.32.0.3 (actually host 212.219.57.40) by xxxx.xxxx.ac.uk
          with SMTP-SLOPPY with ESMTP; Thu, 18 Sep 2003 14:13:21 +0100

> We humans can see the obvious header pattern of this spam. But telling SA to
> see it is another thing.
>
> > <247056-92322>; Thu, 18 Sep 2003 17:31:45 -0200
> > Message-ID: <[EMAIL PROTECTED]>
>
> I believe that this message-id is incorrect for Outlook express.
> It should contain more than it does. Correct?

Yep.

...
> > X-OriginalArrivalTime: 18 Sep 2003 05:40:43.0603 (UTC)
> > FILETIME=[66E88230:01C37DA7]
>
> Is FILETIME a legit header or utter BS?

The original would have looked like this:

X-OriginalArrivalTime: 18 Sep 2003 05:40:43.0603 (UTC) FILETIME=[66E88230:01C37DA7]

and has been wrapped.

(FILETIME is a 64-bit counter starting from the Windows NT "epoch",
which is midnight UTC 1 Jan 1601. The count is in 100ns intervals.
One of its uses in Windows is for storing creation/modification times
in the NTFS filesystem.)

Martin
--
Martin Radford              |   "Only wimps use tape backup: _real_
[EMAIL PROTECTED]           | men just upload their important stuff  -o)
Registered Linux user #9257 |  on ftp and let the rest of the world  /\\
- see http://counter.li.org |       mirror it ;)"  - Linus Torvalds  _\_V
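
Added example, not part of the message above and not SpamAssassin code: a Python check that decodes the FILETIME value from X-OriginalArrivalTime, using the epoch and 100ns interval described in the reply, and compares it with the timestamp printed in the same header. It assumes the bracketed value is the low and high 32-bit halves in hex and that the four-digit fraction is milliseconds (both agree with the header quoted in the thread); the function names and the second, altered sample are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks from midnight UTC, 1 Jan 1601.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

HEADER_RE = re.compile(
    r"^X-OriginalArrivalTime:\s*"
    r"(?P<text>\d{1,2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2})\.(?P<ms>\d+)"
    r"\s+\(UTC\)\s+"
    r"FILETIME=\[(?P<low>[0-9A-Fa-f]{8}):(?P<high>[0-9A-Fa-f]{8})\]\s*$"
)

# Header value from the thread, folded the way a transport might wrap it.
SAMPLE = ("X-OriginalArrivalTime: 18 Sep 2003 05:40:43.0603 (UTC)\r\n"
          " FILETIME=[66E88230:01C37DA7]")
# Constructed: same FILETIME, but the printed date has been altered.
ALTERED = ("X-OriginalArrivalTime: 19 Sep 2003 05:40:43.0603 (UTC) "
           "FILETIME=[66E88230:01C37DA7]")


def unfold(raw):
    """Undo header folding: a line break followed by whitespace is one space."""
    return re.sub(r"\r?\n[ \t]+", " ", raw.strip())


def filetime_to_datetime(low_hex, high_hex):
    """Combine the two 32-bit halves and convert the tick count to UTC."""
    ticks = (int(high_hex, 16) << 32) | int(low_hex, 16)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def check_arrival_time(raw_header, tolerance=timedelta(seconds=1)):
    """Return (printed_time, filetime_time, consistent), or None if malformed."""
    m = HEADER_RE.match(unfold(raw_header))
    if m is None:
        return None
    printed = datetime.strptime(m["text"], "%d %b %Y %H:%M:%S")
    printed = printed.replace(tzinfo=timezone.utc)
    printed += timedelta(milliseconds=int(m["ms"]))
    decoded = filetime_to_datetime(m["low"], m["high"])
    return printed, decoded, abs(printed - decoded) <= tolerance


if __name__ == "__main__":
    for name, hdr in (("sample", SAMPLE), ("altered", ALTERED)):
        printed, decoded, ok = check_arrival_time(hdr)
        print(name, printed.isoformat(), decoded.isoformat(),
              "consistent" if ok else "MISMATCH")
```

For the header quoted in the thread, the decoded FILETIME matches the printed time to the millisecond.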