Tony Finch wrote:
sure

Received: from bay22-dav1.bay22.hotmail.com[64.4.16.181]:30781 (EHLO
hotmail.com) by mailgateway.sitc.dk ([195.231.241.98]:25) (F-Secure
Anti-Virus for Internet Mail 6.41.149 Release) with SMTP; Wed, 19 Jan
2005 19:41:14 -0000

The order and spacing of the items after the from keyword is wrong. The
specification for Received: lines is in RFC 2821. A correctly formatted
line would be something like
Received: from bay22-dav1.bay22.hotmail.com.[64.4.16.181].#30781 (EHLO ...)
would be the correct writing according to RFC 821, but that wouldn't help parsers nor a person reading the headers :)
Anyway, there are a lot of malformed Received headers out there. One can't just drop the messages since Received headers were initially designed for debugging.
Moreover, the doc says that HELO_DYNAMIC_IPADDR means that a "relay helo'd using a suspicious hostname", which is clearly not the case here as can be seen from the "(EHLO hotmail.com)".
Would it be easy to detect "simple" cases of explicit helo such as this one (i.e. the case when we have "(helo foo)" as first or second comment in the from params), as well as the cases of "(.... helo foo)" and "(... helo=foo ...)", and, when detected, consider that the param of "from" is not the heloname but some hostname as viewed by the gateway that added the header (generally an rdns hostname, but it can be ignored if it's in some special form)?
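The detection asked about in the last paragraph, sketched in Python as an added example (it is not the filter's own parser and not code from this thread). The function name, the result keys and the regular expressions are assumptions made here; the sample is the header quoted above, unfolded onto one line.

```python
import re

# Constructed sample: the header quoted in the message, unfolded.
SAMPLE = ("Received: from bay22-dav1.bay22.hotmail.com[64.4.16.181]:30781 "
          "(EHLO hotmail.com) by mailgateway.sitc.dk ([195.231.241.98]:25) "
          "(F-Secure Anti-Virus for Internet Mail 6.41.149 Release) with SMTP; "
          "Wed, 19 Jan 2005 19:41:14 -0000")

FROM_RE = re.compile(r"\s*from\s+(.*?)(?=\s+by\s|\s*;|$)", re.I | re.S)
COMMENT_RE = re.compile(r"\(([^()]*)\)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "helo foo", "ehlo foo" or "helo=foo" as a separate word inside a comment;
# a hostname such as "helo.example.com" does not match.
HELO_RE = re.compile(r"(?:^|\s)(?:helo|ehlo)(?:=|\s+)([^\s;,=]+)", re.I)


def parse_from_clause(received):
    """Split the from clause of one unfolded Received value (hypothetical helper).

    Returns None when there is no from clause. Otherwise returns a dict in
    which 'explicit' says whether a comment announced the HELO name; if it
    did, the token after 'from' is reported as 'from_name' (the gateway's
    view of the peer, typically rDNS) and is not treated as the HELO name.
    """
    body = re.sub(r"^\s*Received:\s*", "", received, flags=re.I)
    m = FROM_RE.match(body)
    if not m:
        return None
    clause = m.group(1)
    tok = re.match(r"[^\s(\[]+", clause)
    token = tok.group(0).rstrip(".") if tok else None
    ip = IP_RE.search(clause)
    result = {"helo": token, "from_name": None,
              "ip": ip.group(1) if ip else None, "explicit": False}
    # Only the first or second comment is trusted, as the message proposes.
    for comment in COMMENT_RE.findall(clause)[:2]:
        h = HELO_RE.search(comment)
        if h:
            result.update(helo=h.group(1), from_name=token, explicit=True)
            break
    return result


if __name__ == "__main__":
    print(parse_from_clause(SAMPLE))
```

With the quoted header, a HELO-based rule would then be evaluated against `hotmail.com` and not against the `bay22-dav1...` name written after `from`.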