>...
>
><snip>
>
>What's up with all those "Delivered-To:" headers being inserted between
>Received: headers.
>
>I suspect those are confusing SA.
>
>Really the best way to tell exactly what's up is to save one of those messages
>that false-hit ALL_TRUSTED and run it through spamassassin -D.
>
>The debug out will, among other things, tell you exactly how SA parsed each
>Received: header, and if it thinks the hosts in it are trusted or not.
>
>
>> Received: from unknown (HELO 207.96.139.179) (unknown)
>>   by unknown with SMTP; 9 Dec 2005 23:37:06 -0000
>
>That's a pretty scary Received: line. At least two of those unknown's should be
>known. At absolute minimum the "by" clause should be known... eek.
>

You've obviously never seen what kind of mess an "out-of-the-box" qmail can
do to *destroy* mail headers:

Received: from unknown (HELO lh) (unknown)
  by unknown with SMTP; 4 Dec 2005 04:01:40 -0000
...
Received: from unknown (HELO 64.125.72.2) (unknown)
  by unknown with SMTP; 4 Dec 2005 04:22:55 -0000
...
Received: from unknown (HELO billgates) (unknown)
  by unknown with SMTP; 10 Dec 2005 14:24:28 -0000
...
Received: from unknown (HELO emailserver.day-ketterer.com) (unknown)
  by unknown with SMTP; 10 Dec 2005 10:33:02 -0000
...

Of course the only data actually recorded is the *forged* helo:/

These come from someone who I let forward mail to me, which unfortunately
passes through a qmail server. Certainly can make tracking things difficult!
If someone would like, I have many thousands of these in a saved and archived
mailbox (100% spam - a spam "feed") - just ask off-list.

Paul Shupak
[EMAIL PROTECTED]
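
An added example, not part of the original post and not SpamAssassin's own parsing: a small Python check that splits qmail-style Received: values like the ones quoted above and reports which receiver-recorded fields survive, as opposed to the HELO string, which the client supplies and which is not verified. The field layout is assumed from the samples in the post; the function names, the "traceable" rule and the last sample line are constructed for illustration.

```python
import ipaddress
import re

# Layout assumed from the samples in the post:
#   from <rdns> (HELO <helo>) (<remote>) by <host> with <proto>; <date>
QMAIL_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<remote>[^)]+)\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>[^;\s]+);\s*(?P<date>.+)$"
)

def parse_received(value):
    """Unfold one Received: value and return its fields, or None if no match."""
    m = QMAIL_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None

def helo_kind(helo):
    """Classify the client-supplied HELO string; none of these is verified."""
    try:
        ipaddress.ip_address(helo)
        return "ip-literal"
    except ValueError:
        return "fqdn-like" if "." in helo else "bare-word"

def assess(value):
    """Report which receiver-recorded fields survive in this hop."""
    f = parse_received(value)
    if f is None:
        return {"parsed": False}
    recorded = [k for k in ("rdns", "remote", "by") if f[k].lower() != "unknown"]
    return {
        "parsed": True,
        "helo": f["helo"],
        "helo_kind": helo_kind(f["helo"]),
        "recorded": recorded,
        # Simplified rule (assumption): a hop is traceable only when the
        # receiver logged both the connecting address and its own name.
        "traceable": "remote" in recorded and "by" in recorded,
    }

SAMPLES = [  # first four are quoted from the post; the last is constructed
    "from unknown (HELO lh) (unknown)\n  by unknown with SMTP; 4 Dec 2005 04:01:40 -0000",
    "from unknown (HELO 64.125.72.2) (unknown) by unknown with SMTP; 4 Dec 2005 04:22:55 -0000",
    "from unknown (HELO billgates) (unknown) by unknown with SMTP; 10 Dec 2005 14:24:28 -0000",
    "from unknown (HELO emailserver.day-ketterer.com) (unknown) by unknown with SMTP; 10 Dec 2005 10:33:02 -0000",
    "from unknown (HELO mail.example.net) (192.0.2.10) by mx.example.org with SMTP; 10 Dec 2005 10:33:02 -0000",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

For the four headers from the post, "recorded" comes back empty: the HELO value is the only content in the hop, so nothing in it identifies the connecting host or the receiving server.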