>> Hello Wolfgang!
>>
>> You forgot to cc your posting to the list.
>>
>> [EMAIL PROTECTED] wrote:
>> > Hi,
>> >
>> > common cases that SA recognizes declare auth in the received headers, i.e. per hop
>> > (received ... with ESMPTA)
>> > Whether X-Authenticated (or any other separate header) would be useful at all depends
>> > on whether they remove it from incoming mails. I have sent you a test message
>> > to your gmx account
>> >
>> > Wolfgang
>>
>> Your message still contained the X-Authenticated header upon arriving at
>> my machine, although at a different location than it would for mails
>> received from mail.gmx.net. So X-Authenticated is far from reliable.
>>
>> ESMTPA (I guess that's what you meant?) sounds easy enough to implement
>> if you want to, so I'll try to contact GMX and ask them to change their
>> Received header if possible.
>>
>> Thanks for your help,
>> Martin
Hi,

when using per-hop auth info from the received headers (ESMTPA is just one way to spell it; some other mailers use different patterns), a recipient can analyze the mail like: it was sent from a dynamic ip but authenticated, so the server that sent on the mail does consider the sender a valid customer. Next, one (or SA) would check that server - and it does, of course, have a static ip, rDNS, and looks ok.

If someone were to send spam right from a dynamic ip to the recipient server, but adding a few fake received lines at the beginning, an auth'd connection would still cause SA to start looking at the next "server" - which in that case is the spam sender with a dynamic ip.

In contrast, the X-authenticated line is just a promise, added by one - unidentified - party in the chain, that the mail got authenticated. As you have seen, even the initial sender can add it. It is informative but not at all valuable.

Yes, it would be nice for GMX to add some standard tokens to the received lines indicating that the mail was received via authenticated smtp (from a mail client) or via http (from webmail).

Wolfgang
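
The per-hop reasoning in the reply above, as an added example that is not part of the original thread and is not SpamAssassin's own code: each Received hop is judged on the protocol token written by the server that accepted it, and X-Authenticated is never consulted. Assumptions: the 198.51.100.0/24 "dynamic pool", all host names and both sample messages are constructed, and only the ESMTPA/ESMTPSA tokens are recognized (other mailers' patterns are not handled).

```python
import email
import ipaddress
import re

# Constructed assumptions: a stand-in "dynamic pool" and the SMTP AUTH tokens.
DYNAMIC_NET = ipaddress.ip_network("198.51.100.0/24")
AUTH_PROTOS = {"ESMTPA", "ESMTPSA"}
HOP_RE = re.compile(r"from\s+\S+\s+\([^()\[\]]*\[(?P<ip>[0-9.]+)\]\)\s+by\s+"
                    r"(?P<by>\S+)(?:.*?\bwith\s+(?P<proto>[A-Za-z]+))?", re.S)

def hops(raw):
    """Received hops, newest first, as (peer_ip, by_host, protocol)."""
    found = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            found.append((m["ip"], m["by"], (m["proto"] or "").upper()))
    return found

def unexcused_dynamic_hops(raw):
    """Dynamic-IP peers that the receiving server did not authenticate.
    X-Authenticated is never read: any party, including the sender, can add it."""
    return [(ip, by) for ip, by, proto in hops(raw)
            if ipaddress.ip_address(ip) in DYNAMIC_NET and proto not in AUTH_PROTOS]

# Constructed sample: customer on a dynamic IP authenticates to a static relay.
LEGIT = """\
Received: from mail.relay.example (mail.relay.example [203.0.113.10])
 by mx.example.org (Postfix) with ESMTP id A1; Mon, 1 Jan 2007 10:00:02 +0000
Received: from laptop (dyn-23.isp.example [198.51.100.23])
 by mail.relay.example (Postfix) with ESMTPA id B2; Mon, 1 Jan 2007 10:00:01 +0000
Subject: hello

body
"""

# Constructed sample: dynamic IP delivers directly, with a fake hop and header.
FORGED = """\
Received: from mail.relay.example (dyn-77.isp.example [198.51.100.77])
 by mx.example.org (Postfix) with ESMTP id C3; Mon, 1 Jan 2007 11:00:02 +0000
Received: from laptop (dyn-23.isp.example [198.51.100.23])
 by mail.relay.example (Postfix) with ESMTPA id B2; Mon, 1 Jan 2007 11:00:01 +0000
X-Authenticated: yes
Subject: hello

body
"""

if __name__ == "__main__":
    print(unexcused_dynamic_hops(LEGIT))
    print(unexcused_dynamic_hops(FORGED))
```

The forged lower hop and the X-Authenticated header cannot change the result for the second message, because the hop that gets flagged is the one recorded by the recipient's own server.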