On Tue, 22 Nov 2016 12:18:14 -0500 Bill Cole wrote:

> On 22 Nov 2016, at 0:48, Pedro David Marco wrote:
>
> > Thanks Bill,
> >> . I don't know why some spammers do this sort of lame
> >> Received fakery, since it fingerprints their mail as spam, but it
> >> has been a fairly common practice for a long time.
> > But SA did not trigger any rule about the forgery...
>
> I'm surprised that it didn't trigger UNPARSEABLE_RELAY, but it is
> hard to know why based on one isolated header.

SA ignores headers like this:

Received: by 10.28.48.15 with SMTP id w15csp2319529wmw;
        Tue, 22 Nov 2016 11:10:36 -0800 (PST)

because they don't affect anything. For a received header to count as
unparseable it has to have a "from".

> > and debug mode does not show any message about unparseable lines.
> > It seems just ignored, so the relay remains unchecked in RBLS.
>
> As it should. Untrusted relays are untrusted. There's no reason to
> believe ANYTHING in that header. The string in it that looks like an
> IP address might as well be 234.567.891.0.

It's fine to use untrusted IP addresses in positive scoring rules.
There's just not much advantage in trying to extract IP addresses from
all the possible variants of forged header.
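
The distinction described in this message, as an added sketch that is not part of the original thread and is not SpamAssassin's code: a Received header with no "from" clause is ignored, and only one that has a "from" can count as unparseable. The regexes, the status names, the sample hostnames, and the choice to treat an out-of-range address as unparseable are assumptions of this sketch.

```python
import ipaddress
import re

# Simplified patterns (assumptions of this sketch, far narrower than a real parser).
FROM_RE = re.compile(r"^from\s+(?P<helo>\S+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)


def classify_received(value):
    """Classify the value of one Received header.

    Returns (status, relay):
      'ignored'     - no "from" clause, so the header describes no relay hop
      'unparseable' - has a "from" clause but no usable relay IP or "by" host
      'parsed'      - relay is a dict with helo, ip and by
    """
    value = " ".join(value.split())  # unfold continuation lines
    from_match = FROM_RE.match(value)
    if not from_match:
        return "ignored", None
    ip_match = IP_RE.search(value)
    by_match = BY_RE.search(value)
    if not ip_match or not by_match:
        return "unparseable", None
    try:
        # Rejects strings that only look like an address, e.g. 234.567.891.0
        ip = ipaddress.ip_address(ip_match.group("ip"))
    except ValueError:
        return "unparseable", None
    relay = {"helo": from_match.group("helo"), "ip": str(ip),
             "by": by_match.group("by")}
    return "parsed", relay


if __name__ == "__main__":
    samples = [
        # Header quoted in the message above
        "by 10.28.48.15 with SMTP id w15csp2319529wmw;\n"
        "        Tue, 22 Nov 2016 11:10:36 -0800 (PST)",
        # Constructed samples (hostnames and ids are made up)
        "from mail.example.org (mail.example.org [192.0.2.25]) by "
        "mx.example.net with ESMTP id abc123; Tue, 22 Nov 2016 11:10:30 -0800",
        "from forged.example ([234.567.891.0]) by mx.example.net with SMTP; "
        "Tue, 22 Nov 2016 11:10:20 -0800",
    ]
    for sample in samples:
        print(classify_received(sample))
```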