[Mimedefang] Received header and SA (was: Blacklist vs Access_db)
Nels Lindquist
nlindq at maei.ca
Thu Dec 12 12:40:00 EST 2002
On 12 Dec 2002 at 9:20, Nels Lindquist wrote:
> The last Received line, on the other hand, can be quite useful. Even
> if you don't do any DNS blackhole checking (which I do), a bunch of
> date-shift checks and similar will utilize it.
This may be more significant than I realized.
From a recent discussion on SpamAssassin involving the
spamarchive.org corpuses, which apparently have *all* headers
stripped:
On 30 Nov 2002 at 22:07, Daniel Quinlan wrote:
> 2. There are many local Received: header tests and the GA is tuned to
> run with them working. Without the local Received: tests working,
> the GA is completely mistuned.
>
> All of these tests use Received: headers:
>
> FAKED_IP_IN_RCVD FORGED_EUDORAMAIL_RCVD FORGED_GW05_RCVD
> FORGED_HOTMAIL_RCVD FORGED_JUNO_RCVD FORGED_MX_HOTMAIL
> FORGED_RCVD_TRAIL FORGED_TELESP_RCVD FORGED_YAHOO_RCVD
> GENUINE_EBAY_RCVD MDAEMON_2_7_4 POST_IN_RCVD RATWARE_EMWAC
> RCVD_BY_QVES_COM RCVD_FAKE_HELO_DOTCOM RECEIVED_IDENT_SQUID
> ROUND_THE_WORLD ROUND_THE_WORLD_LOCAL SHORT_RECEIVED_LINE
> SMTPD_IN_RCVD T_IDENT_CACHEFLOW T_IDENT_NOBODY VAR_REF_IN_RECEIVED
> YAHOO_MSGID_ADDED __EVITE_RCVD __RCVD_BY_HOTMAIL
>
> And that's not counting the many eval: tests that use Received:
> internally: date difference tests, MTA tests, forged Received: header
> tests, HELO tests, the round the world test, message-id timestamp
> tests, etc.
The effect in MD/SA is somewhat mitigated due to the fact that
it's only the *last* Received header which is typically absent when
SA is called--and we know it'll be legit. Still, I ran into a few
false negatives before I made my changes that were due to its
absence.
----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
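The gap the message describes (the local MTA's own Received: line is not yet on the message when MIMEDefang hands it to SpamAssassin, so a date-difference check sees only the upstream trace, which a sender can forge) as an added example, not code from this post, from MIMEDefang or from SpamAssassin. It synthesizes the missing topmost Received: from the connection facts a milter has at filter time and runs a simple date-shift check before and after. The sample message, hostnames, addresses, timestamps and the exact header layout are constructed assumptions; in a real mimedefang-filter the relay and HELO values would come from the filter's own connection variables.

```python
import email
from email.utils import parsedate_to_datetime, format_datetime
from datetime import datetime, timezone, timedelta

# Constructed sample: what the filter sees before the local MTA has added
# its own Received: line.  The upstream hop's timestamp was forged to agree
# with the Date: header, so nothing in the message itself reveals that it
# claims to be a week old.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby relay.example.org with ESMTP id abc123;\n"
    "\tThu, 5 Dec 2002 12:41:00 -0500\n"
    "Date: Thu, 5 Dec 2002 12:40:00 -0500\n"
    "From: sender@example.net\n"
    "To: user@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Connection facts known at filter time (constructed values; a real filter
# would take these from its relay address / relay hostname / HELO variables).
RELAY_IP = "192.0.2.10"
RELAY_HOST = "mx.example.net"
HELO = "mx.example.net"
LOCAL_HOST = "mail.example.com"
RECIPIENT = "user@example.com"
NOW = datetime(2002, 12, 12, 12, 40, 0, tzinfo=timezone(timedelta(hours=-5)))


def synth_received(relay_ip, relay_host, helo, local_host, recipient, when):
    """Build the Received: line the local MTA would have written for this hop.

    The layout follows the RFC 2821 trace-field shape (from/by/for/date);
    it approximates a sendmail-style header and is not copied from any MTA.
    """
    return (
        f"Received: from {helo} ({relay_host} [{relay_ip}])\n"
        f"\tby {local_host} with ESMTP\n"
        f"\tfor <{recipient}>; {format_datetime(when)}"
    )


def prepend_received(raw, received_line):
    """Put the synthesized Received: on top, where the MTA's own would go."""
    return received_line + "\n" + raw


def date_shift_hours(raw):
    """Hours between the Date: header and the topmost Received: timestamp.

    Negative means the message claims to be older than the time it was
    received.  Returns None when the message carries no Received: at all.
    """
    msg = email.message_from_string(raw)
    rcvd = msg.get_all("Received")
    if not rcvd:
        return None
    # The timestamp is everything after the last ';' in the trace field.
    stamp = rcvd[0].rsplit(";", 1)[-1].strip()
    delta = parsedate_to_datetime(msg["Date"]) - parsedate_to_datetime(stamp)
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    print("shift without local Received:", date_shift_hours(SAMPLE))
    fixed = prepend_received(
        SAMPLE,
        synth_received(RELAY_IP, RELAY_HOST, HELO, LOCAL_HOST, RECIPIENT, NOW),
    )
    print("shift with local Received:   ", date_shift_hours(fixed))
```

Run as-is, the check on the bare message reports a shift of about a minute (the forged upstream stamp agrees with Date:), which is the false negative the post mentions; once the local hop's Received: is prepended with the real connection time, the same check reports a shift of a full week.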