[Mimedefang] Received header and SA (was: Blacklist vs Access_db)

Nels Lindquist nlindq at maei.ca
Thu Dec 12 12:40:00 EST 2002


On 12 Dec 2002 at 9:20, Nels Lindquist wrote:

> The last Received line, on the other hand, can be quite useful.  Even 
> if you don't do any DNS blackhole checking (which I do), a bunch of 
> date-shift checks and similar will utilize it.

This may be more significant than I realized.

From a recent discussion on SpamAssassin involving the 
spamarchive.org corpuses, which apparently have *all* headers 
stripped:

On 30 Nov 2002 at 22:07, Daniel Quinlan wrote:

> 2. There are many local Received: header tests and the GA is tuned to
>    run with them working.  Without the local Received: tests working,
>    the GA is completely mistuned.
> 
>    All of these tests use Received: headers:
> 
>      FAKED_IP_IN_RCVD FORGED_EUDORAMAIL_RCVD FORGED_GW05_RCVD
>      FORGED_HOTMAIL_RCVD FORGED_JUNO_RCVD FORGED_MX_HOTMAIL
>      FORGED_RCVD_TRAIL FORGED_TELESP_RCVD FORGED_YAHOO_RCVD
>      GENUINE_EBAY_RCVD MDAEMON_2_7_4 POST_IN_RCVD RATWARE_EMWAC
>      RCVD_BY_QVES_COM RCVD_FAKE_HELO_DOTCOM RECEIVED_IDENT_SQUID
>      ROUND_THE_WORLD ROUND_THE_WORLD_LOCAL SHORT_RECEIVED_LINE
>      SMTPD_IN_RCVD T_IDENT_CACHEFLOW T_IDENT_NOBODY VAR_REF_IN_RECEIVED
>      YAHOO_MSGID_ADDED __EVITE_RCVD __RCVD_BY_HOTMAIL
> 
>   And that's not counting the many eval: tests that use Received:
>   internally: date difference tests, MTA tests, forged Received: header
>   tests, HELO tests, the round the world test, message-id timestamp
>   tests, etc.

The effect in MD/SA is somewhat mitigated due to the fact that 
it's only the *last* Received header which is typically absent when 
SA is called--and we know it'll be legit.  Still, I ran into a few 
false negatives before I made my changes that were due to its 
absence.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
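An added illustration of the gap the post describes, written for this page and not taken from MIMEDefang or SpamAssassin: when a milter hands the message to the scanner, the MTA has not yet prepended its own Received: line for the current SMTP session, so any test keyed on the newest Received: header (relay address, date shift) has nothing to work with. The example builds that header from the session values the milter already knows and prepends it before the scan. Every function name, the sample message and the session values are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample: a single-hop message as the milter sees it.  Because
# the MTA adds its Received: line for the current session only after the
# milter returns, there is no Received: header at all at scan time.
SAMPLE_MSG = (
    "Date: Thu, 12 Dec 2002 09:40:00 -0500\n"
    "From: someone@example.net\n"
    "To: user@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed SMTP session values of the kind a milter receives from the MTA
# (HELO name, resolved relay name, relay address, envelope sender, queue id).
SESSION = dict(
    helo="mail.example.net",
    relay_host="mail.example.net",
    relay_addr="192.0.2.10",
    by_host="mx.example.com",
    sender="someone@example.net",
    queue_id="gBCHe0Xa012345",
    when=datetime(2002, 12, 12, 12, 40, tzinfo=timezone(timedelta(hours=-5))),
)


def synthesize_received(helo, relay_host, relay_addr, by_host, sender, queue_id, when):
    """Build the Received: line the MTA itself would prepend for this session.

    The layout mirrors a typical sendmail-style line; it is a hypothetical
    format, not the exact text any particular MTA emits.
    """
    return (
        f"Received: from {helo} ({relay_host} [{relay_addr}])\n"
        f"\tby {by_host} (envelope-sender <{sender}>) with ESMTP id {queue_id};\n"
        f"\t{format_datetime(when)}\n"
    )


def prepend_received(msg_text, received_line):
    """Put the synthesized header in front of the message before scanning."""
    return received_line + msg_text


def latest_relay(msg_text):
    """Return (ip, timestamp) from the topmost Received: header, or None."""
    msg = message_from_string(msg_text)
    rcvd = msg.get("Received")  # get() yields the first, i.e. newest, header
    if rcvd is None:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rcvd)
    ip = m.group(1) if m else None
    # The timestamp follows the last ';' of the (possibly folded) header.
    stamp = parsedate_to_datetime(rcvd.rsplit(";", 1)[-1].strip())
    return ip, stamp


def date_shift_seconds(msg_text):
    """Date: header minus the newest Received: timestamp; None if no Received:.

    A large positive or negative value is what a date-shift style test keys
    on; without the newest Received: line the test cannot run at all.
    """
    relay = latest_relay(msg_text)
    if relay is None:
        return None
    date_hdr = parsedate_to_datetime(message_from_string(msg_text)["Date"])
    return int((date_hdr - relay[1]).total_seconds())


if __name__ == "__main__":
    print("before:", latest_relay(SAMPLE_MSG), date_shift_seconds(SAMPLE_MSG))
    fixed = prepend_received(SAMPLE_MSG, synthesize_received(**SESSION))
    print("after: ", latest_relay(fixed), date_shift_seconds(fixed))
```

Run stand-alone, the first line shows that both checks return None on the raw milter-time message; after the synthesized header is prepended, the relay address 192.0.2.10 is visible and the Date: header is found to be three hours behind the receiving timestamp. In a real filter the session values come from the milter callbacks rather than a constructed dictionary, and the synthesized line should be added only to the copy passed to the scanner, not to the delivered message, since the MTA will add its own.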