At 11:47 2004-06-03 +0200, Dallman Ross wrote:
> >I've been studying my "Last Received:" header entries. In
> >particular, the ones added by my server (pop server?) raq2.xxxx.com.
Seeing as the _bottommost_ ones shouldn't with any consistency have one's
own ISP involved, this description of the headers didn't seem to identify
the headers with the content you indicate. The topmost,
LAST-in-the-timeline headers would however, assuming you receive mail via
your ISP server, and if it's your POP server, it sort of stands to reason
that you do - excepting for people using crutches like fetchmail.
> That said, most all of Sean's comments are still valid.

Uhm, for my own edification, which _weren't_?
Excepting the presumption of the server being "his" mail server (and for
the purpose of the ones referring to his ISP, that presumption should be
reasonably valid, even if the hardware isn't his legal property), it
certainly seems like they all still apply. Any given received header which
identified a host you reasonably know received the message (be it YOUR own
host, or a host you use - and know received it because it's the header
chronologically before yours and your host retrieves it from them, etc), is
inserted by the host identified in the "received: from .... (....) BY
*HOSTNAME* via ... with ID ... at ...." line (where HOSTNAME is the host
which you know was the recipient in the transaction).
Received headers chronologically prior to any host you can positively
identify reception by (linearly below it, in the order they are inserted
into the message headers) are all suspect, as Dallman has already pointed
out in his "putative" comment.
If these were indeed the bottommost, earliest, "first in the timeline"
received headers, then they should be identifying message transmission from
the original author to THEIR ISP mail server, not to yours.
I score the non-resolving IP ("no RDNS for host passing message to our
MX"), hosts identifying only by an IP ("no hostname at point of transfer to
our MX"), some suspicious hostnames ("Received headers include suspicious
reference"), the "may be forged" warning, from my own host (spammers now
frequently try to send messages using an EHLO of the same hostname as the
host/domain portion of the address they're sending to), and a host of other
Received: header anomalies.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
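As an added example (not code from the post, nor part of procmail), the checks Sean lists above written out as a small Python scorer: only a hop inserted by one of our own hosts is trusted, the hop that handed the message to our MX is scored (no rDNS, HELO by bare IP, "may be forged", HELO claiming our own domain), and every hop chronologically earlier (further down) is marked putative. The host names, domain and sample headers are constructed.

```python
import re

# Constructed sample message (not from the list post); our hosts are the MX
# mail.example.org and the POP/delivery box raq2.example.org, domain example.org.
SAMPLE = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby raq2.example.org with ESMTP id A1; Thu, 3 Jun 2004 11:47:00 +0200\n"
    "Received: from example.org (unknown [198.51.100.7])\n"
    "\tby mail.example.org with SMTP id B2; Thu, 3 Jun 2004 11:46:50 +0200\n"
    "Received: from [10.1.2.3] (may be forged) by example.org with SMTP;\n"
    "\tThu, 3 Jun 2004 11:46:00 +0200\n"
    "Subject: test\n"
)
OUR_HOSTS = {"mail.example.org", "raq2.example.org"}
OUR_DOMAIN = "example.org"

def received_headers(raw):
    """Unfold continuation lines and return the Received: values, topmost first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()
    return [l[9:].strip() for l in unfolded if l.lower().startswith("received:")]

def parse_hop(value):
    """Extract the HELO name, the reverse-DNS name and the inserting ('by') host of one hop."""
    m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+([^\s;,]+)", value, re.I | re.S)
    if not m:
        return None
    helo, comment, by = m.group(1), m.group(2) or "", m.group(3)
    first = comment.split()[0] if comment.split() else ""   # rDNS name, "unknown", or junk
    return {"helo": helo, "helo_is_ip": helo.startswith("["), "by": by.lower(),
            "rdns": first if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", first, re.I) else None,
            "forged": "may be forged" in value.lower(), "raw": value}

def score(raw, our_hosts=OUR_HOSTS, our_domain=OUR_DOMAIN):
    """Score the hop that handed the message to our MX; everything below it is putative."""
    hops = [h for h in map(parse_hop, received_headers(raw)) if h]
    flags, putative, transfer = [], [], None
    for hop in hops:                      # top of message = latest hop in time
        if transfer is None and hop["by"] in our_hosts and hop["helo"].lower() not in our_hosts:
            transfer = hop                # first hop our own host vouches for
            h = hop["helo"].lower()
            checks = [(hop["rdns"] is None, "no RDNS for host passing message to our MX"),
                      (hop["helo_is_ip"], "no hostname at point of transfer to our MX"),
                      (hop["forged"], "HELO name may be forged"),
                      (h == our_domain or h.endswith("." + our_domain),
                       "HELO claims our own domain: " + hop["helo"])]
            flags.extend(msg for cond, msg in checks if cond)
        elif transfer is not None:        # below the transfer point: nobody we trust inserted it
            putative.append(hop["raw"])
    return {"transfer": transfer, "flags": flags, "putative": putative}
```

Hops above the transfer point that both leave and arrive at our own hosts are internal relays and are left unscored.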