22 Feb 2007, 09:05 AM   #11
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
Basically spamassassin already includes a Received: header parser that tries to break a Received header down into a common format (for the interested, it's a several hundred line function that tries to match against many, many different formats since there's no standard Received format).

http://search.cpan.org/src/FELICITY/...ta/Received.pm

Now by default, spamassassin will search back through the Received headers to find the IP the message was received from into the local system. All we do is extend the length it keeps searching back to include extra "trusted" hosts.

So let's say we added "ams.org" as a trusted host. Then this line:

Code:
Received: from ams.org (mail01.ams.org [130.44.1.106])
	by mx2.messagingengine.com (Postfix) with ESMTP id 907F91DE08D
	for <member@myself.123mail.or9>; Tue, 20 Feb 2007 09:53:09 -0500 (EST)
Would be broken down by SA into:

Code:
  my $relay = {
    ip => '130.44.1.106',
    rdns => 'mail01.ams.org',
    by => 'mx2.messagingengine.com',
    helo => 'ams.org',
    id => '907F91DE08D',
  };
We look at the rdns value (mail01.ams.org), and see if it's in our trusted host list. It's not, so we strip the /^[^.]*\./ from the front to get "ams.org" and try again. This is in our trusted host list.

Now we need to check that the header isn't forged, and the IPs are actually real. So we do a DNS lookup on mail01.ams.org to get the IPs.

Code:
$ dig +short mail01.ams.org
130.44.1.106
And we see this does match the IP in the header, so we trust this Received header, and move on to the next one. Repeating this process would get us to:

Code:
Received: from narkis.wisdom.weizmann.ac.il (narkis.wisdom.weizmann.ac.il [132.76.80.32])
	by smtp.ams.org (8.12.11.20060308/8.12.11) with ESMTP id l1KEr4Fg006136
	for <myself@member.ams.or9>; Tue, 20 Feb 2007 09:53:05 -0500
As the header of interest to check the handoff IP against.

With the second example, assuming we trust bezeqint.net, we can see a similar process. The only odd one is:

Code:
Received: from localhost (localhost [127.0.0.1])
	by mas21.bezeqint.net (MOS 3.7.3a-GA)
	id CQE91258;
	Tue, 13 Feb 2007 06:43:35 +0200 (IST)
But since 127.0.0.1 is obviously an internal handoff, I'm pretty sure SA trusts this header and moves on.


Rob
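The walk described in this post, as an added Python example (it is neither SpamAssassin's Received.pm nor Rob's code): it parses only the header shape shown here, replaces the dig lookup with a constructed in-memory DNS table, and stops at the first hop that is either not in the trusted list or whose rDNS name does not forward-resolve to the IP in the header.

```python
import re
# Constructed offline stand-in for the `dig` forward lookups in the post.
FAKE_DNS = {"mail01.ams.org": {"130.44.1.106"},
            "narkis.wisdom.weizmann.ac.il": {"132.76.80.32"}}

# Sample chain copied from the post (first header = most recent hop).
HEADERS = [
    "Received: from ams.org (mail01.ams.org [130.44.1.106])\n"
    "\tby mx2.messagingengine.com (Postfix) with ESMTP id 907F91DE08D\n"
    "\tfor <member@myself.123mail.or9>; Tue, 20 Feb 2007 09:53:09 -0500 (EST)",
    "Received: from narkis.wisdom.weizmann.ac.il (narkis.wisdom.weizmann.ac.il [132.76.80.32])\n"
    "\tby smtp.ams.org (8.12.11.20060308/8.12.11) with ESMTP id l1KEr4Fg006136\n"
    "\tfor <myself@member.ams.or9>; Tue, 20 Feb 2007 09:53:05 -0500",
]

# Only the "from HELO (rdns [ip]) by HOST ... id ID" shape shown in the post;
# SpamAssassin's real Received.pm handles many more formats.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)(?:.*?\bid\s+(?P<id>[^\s;]+))?")

def parse_received(header):
    """Unfold continuation lines and break the header into the relay dict the post shows."""
    m = RECEIVED_RE.search(" ".join(header.split()))
    return m.groupdict() if m else None

def is_trusted_host(rdns, trusted):
    """Strip leading labels (/^[^.]*\\./) until the name is in the trusted list or exhausted."""
    name = rdns.lower()
    while True:
        if name in trusted:
            return True
        if "." not in name:
            return False
        name = name.split(".", 1)[1]

def rdns_matches_ip(rdns, ip, dns=FAKE_DNS):
    return ip in dns.get(rdns.lower(), set())  # forward-resolve; header IP must be an answer

def find_handoff(headers, trusted, dns=FAKE_DNS):
    """Walk the chain past trusted, DNS-verified relays; return the handoff relay."""
    for h in headers:
        relay = parse_received(h)
        if relay is None:
            return None  # unparseable hop: stop rather than trust what we cannot read
        if relay["ip"] == "127.0.0.1":
            continue  # internal handoff, like the localhost example in the post
        if is_trusted_host(relay["rdns"], trusted) and rdns_matches_ip(relay["rdns"], relay["ip"], dns):
            continue
        return relay  # first hop not trusted (or whose rDNS does not resolve to its IP)
    return None
```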