From: Trevor J. <Trevor@Videlicet.com> - 2008-12-23 00:37:27
> It does not identify your own server as suspicious,

If so, then the analysis results should say something other than 'suspicious.'

> it found "by mini.THJ.ca" in the header.

This is to be expected. For example, your e-mail to the list produced this:

Return-Path: <ass...@li...>
Received: from mini.thj.ca ([unix socket])
    by mini.thj.ca (Cyrus v2.3.8-OS X Server 10.5: 9F33) with LMTPA;
    Mon, 22 Dec 2008 19:00:12 -0500
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
    by mini.thj.ca (Postfix) with ESMTP id 03AF0534CF5
    for <Tr...@vi...>; Mon, 22 Dec 2008 19:00:12 -0500 (EST)
X-Virus-Scanned: amavisd-new at thj.ca
Received: from mini.thj.ca ([127.0.0.1])
    by localhost (mini.thj.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id SB1o7i3bfwCt for <Tr...@vi...>;
    Mon, 22 Dec 2008 19:00:09 -0500 (EST)
Received: from lists.sourceforge.net (localhost [127.0.0.1])
    by mini.thj.ca (Postfix) with ESMTP id 36B8E534CE8
    for <Tr...@vi...>; Mon, 22 Dec 2008 19:00:09 -0500 (EST)
Received: from localhost ([127.0.0.1] helo=sfs-ml-4.v29.ch3.sourceforge.com)
    by 335xhf1.ch3.sourceforge.com with esmtp (Exim 4.69)
    (envelope-from <ass...@li...>) id 1LEufN-0008Ic-CS;
    Mon, 22 Dec 2008 23:58:29 +0000
Received: from sfi-mx-2.v28.ch3.sourceforge.com ([172.29.28.122] helo=mx.sourceforge.net)
    by 335xhf1.ch3.sourceforge.com with esmtp (Exim 4.69)
    (envelope-from <fb...@iw...>) id 1LEufM-0008IX-NF
    for ass...@li...; Mon, 22 Dec 2008 23:58:28 +0000
X-ACL-Warn:
Received: from gate04.vnet.de ([62.157.206.202])
    by 72vjzd1.ch3.sourceforge.com with esmtp (Exim 4.69)
    id 1LEufJ-0003AU-61 for ass...@li...;
    Mon, 22 Dec 2008 23:58:28 +0000
Received: from domainmail.vnet.de (62.157.206.203)
    by gate04.vnet.de with ESMTP (EIMS X 3.3.7)
    for <ass...@li...>; Tue, 23 Dec 2008 00:58:48 +0100
Received: from domainmail.vnet.de ([62.157.206.203] helo=domainmail.vnet.de)
    by assp01.vnet.de; 23 Dec 2008 00:58:23 +0100
Received: from mail04.nordlichter.de (62.157.206.197)
    by domainmail.vnet.de with ESMTP (EIMS X 3.3.7)
    for <ass...@li...>; Tue, 23 Dec 2008 00:58:22 +0100

> The "by" word together with a local domain is a good indicator for
> Spam.

Perhaps, but a set of e-mail header entries as above show that if the first one (or more Received:) are for the local domain. All mail programmes I have used have put their 'received by' in the last one or more header entries. This should not cause a problem, i.e. this/these latest entries should not be regarded as suspicious, because we would expect the last ones to be from our own mail servers. If the 'chain' of domain names is broken and then the 'older' ones have our local server domain in them, this might be regarded as suspicious. I would have expected testing the headers to take this into account. Maybe it's too difficult to test effectively the order in which the received servers report their part in the Received: chain.

> However set DoBombHeaderByLocalDomain to "off" if this is not
> fitting to you.

I've changed it. :-)

T.
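The ordering check Trevor argues for, as an added example that is not part of the original post and not ASSP's own code: it walks the Received: chain newest hop first, accepts "by" hosts in the local domain while the chain is still inside our own site, and flags a local "by" only when it reappears after the chain has already left us (the hop a remote sender must have written). The local domain thj.ca, the forged hop and its host mx.thj.ca are assumptions; the sample headers are constructed and abridged from the chain quoted above.

```python
import re
from email import message_from_string

LOCAL_DOMAIN = "thj.ca"  # assumption: the receiving site's own domain, as in the post

# Constructed sample, abridged from the post; newest hop first, as MTAs prepend them.
CLEAN_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
    by mini.thj.ca (Postfix) with ESMTP id 03AF0534CF5; Mon, 22 Dec 2008 19:00:12 -0500
Received: from lists.sourceforge.net (localhost [127.0.0.1])
    by mini.thj.ca (Postfix) with ESMTP id 36B8E534CE8; Mon, 22 Dec 2008 19:00:09 -0500
Received: from gate04.vnet.de ([62.157.206.202])
    by 72vjzd1.ch3.sourceforge.com with esmtp (Exim 4.69); Mon, 22 Dec 2008 23:58:28 +0000
Received: from domainmail.vnet.de (62.157.206.203)
    by gate04.vnet.de with ESMTP (EIMS X 3.3.7); Tue, 23 Dec 2008 00:58:48 +0100
"""

# Constructed forgery: the same hops plus an older "by" hop in our own domain that
# only the remote sender could have written (hypothetical host mx.thj.ca).
FORGED_HEADERS = CLEAN_HEADERS.rstrip("\n") + """
Received: from spam-source.example ([192.0.2.10])
    by mx.thj.ca with ESMTP; Mon, 22 Dec 2008 10:00:00 +0000
"""

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def by_hosts(raw_headers):
    """'by' host of each Received: header, newest hop first ('' if none)."""
    msg = message_from_string(raw_headers)  # copes with folded continuation lines
    hosts = []
    for value in msg.get_all("Received") or []:
        m = BY_RE.search(value)
        hosts.append(m.group(1).lower() if m else "")
    return hosts

def is_local(host, local_domain=LOCAL_DOMAIN):
    return host == local_domain or host.endswith("." + local_domain)

def suspicious_local_hops(raw_headers, local_domain=LOCAL_DOMAIN):
    """Local-domain 'by' hosts that appear after the chain has already left
    the local domain; the newest hops being ours is expected and not flagged."""
    left_local, flagged = False, []
    for host in by_hosts(raw_headers):
        if is_local(host, local_domain):
            if left_local:
                flagged.append(host)
        else:
            left_local = True
    return flagged
```

`suspicious_local_hops(CLEAN_HEADERS)` returns an empty list for the genuine chain, while the forged chain yields `['mx.thj.ca']`.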