Dave,

That's not an RFC violation, it's a problem with the code used to extract the IP from the Received headers.

Matt



David Barker wrote:
Here is a message going through a Postini server.

--- EXAMPLE 1 ---
Received: from xxxx.xxxxx.local ([127.0.0.1]) by xxxxxx.xom with Microsoft
SMTPSVC(6.0.3790.1830);
                 Wed, 30 Sep 2009 12:18:03 -0400
Return-Path: <dbar...@declude.com>
Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net
with SMTP;
   Wed, 30 Sep 2009 12:12:56 -0400
Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;
                Wed, 30 Sep 2009 11:16:38 CDT
Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com
with SMTP;
   Wed, 30 Sep 2009 11:16:11 -0500
Reply-To: <dbar...@declude.com>
From: "David Barker" <dbar...@declude.com>
To: "xxx xxxx'" <x...@xxxxx.com>
-----------------

This line is good.

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net
with SMTP;

However this line is a problem.

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;

This IP exprod5mx277.postini.com ([64.18.4.10]) should be on its own line.
The problem occurs when there are two IP addresses on the same line. The
first IP is considered as BOGUS and Declude picks up the second IP address
on this line.
For more information please review RFC 5321: [4.4]


David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com




From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, November 04, 2009 3:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi David:

I’m interested to better understand this feature. The line you posted looks
like a legit received header that Postini indeed should add to the top of
the headers when it receives the message from the source?

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com
([64.18.4.10]) with SMTP;
Wed, 25 Mar 2009 14:45:20 CDT

Isn’t the MX of the recipient domain pointed to Postini’s server? So Postini
would be the first “received” header to be inserted before relaying the
message to the client’s internal mail server?

It might help if you actually posted what a header looked like before
Postini mangled it and what it looked like after Postini mangled it? I
guess, what I’m not grasping is, who inserted the “original” header that
Postini has tampered with – if Postini is the domain’s MX?

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, November 04, 2009 2:54 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi Scott,

Postini is violating RFC 5321: [4.4]

" An Internet mail program MUST NOT change or delete a Received: line that
was previously added to the message header section. SMTP servers MUST
prepend Received lines to messages; they MUST NOT change the order of
existing lines or insert Received lines in any other location. "

Postini is changing the header's received line by adding the additional IP, as
in the example below.

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com
([64.18.4.10]) with SMTP;
Wed, 25 Mar 2009 14:45:20 CDT

The problem is that a changed received line is an indication of a forged
header and is a flag for a bogus received line (a technique often used by
spammers).  Because of this, the actual IP of the sender is not where it
should be, so we are giving our customers the option:

POSTINIFIX    ON

Will identify the sending IP as 209.85.221.110

By Default if not present POSTINIFIX OFF
Will identify the sending IP as 64.18.4.10

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com



---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
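
An added example, not Declude's code and not part of the thread: a clause-aware parser that assigns each bracketed address in a Received line to its `from` or `by` clause. For the line with two IPs it yields 216.144.195.81 as the connecting peer, while a last-IP-on-the-line extractor returns 64.18.4.10. The function names and regular expressions are assumptions for illustration; the headers are the ones posted in the thread, with folding restored.

```python
import re

# Constructed sample: the three hops from the thread's example, with header
# folding restored (continuation lines indented) and redactions kept as posted.
SAMPLE_HEADERS = """\
Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net
 with SMTP;
 Wed, 30 Sep 2009 12:12:56 -0400
Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
 ([64.18.4.10]) with SMTP;
 Wed, 30 Sep 2009 11:16:38 CDT
Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com
 with SMTP;
 Wed, 30 Sep 2009 11:16:11 -0500
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "from <peer> by <receiver>", then an optional via/with/id/for clause or ";".
CLAUSES = re.compile(
    r"^from\s+(?P<frm>.*?)\s+by\s+(?P<by>.*?)(?:\s+(?:via|with|id|for)\s|;|$)",
    re.I | re.S)

def unfold(raw):
    """Join folded continuation lines; return [name, value] pairs in order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip().lower(), value.strip()])
    return fields

def clause_ips(value):
    """Return (from-clause IPs, by-clause IPs) for one Received value."""
    m = CLAUSES.match(value)
    if not m:
        return [], []
    return IPV4.findall(m.group("frm")), IPV4.findall(m.group("by"))

def naive_last_ip(value):
    """Position-based extraction: last bracketed IP anywhere in the line."""
    ips = IPV4.findall(value)
    return ips[-1] if ips else None

def peer_ips(raw):
    """Connecting-peer IP per hop, taken only from the from-clause."""
    out = []
    for name, value in unfold(raw):
        if name == "received":
            frm, _by = clause_ips(value)
            out.append(frm[0] if frm else None)
    return out
```

`peer_ips(SAMPLE_HEADERS)` lists the peers newest hop first; the middle entry is the Postini hop discussed in the thread.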

