Nick Leverton wrote:
SA assumes that hosts named in trusted_networks (i.e. those hosts which accept mail on your behalf) can be relied upon to report the correct incoming IP address, and checks that the last untrusted hop matches the third term in the rule. Doesn't matter if a spammer fakes it further down the Received lines, it's the one where they deliver it to your network that counts.
Nick
This rule set seems to work pretty well in the limited time I've tested it. I've now used the same rule set for paypal, ebay, aol, equifax, chase, and etrade.
It actually would be nice to have a broad rule that says, "if the domain in the FROM address does not have a header with a valid/matching reverse IP lookup in the header, then score with -x points."
Dan
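
The last-untrusted-hop check described in the quoted explanation, as an added Python sketch that is not part of the thread and is not SpamAssassin's own code. The Received-line layout, the function names and all hostnames and addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed Received layout (Postfix/sendmail style): from HELO (RDNS [IP]) by HOST
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def last_untrusted_hop(received, trusted_networks):
    """Walk Received lines newest-first; return the first relay outside trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for line in received:
        m = RECEIVED_RE.search(line)
        if m is None:
            return None  # cannot parse a line we needed to rely on: no verdict
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in n for n in nets):
            # Written by a trusted host about an untrusted peer: the hop that counts.
            return m.groupdict()
        # Peer is trusted, so the next line down was written by a host we trust too.
    return None

def rdns_matches_from(from_addr, hop):
    """True if the hop's recorded reverse DNS is the From: domain or a subdomain of it."""
    if hop is None:
        return False
    domain = from_addr.rsplit("@", 1)[-1].lower().rstrip(".")
    rdns = hop["rdns"].lower().rstrip(".")  # "unknown" when the MTA found no PTR
    return rdns == domain or rdns.endswith("." + domain)

# Constructed sample data (documentation address ranges, hypothetical hosts).
TRUSTED = ["192.0.2.0/24"]  # your own MX and internal relays
FORGED = [
    "from mx.example.org (mx.example.org [192.0.2.10]) by store.example.org with ESMTP",
    "from mail.paypal.com (unknown [203.0.113.77]) by mx.example.org with ESMTP",
    # Inserted by the sender below the delivery hop; never consulted:
    "from web.paypal.com (mail.paypal.com [198.51.100.5]) by mail.paypal.com with SMTP",
]
GENUINE = [
    "from mx.example.org (mx.example.org [192.0.2.10]) by store.example.org with ESMTP",
    "from mail.paypal.com (mail.paypal.com [198.51.100.5]) by mx.example.org with ESMTP",
]

if __name__ == "__main__":
    for name, headers in (("forged", FORGED), ("genuine", GENUINE)):
        hop = last_untrusted_hop(headers, TRUSTED)
        print(name, hop["ip"], rdns_matches_from("service@paypal.com", hop))
```

The result is only as good as the trusted_networks list: a relay of yours that is missing from it becomes the "last untrusted hop" itself and the From domain check fails for all mail passing through it.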
