On 6/16/2004 5:29 PM, Justin Mason wrote:
> Eric A. Hall writes:
>
>> Anybody got any thoughts on this? Is it doable? If not, can somebody
>> start thinking about macros for a future rev that will make this more
> possible, something like RECEIVED_0, RECEIVED_FIRST, or whatever?
>
> "X-Spam-Relays-Untrusted" is a pseudoheader that does this. It's
> generated based on the parsed Received header data, and the first
> stanza in it will always be the first untrusted handover found in the
> message.
>
> It's not visible in the output normally, but you can see what it looks
> like by running a message through sa with -D on.

I don't see that line in the 2.63 output. Is it the same as the line that
reads "debug: received-header: parsed as [...]"? If so, that line doesn't
provide all the stuff I want to check.

Specifically I want to do transfer-layer probabilities against:

  "with SMTP" versus "with ESMTP" -- spambots use SMTP more often
  than honest mailers (my local clients aren't checked here)

  TLS -- spambots don't use TLS (although some worms do inherit TLS
  from screwed local mailers), but lots of honest mailers do

  valid hostname-HELO matching -- there is some testing for this
  already but I want to do my own for meta testing

  etcetera.

I like the structured data but it would be really great if these were
presented in a macro array like RECEIVED[0] or the like.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
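
The transfer-layer checks listed in the message above (SMTP versus ESMTP, TLS, hostname-HELO matching on the first untrusted handover), as an added Python example that is not part of the original post and is not SpamAssassin code. It assumes Sendmail/Postfix-style Received lines and a simplified trust rule (a hop is trusted when the sending IP is inside a trusted network); the names transfer_features, first_untrusted and SAMPLE are hypothetical.

```python
import ipaddress
import re

# Assumed layout: "from HELO (RDNS [IP]) ... by HOST ... with PROTO" (Sendmail/Postfix style).
FROM_RE = re.compile(r"^from (?P<helo>\S+) \((?P<rdns>[^\s\[\]()]*) ?\[(?P<ip>[0-9a-fA-F.:]+)\]\)", re.I)
WITH_RE = re.compile(r"\bwith (?P<proto>[A-Z]*SMTP[A-Z]*)\b", re.I)
TLS_RE = re.compile(r"\((?:using |version=)TLS", re.I)


def transfer_features(raw_header):
    """Extract transfer-layer features from one Received header value."""
    h = re.sub(r"\s+", " ", raw_header).strip()  # unfold continuation lines
    m_from, m_with = FROM_RE.match(h), WITH_RE.search(h)
    proto = m_with.group("proto").upper() if m_with else None
    helo = m_from.group("helo").lower().rstrip(".") if m_from else None
    rdns = m_from.group("rdns").lower().rstrip(".") if m_from else None
    if rdns in ("", "unknown"):  # the receiving MTA recorded no reverse DNS
        rdns = None
    return {
        "ip": m_from.group("ip") if m_from else None,
        "proto": proto,
        # TLS appears as an MTA comment or as the RFC 3848 ESMTPS/ESMTPSA keywords
        "tls": bool(TLS_RE.search(h)) or proto in ("ESMTPS", "ESMTPSA"),
        "helo_matches_rdns": helo is not None and helo == rdns,
    }


def first_untrusted(received_headers, trusted_networks):
    """Walk headers newest-first; return features of the first untrusted handover."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for raw in received_headers:
        feats = transfer_features(raw)
        try:
            addr = ipaddress.ip_address(feats["ip"])
        except (TypeError, ValueError):
            return feats  # a hop that cannot be parsed cannot be trusted
        if not any(addr in net for net in nets):
            return feats
    return None


# Constructed sample headers (newest first), not taken from a real message.
SAMPLE = [
    "from mx.example.net (mx.example.net [10.0.0.5])\n\tby mail.example.net (Postfix) with ESMTP id 1A2B3C",
    "from friendly.example.org (dsl-203-0-113-9.example.com [203.0.113.9])\n\tby mx.example.net (8.12.11/8.12.11) with SMTP id i5GLTx01",
]

if __name__ == "__main__":
    print(first_untrusted(SAMPLE, ["10.0.0.0/8"]))
```

Each returned field can feed its own rule or meta rule; an unparseable hop is reported as the untrusted boundary rather than skipped.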