No typo.. there is indeed no space between the close-paren and "by." Additionally, looking at some upstream headers on some of this spam I see the same thing from other mailers:
Received: from p508d7ae3.dip.t-dialin.net (p508D7AE3.dip.t-dialin.net [80.141.122.227])by myhost.mydomain.com (8.13.1/8.13.1) with SMTP id i9UEUCgw006599;Sat, 30 Oct 2004 10:30:21 -0400 Received: from wproxy.gmail.com ###(CR added for clarity) ([76.47.52.220]:61893 "EHLO mproxy.gmail.com")by avas-mx17.boardermail.com with ESMTP id S131155AbUJINgX;Sat, 30 Oct 2004 09:46:49 -0500 Actually, now that I look, even my ham - this mailing list in particular - follow that format - you sure it isn't normal? Received: from [63.240.76.165] (HELO sccimhc91.asp.att.net) (63.240.76.165)by apache.org (qpsmtpd/0.28) with ESMTP; Sat, 30 Oct 2004 07:21:42 -0700 Received: from linus.heise.nu (12-223-226-13.client.insightbb.com[12.223.226.13])by sccimhc91.asp.att.net (sccimhc91) with ESMTPid <20041030142139i9100hp1ime>; Sat, 30 Oct 2004 14:21:40 +0000 Received: from linus.heise.nu (linus.heise.nu [192.168.1.101])by linus.heise.nu (8.12.10/8.12.10) with ESMTP id i9UELdw6003612for <users@spamassassin.apache.org>; Sat, 30 Oct 2004 09:21:39 -0500 Theo Van Dinter wrote .. > On Sat, Oct 30, 2004 at 12:53:31PM -0400, [EMAIL PROTECTED] wrote: > > debug: received-header: unknown format: from harmonypets.every1.net > > ([222.47.73.116])by > myhost.mydomain.com (8.13.1/8.13.1) with SMTP id i9UBhAFh025756;Sat, 30 > Oct 2004 07:43:12 -0400 > > > > I looked at the parse_received_headers code, and I can see some tests > that I thought this would match. One potential difference is no "for" > message.. received from * by * with * "for". My headers don't have that > for line often while many of the regexs seem to expect that. Is this a > common format I should have? Is my sendmail tweaked? Any known changes > in the header format added by sendmail 8.13.1 that could be slipping through > all the regexs? > > The problem in the format is that there is no space between ")" and "by". > Was > that a cut/paste error, or the actual received header? By adding the space > in, the header is parsed just fine. > > For example, I have lots of Sendmail 8.13.x Received headers in my corpus, > and they all work fine: > > Received: from mcafee.wpi.edu (mcafee.WPI.EDU [130.215.36.86]) > by mail1.WPI.EDU (8.13.1/8.13.1) with SMTP id i95Hxq8F018271; > Tue, 5 Oct 2004 13:59:52 -0400 > > becomes: > > debug: received-header: parsed as [ ip=130.215.36.86 rdns=mcafee.WPI.EDU > helo=mcafee.wpi.edu by=mail1.WPI.EDU ident= envfrom= intl=0 id=i95Hxq8F018271 > ] > > -- > Randomly Generated Tagline: > ..you could spend *all day* customizing the title bar. Believe me. I > speak from experience." > (By Matt Welsh)
