I read that some spammers are known to place their own fake Received
headers to hopefully disguise the trail back to them and that you are
supposed to be able to tell if another header is in between them.
For example, I received a spam that had this:
Received: from mailhost.iworld.com [63.95.15.3] (firewall-user)
by pilchuck.reedmedia.net with esmtp (Exim 3.12 #1 (Debian))
id 15kI6e-0003zC-00; Thu, 20 Sep 2001 21:40:04 -0700
Received: by mailhost.iworld.com; id AAA02815; Fri,
21 Sep 2001 00:40:06 -0400 (EDT)
From: <flagswholesale@???>
Received: from nodnsquery(10.1.4.47) by darienfw1.iworld.com via smap
(V5.5) id xma002793; Fri, 21 Sep 01 00:39:58 -0400
Received: from mailhost.iworld.com ([10.1.4.80]) by schubert.iworld.com
(Netscape Messaging Server 3.6) with ESMTP id AAA7398;
Fri, 21 Sep 2001 00:39:50 -0400
Received: by mailhost.iworld.com; id AAA16319; Fri,
21 Sep 2001 00:39:49 -0400 (EDT)
Received: from nodnsquery(63.95.15.15) by icom5-fw.iworld.com via smap
(V5.5)
id xma016131; Fri, 21 Sep 01 00:38:56 -0400
Received: from donghu.elv.com.cn ([202.106.113.131])
by relay2.iworld.com (8.11.2/8.11.2) with ESMTP id f8L4clZ17995;
Fri, 21 Sep 2001 00:38:49 -0400 (EDT)
Received: from transmit (ts003d18.buf-ny.concentric.net [206.173.43.126])
by donghu.elv.com.cn (8.9.2/8.9.2) with SMTP id MAA01754;
Fri, 21 Sep 2001 12:31:03 +0800 (CST)
Message-Id: <200109210431.MAA01754@???>
Are out-of-order Received headers a good indicator of spam? (In this case,
I don't think they are.)
Does anyone ever use any rules to check for fake Received headers for
blocking spam?
Jeremy C. Reed
http://www.isp-faq.com/
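The two checks the post asks about, written out as an added example (not code from the post or the list): parse the Received: lines quoted above and report where a hop's "from" host does not match the "by" host of the older hop below it, and where timestamps run backwards. The sample is the message's own headers, re-folded as a mailbox would store them; the hop dictionaries and the tuple shapes returned are this example's own choices.

```python
import re
from email.utils import parsedate_to_datetime

# Sample input: the Received: lines quoted in the post, re-folded the way a
# mailbox stores them (continuation lines begin with whitespace).
SAMPLE_HEADERS = """\
Received: from mailhost.iworld.com [63.95.15.3] (firewall-user)
    by pilchuck.reedmedia.net with esmtp (Exim 3.12 #1 (Debian))
    id 15kI6e-0003zC-00; Thu, 20 Sep 2001 21:40:04 -0700
Received: by mailhost.iworld.com; id AAA02815; Fri,
    21 Sep 2001 00:40:06 -0400 (EDT)
Received: from nodnsquery(10.1.4.47) by darienfw1.iworld.com via smap (V5.5) id xma002793; Fri, 21 Sep 01 00:39:58 -0400
Received: from mailhost.iworld.com ([10.1.4.80]) by schubert.iworld.com
    (Netscape Messaging Server 3.6) with ESMTP id AAA7398; Fri, 21 Sep 2001 00:39:50 -0400
Received: by mailhost.iworld.com; id AAA16319; Fri, 21 Sep 2001 00:39:49 -0400 (EDT)
Received: from nodnsquery(63.95.15.15) by icom5-fw.iworld.com via smap (V5.5) id xma016131; Fri, 21 Sep 01 00:38:56 -0400
Received: from donghu.elv.com.cn ([202.106.113.131])
    by relay2.iworld.com (8.11.2/8.11.2) with ESMTP id f8L4clZ17995; Fri, 21 Sep 2001 00:38:49 -0400 (EDT)
Received: from transmit (ts003d18.buf-ny.concentric.net [206.173.43.126])
    by donghu.elv.com.cn (8.9.2/8.9.2) with SMTP id MAA01754; Fri, 21 Sep 2001 12:31:03 +0800 (CST)
"""

def parse_received(raw):
    """Unfold the headers; return one dict per hop (newest first) with the
    'from' host (None for a purely local handoff), 'by' host and timestamp."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        if not line.startswith("Received:"):
            continue
        body = line[len("Received:"):]
        frm = re.search(r"\bfrom\s+([^\s(\[;]+)", body)
        by = re.search(r"\bby\s+([^\s(\[;]+)", body)
        # RFC 822 puts the date after the last ';' of the clause
        stamp = parsedate_to_datetime(body.rsplit(";", 1)[1].strip())
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1), "time": stamp})
    return hops

def check_chain(hops):
    """Return (host_breaks, time_breaks).  host_breaks: (index, from, by)
    where a hop's 'from' is not the 'by' of the older hop below it.
    time_breaks: (index, seconds) where a hop is stamped before that older
    hop.  Both are hints only: firewalls and clock skew cause them too."""
    host_breaks, time_breaks = [], []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if newer["from"] and newer["from"].lower() != older["by"].lower():
            host_breaks.append((i, newer["from"], older["by"]))
        if newer["time"] < older["time"]:
            skew = int((older["time"] - newer["time"]).total_seconds())
            time_breaks.append((i, skew))
    return host_breaks, time_breaks
```

On this message the only host mismatches are the two "nodnsquery" firewall hops and the only time inversion is two seconds of clock skew between pilchuck and mailhost, which is what you would expect from a legitimate chain rather than a forged one.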