5.5.1 ORF Online Help

Header Analysis

This help section describes the email header delivery path analysis: this is how ORF determines the source IP address of an email which will be used for the IP-based tests at the On Arrival filtering point.

To understand the entire process, it is recommended to read the Filtering Points Concept and Intermediate Host List topics as well.

Delivery path

When an email is relayed through multiple hosts, each adds its own information to the email MIME header as Received: from lines, so the delivery path of the email can be examined in the email header by ORF:

Email Header
Return-Path: <EABWZLYTQQGDEX@msn.com>
Delivered-To: spammed@domain.tld
Received: from secondarymx.domain.tld ([5.5.5.5]) by primarymx.domain.tld with Microsoft SMTPSVC(5.0.6462.1250);
  Mon, 24 May 2004 09:45:47 -0100
Received: from mailrelay.isp.tld ([3.3.3.3]) by secondarymx.domain.tld with Microsoft SMTPSVC(5.0.6462.1250);
  Mon, 24 May 2004 09:45:45 -0100
Received: from adsl-1-2-3-4.dsl.isp.tld (1.1.1.1)
  by mailrelay.isp.tld with SMTP; 24 May 2004 11:54:17 +0200
Message-ID: <223112573957.43227@EABWZLYTQQGDEX@msn.com>
Reply-To: "Kerri Francis" <EABWZLYTQQGDEX@msn.com>
From: "Kerri Francis" <EABWZLYTQQGDEX@msn.com>
To: "Spammed" <spammed@domain.tld>
Subject: Home delivery on all meds
Date: Mon, 24 May 2004 13:46:45 +0300
MIME-Version: 1.0 (produced by fleeingencapsulatevernier 61.25)
Content-Type: multipart/alternative;
  boundary="--40091327580672012"

Note that the header is available at the On Arrival filtering point only. At Before Arrival, ORF will simply use the connecting IP address for the IP-based tests, or (if the connecting IP is an Intermediate Host) it will wait for the header to arrive and test the email at On Arrival.

Analysis Explained

The analysis starts with the first IP address in the delivery path (the latest delivery hop). ORF checks whether the IP is listed on the Intermediate Host List and steps to the next hop if it is.

The local host address (127.0.0.1) and the Class A, B and C private intranet address ranges are treated by default as if they were part of the Intermediate Host List. (Class A intranet: 10.0.0.0 - 10.255.255.255, Class B intranet: 172.16.0.0 - 172.31.255.255 and Class C intranet: 192.168.0.0 - 192.168.255.255.)

These addresses are hardcoded and cannot be removed from the Intermediate Host List.

Stepping down in the list continues until the first non-intermediate host is found, and the IP of that host will be used during IP-based tests at the On Arrival filtering point.

Delivery hops

The delivery hops from the above header are:

  • 5.5.5.5, index = 1
  • 3.3.3.3, index = 2
  • 1.1.1.1, index = 3

The email seems to have been sent from 1.1.1.1 (looks like a DSL line) via a relay at 3.3.3.3 (looks like the DSL user's ISP mail relay) to the secondary MX of domain.tld (5.5.5.5). The secondary MX relayed the email to the primary MX (primarymx.domain.tld), where ORF runs.

Analysis & results

Let us assume that 5.5.5.5 (the secondary MX for domain.tld) is on the Intermediate Host List—it should be there.

The analysis proceeds as follows:

  • 5.5.5.5 is on the Intermediate Host List, skip to the next delivery hop.
  • 3.3.3.3 is neither on the Intermediate Host List, nor a local or intranet address: we can end the analysis.

The result of the analysis is that the sender server was 3.3.3.3, so ORF will use this IP for its IP-based tests.
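The walk described above can be reproduced with a short script. This is an added example, not ORF's own code: the function names, the regular expression used to pull the IP out of each Received line, and the choice to return None when every hop is intermediate are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Ranges this page says are always treated as intermediate hosts.
HARDCODED = [ipaddress.ip_network(n) for n in
             ("127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IP literal in a Received line, written as "([5.5.5.5])" or "(1.1.1.1)".
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

# Received lines of the sample header on this page (other fields omitted).
SAMPLE = """\
Received: from secondarymx.domain.tld ([5.5.5.5]) by primarymx.domain.tld with Microsoft SMTPSVC(5.0.6462.1250);
  Mon, 24 May 2004 09:45:47 -0100
Received: from mailrelay.isp.tld ([3.3.3.3]) by secondarymx.domain.tld with Microsoft SMTPSVC(5.0.6462.1250);
  Mon, 24 May 2004 09:45:45 -0100
Received: from adsl-1-2-3-4.dsl.isp.tld (1.1.1.1)
  by mailrelay.isp.tld with SMTP; 24 May 2004 11:54:17 +0200
Subject: Home delivery on all meds
"""

def delivery_hops(raw_header):
    """Hop IPs in header order, so list position 0 is index 1 (the latest hop)."""
    hops = []
    for value in message_from_string(raw_header).get_all("Received", []):
        m = IP_RE.search(value)
        if not m:
            continue
        try:
            hops.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # looks like an IP but is not one, e.g. 999.1.1.1
    return hops

def source_ip(raw_header, intermediate_hosts):
    """First hop that is not intermediate; None if all are (assumed behaviour)."""
    listed = {ipaddress.ip_address(h) for h in intermediate_hosts}
    for ip in delivery_hops(raw_header):
        if ip in listed or any(ip in net for net in HARDCODED):
            continue  # intermediate host: step to the next hop
        return str(ip)
    return None

if __name__ == "__main__":
    print(source_ip(SAMPLE, ["5.5.5.5"]))
```

Received lines below the returned hop come from hosts outside the Intermediate Host List and may be forged by the sender, so the example, like the analysis described above, does not look past that hop.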

Copyright © Vamsoft Kft. All rights reserved. Document ID headeranalysis, version 1.