6.9.1 ORF Online Help
Select your ORF version:

Table of Contents

Header Analysis

This help section describes the email header delivery path analysis: this is how ORF determines the sender IP address of an email which will be used for the IP-based tests at the On Arrival filtering point.

To understand the entire process, it is recommended to read the Filtering Points Concept and Intermediate Host List topics as well.

Delivery path

When an email is relayed through multiple hosts, each adds its own information to the email MIME header as Received: from lines, so the delivery path of the email can be examined in the email header by ORF:

Email Header
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from secondarymx.domain.tld ([5.5.5.5]) by primarymx.domain.tld with Microsoft SMTPSVC(5.0.6462.1250);
  Mon, 24 May 2004 09:45:47 -0100
Received: from mailrelay.isp.tld ([3.3.3.3]) by secondarymx.domain.tld with Microsoft SMTPSVC(5.0.6462.1250);
  Mon, 24 May 2004 09:45:45 -0100
Received: from adsl-1-2-3-4.dsl.isp.tld (1.1.1.1)
  by mailrelay.isp.tld with SMTP; 24 May 2004 11:54:17 +0200
Message-ID: <223112573957.43227@[email protected]>
Reply-To: "Kerri Francis" <[email protected]>
From: "Kerri Francis" <[email protected]>
To: "Spammed" <[email protected]>
Subject: Home delivery on all meds
Date: Mon, 24 May 2004 13:46:45 +0300
MIME-Version: 1.0 (produced by fleeingencapsulatevernier 61.25)
Content-Type: multipart/alternative;
  boundary="--40091327580672012"

Note that the header is available at the On Arrival filtering point only. At Before Arrival, ORF will simply use the connecting IP address for the IP-based tests, or (if the connecting IP is an Intermediate Host) it will wait for the header to arrive and test the email at On Arrival.

Analysis Explained

The analysis starts with the first IP address in the delivery path (the latest delivery hop). ORF checks whether the IP is listed on the Intermediate Host List and steps to the next hop if it is.

The local host address (127.0.0.1), Class A, B and C private intranet address ranges, and the IPv6 link-local and IPv6 unique local address ranges are treated as they were part of the Intermediate Host list by default. (Class A intranet: 10.0.0.0 - 10.255.255.255, Class B intranet: 172.16.0.0 - 172.31.255.255, Class C intranet: 192.168.0.0 - 192.168.255.255, IPv6 link-local: fe80::/10, IPv6 unique local: fc00::/7)

These addresses are hardcoded and cannot be removed from the Intermediate Host List.

Stepping down in the list continues until the first non-intermediate host is found, and the IP of that host will be used during IP-based tests at the On Arrival filtering point.

Delivery hops

The delivery hops from the above header are:

  • 5.5.5.5, index = 1
  • 3.3.3.3, index = 2
  • 1.1.1.1, index = 3

The email seems to be sent from 1.1.1.1 (looks like DSL line) via a relay at 3.3.3.3 (looks like the DSL user's ISP mail relay) to the secondary MX of domain.tld (5.5.5.5). The secondary MX relayed the email to the primary MX (primarymx.domain.tld) where ORF runs.

Analysis & results

Let us assume that 5.5.5.5 (the secondary MX for domain.tld) is on the Intermediate Host List—it should be there.

The analysis will go as:

  • Remote Peer IP: 5.5.5.5 is on the Intermediate Host List, skip to the next delivery hop.
  • Sender IP: 3.3.3.3 is neither on the Intermediate Host List, nor a local or intranet address: we can end the analysis here.
  • Source IP: 1.1.1.1 is the host that originally sent the email.

The result of the analysis is that the server resposible for the delivery of the email to your network was 3.3.3.3, so ORF will use this IP for its IP-based tests.

Copyright © Vamsoft Ltd. 2024. All rights reserved. Document ID headeranalysis, version 3.