[Spambayes] An alternate use

[T. Alexander Popiel]

In message:  <15811.56800.291193.255713@montanaro.dyndns.org>
             Skip Montanaro <skip@pobox.com> writes:
>
>I was using a spoof-proof mechanism from procmail before I disabled
>SpamAssassin.  I inserted my own header using formail:
>
>    :0H
>    * ! ^X-SA-Host:
>    {
>      :0fw
>      | spamc | $FORMAIL -a "X-SA-Host: `hostname --fqdn`"
>    }
>
>which says, "if there is no X-SA-Host header present, run spamc, add a
>header and include the fully qualified hostname".  If an X-SA-Host header is
>present it tells me spamc had already been run on this message (I was
>running SA on two different machines at the time).  That way I wasn't
>relying on SA's own headers to decide whether or not to run it.

This is not spoof-proof; it's merely relying on no one else inserting
an X-SA-Host header.  If any mail comes in with that header already
on it, you don't run SpamAssassin.  Even if you made the rule pay
attention to the hostname in the header, there's nothing preventing
someone from inserting a header with the right hostname.

The two obvious methods for making it reasonably spoof-proof are
comparing with routing information (and making sure that your
mail daemon (and all the upstream mail daemons that you trust)
reject mail from hosts that lie about their identity), or putting
a cryptographic signature in the header (signing the body + whatever
classification headers you're trusting because of the signature).
Verifying either of these methods is beyond the abilities of most
end-user filters.

- Alex