I've just received a spam message with a faked SMTP header entry:
Received: from unknown (HELO mohamand) (126.96.36.199)
by uhweb150XX.united-hoster.com with SMTP; 25 Nov 2006 22:23:13 +0100
Received: from 188.8.131.52 (HELO mx2.magic.fr)
by x.de with esmtp (0T*7Y0,8T1+) 5448M)
for x[at]x.de; Sat, 25 Nov 2006 21:22:52 -0120
The first entry is the correct SMTP header entry from my mail server. The second one is completely faked. (x[at]x.de is the mail address the spam was sent to, and x.de is the correct hostname.) The "from" IP address that was used seems to have been chosen by the spammer (maybe randomly).
The problem is: the SpamCop parser (and maybe others) takes this faked SMTP entry for real and blames the wrong target.
Is there a way to avoid this, or maybe to build a workaround for something like this into SpamCop?
Thanks and Regards,
Edit: PS: Maybe it's possible to verify the whole way through the SMTP servers (by matching the "from" IP of every entry with the "by" IP of the entry before)?
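The check suggested in the PS, as an added example that is not part of the original post and not SpamCop's code: walk the Received: headers from the top, trust a header only if it was written by one of your own hosts and (for every header after the first) by the very machine the header above it says it received the message from, and report the first connecting IP that is not yours. The two Received: lines are the ones quoted in the post; the IP addresses assigned to x.de, uhweb150XX.united-hoster.com and the internal relay, and the second (legitimate) chain, are constructed with RFC 5737 documentation addresses because the post does not give them.

```python
"""Walk Received: headers top-down and stop at the first hop we cannot vouch for.

Added example, not from the original post. The first header list is the pair
quoted in the post (second one forged); host/IP table and the second chain are
constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The two Received: values from the post, topmost first: the one our own server
# added, then the forged one the spammer put into the message body.
POST_RECEIVED = [
    "from unknown (HELO mohamand) (126.96.36.199) by uhweb150XX.united-hoster.com "
    "with SMTP; 25 Nov 2006 22:23:13 +0100",
    "from 188.8.131.52 (HELO mx2.magic.fr) by x.de with esmtp (0T*7Y0,8T1+) 5448M) "
    "for x[at]x.de; Sat, 25 Nov 2006 21:22:52 -0120",
]

# Constructed: our own mail hosts and the addresses they connect from. The post says
# x.de and uhweb150XX.united-hoster.com are the recipient's; the IPs are assumed.
OUR_HOSTS: Dict[str, Set[str]] = {
    "uhweb150xx.united-hoster.com": {"203.0.113.10"},
    "x.de": {"203.0.113.10"},
    "relay.x.de": {"203.0.113.20"},   # internal relay used by the second sample
}

# Constructed legitimate chain: our MX got the mail from our own relay, which got it
# from an outside host. The walk has to continue through the internal hop.
LEGIT_RECEIVED = [
    "from relay.x.de (203.0.113.20) by x.de with esmtp; Sat, 25 Nov 2006 21:30:00 +0100",
    "from mail.example.org (198.51.100.7) by relay.x.de with esmtp; Sat, 25 Nov 2006 21:29:58 +0100",
]

RECEIVED_RE = re.compile(r"^\s*from\s+(?P<name>\S+)(?P<comment>.*?)\s+by\s+(?P<by>\S+)",
                         re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)


@dataclass
class Hop:
    from_name: str
    from_ip: Optional[str]   # connecting address as recorded by the receiving server
    helo: Optional[str]      # whatever the client claimed in HELO; never trustworthy
    by_host: str


def parse_received(value: str) -> Optional[Hop]:
    """Extract from-name, from-IP, HELO and by-host from one Received: value."""
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    from_part = m.group("name") + m.group("comment")
    ip, helo = IPV4_RE.search(from_part), HELO_RE.search(from_part)
    return Hop(m.group("name"), ip.group(1) if ip else None,
               helo.group(1) if helo else None, m.group("by").lower())


def find_source(received: List[str],
                our_hosts: Dict[str, Set[str]]) -> Tuple[Optional[str], int, str]:
    """Return (ip_to_report, index_of_last_trusted_header, reason).

    Header i is trusted only if one of our hosts wrote it and, for i > 0, that host
    is the machine header i-1 recorded as the connecting peer. The first from-IP
    that is not ours is the injection point; every header below it is just text the
    sender typed and must not be blamed. No DNS is used: only our own host table.
    """
    our_ips = {ip for ips in our_hosts.values() for ip in ips}
    prev_ip: Optional[str] = None
    for i, value in enumerate(received):
        hop = parse_received(value)
        if hop is None:
            return None, i - 1, f"header {i} is not a parseable Received: line"
        if hop.by_host not in our_hosts:
            return None, i - 1, f"header {i} claims 'by {hop.by_host}', not one of our hosts"
        if i > 0 and prev_ip not in our_hosts[hop.by_host]:
            return None, i - 1, (f"chain broken: header {i - 1} received from {prev_ip}, "
                                 f"but header {i} claims it was written by {hop.by_host}")
        if hop.from_ip is None:
            return None, i - 1, f"header {i} records no connecting IP"
        if hop.from_ip not in our_ips:
            below = len(received) - i - 1
            return hop.from_ip, i, (f"first hop from outside our hosts (HELO {hop.helo}); "
                                    f"the {below} header(s) below it are untrusted")
        prev_ip = hop.from_ip
    return None, len(received) - 1, "message never left our own hosts"


if __name__ == "__main__":
    for label, chain in (("post", POST_RECEIVED), ("legit", LEGIT_RECEIVED)):
        print(label, find_source(chain, OUR_HOSTS))
```

For the headers in the post this reports 126.96.36.199 (the host that said HELO mohamand to the real server) and never looks at the forged "by x.de" line, because the real server's own record says the connecting peer was not x.de. The walk stops at your own trust boundary on purpose: checking "from" against "by" further down the chain would need DNS, and a host with several addresses, a NAT, or a relay the spammer controls can make that comparison fail or pass regardless of forgery, so a mismatch there only hints at tampering while the first externally recorded IP is the one you can actually stand behind.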