reject=553 and stat=Sent simultaneously
Newsgroups: comp.mail.sendmail
From: Sciurus <sciu...@mail.ru>
Date: Mon, 21 Jan 2008 07:34:28 -0800 (PST)
Local: Mon, Jan 21 2008 10:34 am
Subject: reject=553 and stat=Sent simultaneously
Fragment of my sendmail.mc:
KCH1 regex -a@YES outblaze|check1check|mindspring|bigfoot|funnymail|bellsouth.net|tiscali.(it|nl|fr)|wanadoo.(it|nl|fr)|nic.*olastse.(com|net)|videotron.ca|blueyonder|mailcity[.]|mexico|comcast.net|earthlink.com|libertysurf.net|mozartmail.com|telepac.pt|edomex.com|quintanaroo.com|telia.com|hideakifan.com|icq.com|delphi.com|optonline.net|interbusiness.it
                -------------
[skip]
KChHeader sequence CH1 CH2 CH3 CH4 CH5 CH6

HReceived:                      $>+CheckReceived
SCheckReceived
R$*                     $: $(ChHeader $1 $)
R@YES                   $#error $: "553 There is spam domain in the header."

----------
These rules caught the domain "telia.com".
maillog:

Jan 16 18:29:35 mail sendmail[16777]: m0GDTVAR016777: from=<>,
size=3420, class=0, nrcpts=1,
msgid=<20080116132132.BD72257...@an.ru>, proto=ESMTP, daemon=MTA,
relay=relay.an.ru [213.142.209.142]
Jan 16 18:29:35 mail drweb-smf[16782]: [m0GDTVAR016777]: scan: the
message(drweb.tmp.gYnh0y) sent by <> to consig...@anrb.ru is passed
Jan 16 18:29:35 mail drweb-smf[16782]: [m0GDTVAR016777]: processing
message from <> is over
Jan 16 18:29:35 mail sendmail[16777]: m0GDTVAR016777: Milter add:
header: X-Antivirus: Dr.Web (R) for Mail Servers on mail host
Jan 16 18:29:35 mail sendmail[16777]: m0GDTVAR016777: Milter add:
header: X-Antivirus-Code: 100000
Jan 16 18:29:36 mail sendmail[16777]: m0GDTVAR016777: Milter add:
header: X-Spam-Ystatus: hits=-7.50
Jan 16 18:29:36 mail sendmail[16777]: m0GDTVAR016777: Milter add:
header: X-Spam-Flag: NO
Jan 16 18:29:36 mail sendmail[16777]: m0GDTVAR016777: Milter add:
header: X-Spam-Yversion: Spamooborona-2.1.0
Jan 16 18:29:36 mail sendmail[16796]: m0GDTVAR016777:
ruleset=CheckReceived, arg1= from h195n2fls301o260.telia.com
(81.230.233.195) by pne-smtpout2-sn1.fre.skanova.net
(7.3.129)\n        id 478E02C700000E83 for ipnfi...@olcon.murmansk.ru;
Wed, 16 Jan 2008 14:21:05 +0100, relay=relay.an.ru [213.142.209.142],
reject=553 5.0.0 <consig...@anrb.ru>... There is spam domain in the
header."
Jan 16 18:29:36 mail sendmail[16796]: m0GDTVAR016777:
to=<consig...@anrb.ru>, delay=00:00:01, xdelay=00:00:00, mailer=local,
pri=33750, dsn=2.0.0, stat=Sent

------------

But there isn't telia.com in the main header.
It is in the internal Received in the message body:
Received: from h195n2fls301o260.telia.com (81.230.233.195) by pne-
smtpout2-n1.fre.skanova.net (7.3.129)       id 478E02C700000E83 for
ipnfi...@olcon.murmansk.ru; Wed, 16 Jan 2008 14:21:05 +0100

It seems that the original spam mail had a forged sender address and
the bounce message was delivered to my user.

>From MAILER-DAEMON  Wed Jan 16 18:29:36 2008

Return-Path: <MAILER-DAEMON>
Received: from an.ru (relay.an.ru [213.142.209.142])
        by mail.anrb.ru (8.14.2/8.14.2) with ESMTP id m0GDTVAR016777
        for <consig...@anrb.ru>; Wed, 16 Jan 2008 18:29:35 +0500
Received: by an.ru (Postfix)
        id BD722578F5; Wed, 16 Jan 2008 16:21:32 +0300 (MSK)
Date: Wed, 16 Jan 2008 16:21:32 +0300 (MSK)
From: MAILER-DAE...@an.ru (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: consig...@anrb.ru
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="9B4B0578DF.1200489692/an.ru"
Message-Id: <20080116132132.BD72257...@an.ru>
X-Antivirus: Dr.Web (R) for Mail Servers on mail host
X-Antivirus-Code: 100000
X-Spam-Ystatus: hits=-7.50
X-Spam-Flag: NO
X-Spam-Yversion: Spamooborona-2.1.0
Status: RO

This is a MIME-encapsulated message.

--9B4B0578DF.1200489692/an.ru
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host an.ru.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

                        The Postfix program

<ipnfi...@olcon.murmansk.ru>: mail for olcon.murmansk.ru loops back to
myself

--9B4B0578DF.1200489692/an.ru
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; an.ru
Arrival-Date: Wed, 16 Jan 2008 16:21:32 +0300 (MSK)

Final-Recipient: rfc822; ipnfi...@olcon.murmansk.ru
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; mail for olcon.murmansk.ru loops back to
myself

--9B4B0578DF.1200489692/an.ru
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from localhost (localhost [127.0.0.1])
        by relay.an.ru (Postfix) with ESMTP id 9B4B0578DF
        for <ipnfi...@olcon.murmansk.ru>; Wed, 16 Jan 2008 16:21:32
+0300 (MSK)
Received: from an.ru ([127.0.0.1])
 by localhost (relay.an.ru [127.0.0.1]) (amavisd-new, port 10024) with
ESMTP
 id 70724-08 for <ipnfi...@olcon.murmansk.ru>;
 Wed, 16 Jan 2008 16:21:32 +0300 (MSK)
Received: from pne-smtpout2-sn1.fre.skanova.net (pne-smtpout2-
sn1.fre.skanova.net [81.228.11.159])
        by an.ru (Postfix) with ESMTP id 1EB9F578DA
        for <ipnfi...@olcon.murmansk.ru>; Wed, 16 Jan 2008 16:21:29
+0300 (MSK)

Received: from h195n2fls301o260.telia.com (81.230.233.195) by pne-
smtpout2-
=========================================================
n1.fre.skanova.net (7.3.129)
        id 478E02C700000E83 for ipnfi...@olcon.murmansk.ru; Wed, 16
Jan 2008 14:21:05 +0100

Received: from [67.78.43.200] (HELO SWADLT)
        by 81.230.233.195 (CommuniGate Pro SMTP 5.0.11)
        with SMTP id 40127220 for ipnfi...@olcon.murmansk.ru; Wed, 16
Jan 2008 14:21:14 +0100
Message-ID:
<002001c85842$abedbfb0$c3e9e...@h195n2fls301o260.telia.com>
From: "Аванс - С-Питер" <ip...@admiral.ru>
To: <ipnfi...@olcon.murmansk.ru>
Subject: Пленка термоусадочная
Date: Wed, 16 Jan 2008 14:21:14 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_001D_01C8584B.0D3863D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3568
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3141
X-Virus-Scanned: by amavisd-new at an.ru
X-Amavis-Alert: BAD HEADER Non-encoded 8-bit data (char C0 hex) in
message header 'From'
  From: "\300\342\340\355\361 - \321-\317\350\362\345\360"...
^

This is a multi-part message in MIME format.

------=_NextPart_000_001D_01C8584B.0D3863D0
Content-Type: text/plain;
        charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

lvtr
------=_NextPart_000_001D_01C8584B.0D3863D0
Content-Type: text/html;
        charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_001D_01C8584B.0D3863D0--
--9B4B0578DF.1200489692/an.ru--

I read that sendmail.cf checks only "top level headers"
(http://groups.google.com/group/comp.mail.sendmail/browse_frm/thread/fb23a981c96bf80b/e43880ae2f6bccde?tvc=1&q=sciurus).

But what does this maillog record mean
( ruleset=CheckReceived ...reject=553 ...)?

Does it mean that sendmail.cf checks internal headers anyway but the
result doesn't matter for sendmail?

Sometimes the same thing happens with other rulesets (CheckSubject,
CheckFrom, CheckHeader).
Now I use sendmail 8.14.2 but it also happened in the previous
versions.

Thanks in advance,
Diana.
http://www.anrb.ru/linux/sendmail.html


 
Newsgroups: comp.mail.sendmail
From: "D. Stussy" <s...@bde-arc.ampr.org>
Date: Mon, 21 Jan 2008 13:20:07 -0800
Local: Mon, Jan 21 2008 4:20 pm
Subject: Re: reject=553 and stat=Sent simultaneously
"Sciurus" <sciu...@mail.ru> wrote in message

news:9901f586-abc7-499d-9e2d-f9a2c328d53e@k39g2000hsf.googlegroups.com...
Fragment of my sendmail.mc:
KCH1 regex -a@YES outblaze|check1check|mindspring|bigfoot|...
-------------
[skip]
KChHeader sequence CH1 CH2 CH3 CH4 CH5 CH6

HReceived:                      $>+CheckReceived
SCheckReceived
R$*                     $: $(ChHeader $1 $)
R@YES                   $#error $: "553 There is spam domain in the
header."
----------
=> 553?  Should be 554.  553 implies a syntax error was found.  "554 5.7.1
...." is the correct error sequence for what you're doing.

These rules caught the domain "telia.com".  maillog:

Jan 16 18:29:35 mail sendmail[16777]: m0GDTVAR016777: from=<>, size=3420,
class=0, nrcpts=1,
...
ruleset=CheckReceived, arg1= from h195n2fls301o260.telia.com
(81.230.233.195) by pne-smtpout2-sn1.fre.skanova.net (7.3.129)\n        id
478E02C700000E83 for ipnfi...@olcon.murmansk.ru; Wed, 16 Jan 2008 14:21:05
+0100, relay=relay.an.ru [213.142.209.142], reject=553 5.0.0
<consig...@anrb.ru>... There is spam domain in the header."
Jan 16 18:29:36 mail sendmail[16796]: m0GDTVAR016777:
to=<consig...@anrb.ru>, delay=00:00:01, xdelay=00:00:00, mailer=local,
pri=33750, dsn=2.0.0, stat=Sent
------------

But there isn't telia.com in the main header.  It is in the internal
Received in the message body.  It seems that the original spam mail had a
forged sender address and the bounce message was delivered to my user.

I read that "sendmail.cf checks only "top level headers"
(http://groups.google.com/group/comp.mail.sendmail/browse_frm/thread/f...
1c96bf80b/e43880ae2f6bccde?tvc=1&q=sciurus).  But what does this maillog
record mean ( ruleset=CheckReceived ...reject=553 ...)?

Does it mean that sendmail.cf checks internal headers anyway but the result
doesn't matter for sendmail?

=> CORRECT!  Internal headers in MIME parts do get checked but their results
are not acted on.

Sometimes the same thing happens with other rulesets (CheckSubject,
CheckFrom, CheckHeader).  Now I use sendmail 8.14.2 but it also happened in
the previous versions.
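
A log check for the situation discussed in this thread, as an added example that is not part of either post: it pairs maillog entries by queue ID and reports messages that logged a header-ruleset reject yet were still delivered with stat=Sent. The sample lines are constructed from the log format shown above, with placeholder addresses and documentation IP ranges.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the maillog in the thread: one syslog entry
# per line, addresses and relays replaced with placeholders.
SAMPLE_LOG = """\
Jan 16 18:29:35 mail sendmail[16777]: m0GDTVAR016777: from=<>, size=3420, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=relay.example.net [192.0.2.10]
Jan 16 18:29:36 mail sendmail[16796]: m0GDTVAR016777: ruleset=CheckReceived, arg1= from host.telia.com (198.51.100.7) by mx.example.net, relay=relay.example.net [192.0.2.10], reject=553 5.0.0 <user@example.org>... There is spam domain in the header.
Jan 16 18:29:36 mail sendmail[16796]: m0GDTVAR016777: to=<user@example.org>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=33750, dsn=2.0.0, stat=Sent
Jan 16 18:31:02 mail sendmail[16901]: m0GDV1AR016901: ruleset=CheckSubject, arg1= test, relay=[203.0.113.5], reject=553 5.0.0 Rejected
Jan 16 18:33:10 mail sendmail[16950]: m0GDX9AR016950: to=<other@example.org>, delay=00:00:02, mailer=local, dsn=2.0.0, stat=Sent
"""

# "sendmail[pid]: <queue id>: <rest of entry>"
ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$")
REJECT = re.compile(r"ruleset=(?P<ruleset>\w+),.*\breject=(?P<code>\d{3})")
SENT = re.compile(r"\bto=(?P<to>[^,]+),.*\bstat=Sent\b")


def reject_but_delivered(lines):
    """Return queue IDs that logged a ruleset reject and were still delivered."""
    rejects = defaultdict(list)    # qid -> [(ruleset, reply code)]
    delivered = defaultdict(list)  # qid -> [recipient]
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue
        qid, body = entry["qid"], entry["body"]
        if (m := REJECT.search(body)):
            rejects[qid].append((m["ruleset"], m["code"]))
        elif (m := SENT.search(body)):
            delivered[qid].append(m["to"])
    # Only queue IDs present in both maps show the mismatch from the thread.
    return {
        qid: {"rejects": rejects[qid], "delivered_to": delivered[qid]}
        for qid in rejects if qid in delivered
    }


if __name__ == "__main__":
    for qid, info in reject_but_delivered(SAMPLE_LOG.splitlines()).items():
        print(qid, info)
```

Run against a real maillog, each hit is a message whose embedded headers matched a header ruleset while the message itself was accepted, which is the case to review when tuning such rules.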


 