In the drilldown section, a received entry describes received headers that will contain IPs that should be ignored as infrastructure. This allows SNF + GBUdb to learn new friendly IPs automatically. Candidate message sources that match drilldown received header directives are eligible to be ignored.

A drilldown received header directive designed to match servers in a particular IP block (12.34.56.0/24) might look like this:

<received ordinal='0' find='[12.34.56.'/> 

The attribute ordinal='0' indicates that the pattern must match the top most received header.

The attribute find='[12.34.56.' indicates that the string [12.34.56. must appear in the received header. Typically this would be the connecting IP. Since all IPs in that block will match that string, then any message originating in that block will match this pattern.

Large ISPs might send both good and bad messages for many reasons. It helps to be able to see past the ISPs servers to the original message source. A drilldown received header directive designed to match servers from an ISP might look like this:

<received ordinal='0' find='mixed-source.com'/>  

The attribute find='mixed-source.com' indicates that the string mixed-source.com must appear in the received header. Normally this would be part of the PTR record looked up by the local MTA when the mixed-source server connected.

Please email support@armresearch.com with any questions.