Hacker News

trympet yesterday at 8:23 PM (3 replies)

Do any of the legit scene groups sign their binaries? How do you know a release isn’t tainted?


Replies

aeyes yesterday at 11:28 PM

Info from veeery long ago because I have been out of this stuff for over a decade:

The release will have an .sfv file with a CRC32 checksum for each rar file.

The FTP server checks them after the upload completes. Back in the day glftpd with zipscript was a very popular tool to manage an FTP site. This Readme sums it up well: https://github.com/pzs-ng/pzs-ng

The sfv can be tampered with but the propagation of releases to FTPs happens very fast, within minutes. It would take you longer to meaningfully alter it than it takes the racers to distribute the original files. And once the release is completely uploaded you can't modify the files anymore.

If the release is bad, for example if it doesn't work at all or if it contains a virus, then it simply gets nuked. This propagates within minutes.

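Added example, not part of the thread and not pzs-ng code: the per-file CRC32 check against an .sfv that the comment above describes, written in Python. It assumes the common SFV layout (one `filename crc32hex` pair per line, `;` comment lines) and uses constructed in-memory sample files; because CRC32 is unkeyed, the check catches transfer corruption, while a replaced file shipped with a regenerated .sfv still passes.

```python
import zlib

def parse_sfv(text):
    """Parse SFV text into {filename: crc32 as int}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # ';' starts a comment line
            continue
        # CRC is the last whitespace-separated token; names may contain spaces.
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or len(parts[1]) != 8:
            raise ValueError(f"malformed SFV line: {raw!r}")
        entries[parts[0]] = int(parts[1], 16)  # ValueError if not hex
    return entries

def make_sfv(files):
    """Build SFV text for {filename: bytes}. Anyone can do this: no key is involved."""
    return "".join(f"{name} {zlib.crc32(data):08x}\n"
                   for name, data in sorted(files.items()))

def check_release(sfv_text, files):
    """Return {filename: 'ok' | 'bad' | 'missing'} for every SFV entry."""
    result = {}
    for name, want in parse_sfv(sfv_text).items():
        if name not in files:
            result[name] = "missing"
        elif zlib.crc32(files[name]) == want:
            result[name] = "ok"
        else:
            result[name] = "bad"
    return result

# Constructed sample data (hypothetical file names and contents).
ORIGINAL = {"demo.rar": b"part one", "demo.r00": b"part two"}
SFV = "; constructed sample\n" + make_sfv(ORIGINAL)

if __name__ == "__main__":
    corrupted = dict(ORIGINAL, **{"demo.r00": b"part twX"})
    print(check_release(SFV, ORIGINAL))    # intact upload
    print(check_release(SFV, corrupted))   # bit rot / bad transfer is caught
    swapped = {"demo.rar": b"other", "demo.r00": b"data"}
    # Different content with a freshly generated .sfv verifies cleanly:
    print(check_release(make_sfv(swapped), swapped))
```

Detecting substitution needs a keyed or signed digest whose key the uploader does not control, which CRC32 in an .sfv does not provide.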
r00t- yesterday at 9:27 PM

It's not a scene release. You know a release isn't tainted when you grab it from the source...
