Excerpts from mail: (05-Nov-97) Re: Received: headers after From: by David W Tamkin

Stan Ryckman corrected my response to Gary Sutter:

Huh? Both of you guys would pick off all mail containing both From: and
Received: headers, I think, and that's most mail. The request was for
Received: *after* From: (which, while it doesn't indicate spam
specifically, generally shows up in mail sent originally without From: and
which has had that header added later using the envelope).

Thanks to Stan for catching that. He's absolutely right ... I
overlooked Gary's subject and text to go by his suggested code, which
would operate on any mail with both From: and Received:; as Stan said,
that's virtually all mail.

I think you want something like:

:0
* ^From:.*^+Received:
{ ACTION }

(does that work as written though?)

Almost:

* ^From:(.+^)+Received:

Unfortunately, nobody has yet posted the solution to Greg's original request
specifically: How does one get rid of all Received: headers that come after a
From: header? Of course, it's highly debatable whether one should do this or
not. Legitimate e-mail can be sent without a From: header and most versions
of sendmail will add a From: header based on the envelope if there isn't
already a From: header. In circumstances like this, the Received: headers
that come after the From: header are valid and potentially useful. On the
other hand, these days you're more likely to be dealing with spam with faked
Received: headers than with legitimate e-mail, so I'll leave it up to you
whether this is a worthwhile thing to do or not. Anyway, the procmail-only
solution to this problem uses a recursive INCLUDERC. (Check out
archive/latest/14033 and archive/latest/14791 and their related threads in
the procmail archives if you want some back history on this topic.)
In your .procmailrc, put the following:
#--------------------------------------------------------------------------
# You might want to increase LINEBUF beyond the default size.

:0
* ^From:(.*$)+Received:
* $ < ${LINEBUF}
* ^^\/(.*$)+
{
  HEADERLINES = $MATCH
  AFTERFROM = 0
  NEWHEADER = ""

  INCLUDERC = received-after-from.rc

  :0hfwi
  * AFTERFROM ?? ^^2^^
  * NEWHEADER ?? .
  | echo "$NEWHEADER"
}
#--------------------------------------------------------------------------
Then, in the file received-after-from.rc:
#--------------------------------------------------------------------------
:0
* HEADERLINES ?? ^^(.*$)\/(.*$)+
{ REMAININGLINES = $MATCH }
:0E
{ REMAININGLINES }

:0
* HEADERLINES ?? ^^\/.*$
{ THISLINE = $MATCH }
:0E
{ THISLINE }

:0
* AFTERFROM ?? ^^[12]^^
* THISLINE ?? ^Received:
{
  THISLINE = ""
  AFTERFROM = 2
}
:0E
* AFTERFROM ?? ^^0^^
* THISLINE ?? ^From:
{ AFTERFROM = 1 }

NEWHEADER = "$NEWHEADER$THISLINE"

# Now recurse if there are any remaining lines.
:0
* REMAININGLINES ?? .
{
  HEADERLINES = $REMAININGLINES
  INCLUDERC = $_
}
#--------------------------------------------------------------------------
Caveat reader: I haven't tested the above code specifically, but it is
largely based on code that I have tested and used. Also, you need procmail
version 3.11pre5 or higher or else procmail will strip the newlines from the
end of MATCHes.
Later,
Ed
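
The same header edit as a stdin-to-stdout filter, added here as an example and not part of Ed's message or of procmail itself: it drops every Received: field that follows the first From: field, together with that field's folded continuation lines, and a second function only counts such fields so the condition can be used as a signal instead. The function names and the sample message are constructed for illustration, and a POSIX awk is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample: mbox "From " line, two Received: fields before From:,
# one folded Received: field after it, and a look-alike line in the body.
sample_message() {
  cat <<'EOF'
From sender@example.com Wed Nov  5 12:00:00 1997
Received: from relay.example.net (relay.example.net [192.0.2.10])
    by mx.example.org with SMTP id AA001
Received: from origin.example.com by relay.example.net
From: sender@example.com
Received: from forged.example.invalid (unknown [198.51.100.7])
    by nowhere.example.invalid with SMTP id ZZ999
Subject: test
To: user@example.org

Received: this line is body text and must survive
EOF
}

# Copy stdin to stdout, dropping each Received: field (with its folded
# continuation lines) that appears after the first From: header field.
strip_received_after_from() {
  awk '
    in_body  { print; next }                # body: copy verbatim
    /^$/     { in_body = 1; print; next }   # blank line ends the header
    /^[ \t]/ { if (!drop) print; next }     # folded line follows its field
    {
      drop = (seen_from && tolower($0) ~ /^received:/)
      if (tolower($0) ~ /^from:/) seen_from = 1
      if (!drop) print
    }
  '
}

# Print how many Received: fields follow From: (a signal, nothing removed).
count_received_after_from() {
  awk '
    /^$/ { exit }                           # stop at the end of the header
    tolower($0) ~ /^from:/ { seen_from = 1; next }
    seen_from && tolower($0) ~ /^received:/ { n++ }
    END { print n + 0 }
  '
}

sample_message | strip_received_after_from
```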