I'm alpha-testing my IP-address-based filter, and I may have to do
some rewriting. This may be somewhat of an RFC header question. It
seems that the last external IP address (before the email reaches my
ISP's system) is always surrounded by square brackets like so...
Received: from LLCAPP (llciis.logicallink.com [207.34.94.5])...
Is that a safe assumption to make? Will it be a safe assumption
for anyone else to make on their system? Further on down the headers,
I can actually see stuff like so...
Received: from llciis.logicallink.com(207.34.94.5) ...
Received: from cyqrd1p34.logicallink.com - 207.34.100.94 ...
...i.e. IP addresses surrounded by parentheses or spaces. This
is NOT forged spam headers, BTW. My automated procmail recipie
generator only goes after the final IP address that passed a spam to
my ISP. I don't assume that any further IP addresses are valid, as
spammers tend to forge header lines to try to cover their tracks.
--
Walter Dnes
waltdnes(_at_)interlog(_dot_)com