procmail

Re: Received: from... IP address format??

1997-12-18 22:57:50
Philip Guenther wrote:

> Okay, neither of us are correct: you want the last one that
> you're sure was generated by your ISP, so that someone can't forge
> a Received: header that looks like it was inserted by your ISP and
> that contains an innocuous IP.  With some ISPs there aren't any
> internal hops, and the above will work.  With others, the 'gateway'
> hosts all match some pattern of hostname

  My question was about the IP address format only.  It looks like *I*
can use my current format of "[nnn.nnn.nnn", although I should get
rid of the "[" if I want to post the method in a web page for other
users in general.
  However, it's nice to know that other people on this list agree with
my general algorithm.  My ISP is "interlog.com", but sometimes there
is an internal mail machine inside "interlog" in the headers.  Two
examples from my spam-header log file (ignore first 3 lines) are...

////////////////////////////////////////01
procmail: Kernel-lock failed
From 75641_68(_at_)zipp-ppo(_dot_)com  Wed Dec 17 21:10:06 1997
Received: from ns7.cyberserverscentral.com ([208.223.112.7])
        by gold.interlog.com (8.8.5/8.8.5) with ESMTP id VAA29509;
        Wed, 17 Dec 1997 21:09:58 -0500 (EST)

////////////////////////////////////////01
procmail: Kernel-lock failed
From taxman(_at_)venus(_dot_)gmds(_dot_)com  Thu Dec 11 21:22:52 1997
Received: from mx2.mail.interlog.net 
(root(_at_)mx2(_dot_)mail(_dot_)interlog(_dot_)net
[198.53.145.12])
        by gold.interlog.com (8.8.5/8.8.5) with ESMTP id VAA04677;
        Thu, 11 Dec 1997 21:22:50 -0500 (EST)
From: taxman(_at_)venus(_dot_)gmds(_dot_)com
Received: from mercury.gmds.com (root(_at_)[206(_dot_)98(_dot_)109(_dot_)20])
        by mx2.mail.interlog.net (8.8.5/8.8.5) with ESMTP id VAA16417;
        Thu, 11 Dec 1997 21:05:10 -0500 (EST)

  That's right folks; "interlog.com" *AND* "interlog.net".  My control
file specifies the string ".interlog." to indicate machines internal to
my ISP's system.  BTW, I think that you and Aaron are both talking about
the same thing but using a different language<g>.  It's the *FIRST*
external system "Received: from" header if you read the file from the
top down, or the *LAST* if you use chronological sequence (i.e. from the
bottom up).  That always seems to create confusion.
  I find that specifying addresses that I'll allow is a very good
filter, but one or so per month gets through.  It's that last little bit
I'm going after.  And if spammers ever do figure out how to get each spam
message addressed "To: <my-real-email-id>" rather than obvious stuff
like "To: friend(_at_)public(_dot_)com", then IP-address-based blocking will be
all that's left.
  I'm harvesting spam headers to a log file, and using that file and an
offline "roboproc" program to generate a .procmailrc.  I do *NOT* have
procmail figure out the "first/last" <g> external header.  That's
an unnecessary load on the system.  I download and clean out the spam
logfile every so often and have a program on my home machine parse out
headers in a brute-force line-by-line approach.  I use QBASIC, because
I know it, it's quick-n-dirty, and it's free on my system.  If my home
machine was unix, I'd probably have learned perl/awk/python or whatever.
Anyways, the last part of my generated "roboproc" is...

##################### Start snippet
:0: notspam.lock
* !^Received:.from.*\[24\.92\.0\.
* !^Received:.from.*\[24\.92\.32\.
* !^Received:.from.*\[24\.112\.126\.
* !^Received:.from.*\[128\.125\.253\.
# etc, etc, etc; currently 110 lines and growing
# as the spammers keep feeding more machines
* !^Received:.from.*\[209\.63\.23\.
* !^Received:.from.*\[209\.136\.73\.
* !^Received:.from.*\[209\.136\.134\.
$DEFAULT

LOG="////////////////////////////////////////02
"

:0hc: phase2.lock
$LOGFILE

:0: rejects2.lock
$BACKUPFILE
##################### End snippet

  $LOGFILE contains spam headers, and $BACKUPFILE is a just-in-case
backup.  I use a control file to add constant information, including
my ISP, "trusted domains" (e.g. mailing lists) that I don't want
blocked regardless of spam being sent, and miscellaneous stuff like
formail recipes to...
  1) kill duplicates and...
  2) replace the "Reply-To:" header in messages from this group with
     "Reply-To: procmail(_at_)informatik(_dot_)RWTH-Aachen(_dot_)DE", so that I
     can simply hit "reply" 99% of the time<g>.

-- 
Walter Dnes
waltdnes(_at_)interlog(_dot_)com
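The "roboproc" program described above is QBASIC and is not shown in the post; the following is an added illustration (not Walter's code and not part of procmail) of the same top-down "first external hop" rule in Python. It assumes the spam-header log layout shown in the post, `.interlog.` as the control-file string for internal hosts, and the bracketed-IP condition format of the snippet; the sample log is constructed from the second example.

```python
import re
# Constructed sample in the layout of the poster's spam-header log (separator,
# lock message, envelope From, then headers; folded lines start with whitespace).
SAMPLE_LOG = """\
////////////////////////////////////////01
procmail: Kernel-lock failed
From taxman@venus.gmds.com  Thu Dec 11 21:22:52 1997
Received: from mx2.mail.interlog.net (root@mx2.mail.interlog.net
        [198.53.145.12])
        by gold.interlog.com (8.8.5/8.8.5) with ESMTP id VAA04677;
        Thu, 11 Dec 1997 21:22:50 -0500 (EST)
From: taxman@venus.gmds.com
Received: from mercury.gmds.com (root@[206.98.109.20])
        by mx2.mail.interlog.net (8.8.5/8.8.5) with ESMTP id VAA16417;
        Thu, 11 Dec 1997 21:05:10 -0500 (EST)
"""
INTERNAL = ".interlog."  # control-file string marking the ISP's own hosts
SEPARATOR = "////////////////////////////////////////"
HOP = re.compile(r"^Received:\s+from\s+(\S+)\s+(.*?)\bby\s+(\S+)", re.I)
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold_headers(lines):
    """Join folded continuation lines so each header is one string."""
    headers = []
    for line in lines:
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers

def first_external_hop(headers):
    """First Received: (top down) where an ISP host accepted mail from outside."""
    for h in headers:  # internal hops (gold <- mx2) are skipped; stop at the first hit
        m = HOP.match(h)
        if m and INTERNAL in m.group(3) and INTERNAL not in m.group(1):
            ip = IP.search(m.group(1) + " " + m.group(2))
            return ip.group(1) if ip else None

def block_condition(ip):
    """Procmail condition for that hop's /24, in the poster's own format."""
    a, b, c, _ = ip.split(".")
    return r"* !^Received:.from.*\[%s\.%s\.%s\." % (a, b, c)

def spam_log_to_conditions(log_text):
    """One condition per distinct /24 across every message in the log."""
    conditions = []
    for chunk in log_text.split(SEPARATOR)[1:]:
        ip = first_external_hop(unfold_headers(chunk.splitlines()[3:]))
        if ip and block_condition(ip) not in conditions:
            conditions.append(block_condition(ip))
    return conditions
```

Anything below the first external hop is never consulted, which is what keeps a Received: line forged by the sender from steering the block list.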
