Andrew O. Smith - <aos(_at_)insync(_dot_)net> wrote:
> What I'd like to do is come up with a recipe that'll detect these. I.e.
> count the number of received headers and if there's only one, dump it. If
> there's more than one, check to see which ones are just passing through my
> local mail servers, and if none remain after eliminating those, dump it.
> Any takers?

Versions of this have been working fine for me since the RapidFire stuff first
hit the fan. Change MYDOM_RE to match your domain, and place your choice of
actions in the final { }. You will also have to remove the comments from the
continuation and condition lines and convert the '\t's to tabs (I use a
preprocessor to filter this).

Of course, if mail is passed through more than one host inside your domain, as
it is for some, a different algorithm will be needed to isolate the proper
Received header. This handles the situation you described, and in which I
find myself for my Netcom account.

MYDOM_RE=[^x]\.netcom\.com ## for message-id checking, exclude ix.netcom.co
DIALUPS_RE="(\.\ ## NOTE check these often for possible misfires
(ipt\.aol|(dub|(hi|ar)l|sf)\.compuserve|dialup\.mindspring)\.com\
|(us\.ibm|(da|ms)\.uu\
|dial(-access\.att|sprint|up\.(earthlink|winco))\
|p(ub-ip\.psi|opi\.prodigy))\.net\
)"
:0 ## look for RapidFireMailSystem and
* 2^0 ## the ilk. Typically only one Rcvd
* -1^1 ^\/Received:.* ## header, from a dialup server to here,
* $ MATCH ?? from[ \t]+(\ ## containing
[0-9.]+\ ## just an ip address
|[-0-9a-z]+\ ## or name without dots
|[-0-9a-z.]+$DIALUPS_RE)\ ## or known dialup with leading subdoms
[ \t]+\(\/[-0-9a-z.]+[ \t] ## and trailing resolution with space
* $ ^Message-Id:.*$MYDOM_RE> ## and a local message-id
* MATCH ?? \\/[^ \t]+ ## (remove trailing space)
{ TEMPRULE=${TEMPRULE}R HIT="$HIT$LF*Matched $MATCH" } ## tag it
--
Rik Kabel Old enough to be an adult
rik(_at_)netcom(_dot_)com
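
A Python model of the recipe's conditions (exactly one Received header, a bare-IP, undotted or known-dialup sender in it, and a local Message-Id), added here as an example for testing the logic against sample headers; it is not part of the original post. MYDOM_RE and DIALUPS_RE are copied from the recipe; the function names, host names and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# Patterns copied from the recipe above; procmail matches case-insensitively.
MYDOM_RE = r"[^x]\.netcom\.com"
DIALUPS_RE = (r"(\.(ipt\.aol|(dub|(hi|ar)l|sf)\.compuserve|dialup\.mindspring)\.com"
              r"|(us\.ibm|(da|ms)\.uu"
              r"|dial(-access\.att|sprint|up\.(earthlink|winco))"
              r"|p(ub-ip\.psi|opi\.prodigy))\.net)")
# "from" + bare IP, undotted name, or known dialup host, then "(resolved-name ".
FROM_RE = re.compile(
    r"from[ \t]+(?:[0-9.]+|[-0-9a-z]+|[-0-9a-z.]+" + DIALUPS_RE + r")"
    r"[ \t]+\((?P<name>[-0-9a-z.]+)[ \t]", re.I)
LOCAL_ID_RE = re.compile(MYDOM_RE + ">", re.I)


def direct_dialup_hit(raw):
    """Return the resolved sender name if all recipe conditions hold, else None."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if len(received) != 1:        # recipe score: 2, minus 1 per Received, must be > 0
        return None
    hop = re.sub(r"\s*\n\s+", " ", received[0])   # unfold continuation lines
    m = FROM_RE.search(hop)
    if not m or not LOCAL_ID_RE.search(msg.get("Message-Id", "")):
        return None
    return m.group("name")        # captured without the trailing space


def sample(received, msgid):
    """Build a constructed test message from Received values and a Message-Id."""
    hdrs = "".join("Received: %s\n" % r for r in received)
    return hdrs + "Message-Id: <%s>\nSubject: test\n\nbody\n" % msgid


# Constructed hops: documentation IP ranges, hypothetical host names.
IP_HOP = ("from 192.0.2.77 (pool7.dialup.mindspring.com [192.0.2.77])\n"
          "\tby mail.netcom.com")
RELAY_HOP = ("from relay.example.org (relay.example.org [198.51.100.5])"
             " by mail.netcom.com")
LOCAL_ID = "199711020101.AAA1@mail.netcom.com"

if __name__ == "__main__":
    for hops in ([IP_HOP], [IP_HOP, RELAY_HOP], [RELAY_HOP]):
        print(len(hops), "hop(s) ->", direct_dialup_hit(sample(hops, LOCAL_ID)))
```

Mail that legitimately passes through a second relay, or that carries an ix.netcom.com Message-Id, falls outside the match, which is the limitation the post itself notes for multi-host domains.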