Here's my first release candidate for a functional filter
that uses the DNS-based block-lists. I've included the 4
best-known lists for completeness. You may want to use
only one or two of them or you may want to add another one
altogether. (Have I missed any?). Comments, especially
suggestions for improvement/optimization are invited.
The filter requires one customization. You have to enter
your ISP's domain name into the MYISP variable, i.e.
everything to the right of the @-sign. Users of virtual
domains, please note: it is your ISP's domain that goes
here, not the virtual one. If you are
"joeuser(_at_)fubar(_dot_)tld" you would enter...
MYISP="fubar\.tld"
MYISP is used as a regexp, so regexp special characters
like periods must be escaped.
Since my ISP, Interlog owns both "interlog.com" and
"interlog.net" domains, I have to include them both in
the MYISP variable, as in the example below.
The algorithm to pick up the hand-off from the external
ISP to your ISP is to look for a "Received: from" line
which satisfies the 2 conditions...
1) It is received *BY* your ISP
2) It is *NOT* received *FROM* your ISP
Note that this will also *NOT* match another user at
your ISP sending an email to you. This is correct
behaviour, because your ISP's mailserver will be
*LEGITIMATELY* receiving email direct from the other
party. You do *NOT* want to filter a dial-up at your
ISP against DUL or DSSL <g>.
After some experimentation, I decided to walk down
the chain of "Received: from" headers. This is generally
quicker, and also protects against forged headers
inserted by spamware further down the chain.
Notes:
1) MAPS/DUL uses IP 127.0.0.3 rather than 127.0.0.2
like the other services. (127.0.0.2 is probably spoken
for by MAPS/RBL on their system).
2) The following 3 matches put the 1st, 2nd, and 3rd
"Received: from" headers (respectively) into the MATCH
variable...
* ()\/Received: from.*
* ^Received: from(.*$)+\/Received: from.*$
* ^Received: from(.*$)+Received: from(.*$)+\/Received: from.*$
The logic flow is as follows...
- initialize MYISP and IPEXTERNAL variables
- load first "Received: from" header
- check whether it's the external hand-off header; if
so, load the external machine's IP address into var
IPEXTERNAL
- if IPEXTERNAL hasn't been set from the 1st "Received: from"
header, repeat the same checks on the 2nd
- if IPEXTERNAL still hasn't been set, repeat the same
checks on the 3rd "Received: from" header
This handles up to 2 internal hand-offs. If your email
traverses a "bucket-brigade", more lines could be added.
If after all this, IPEXTERNAL hasn't been set, forget
it.
- If IPEXTERNAL has a dotted quad, the next step is to
decompose it into individual pieces and reverse the
order as expected by DNS lookups.
- Now feed the reversed dotted quad plus the blocklist
nameserver name into nslookup. The back-quotes are the
unix shell's command substitution: they capture the
output of the quoted command into the named string-var.
- If the string-var contains the string "127.0.0.2"
("127.0.0.3" for MAPS/DUL) insert an explanatory
"X-Reject:" header into the message.
- At the very end, check for "X-Reject:" headers; if
found, divert the email.
W H E W !
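To make the flow above concrete, here is an added worked example in Python (my own illustration, not part of the original recipe) that does the same job end to end: it walks down the "Received: from" headers, applies the two hand-off conditions (received BY my ISP, NOT received FROM my ISP), reverses the dotted quad, builds the blocklist query name for each of the four zones in the recipe, and emits an "X-Reject:" line when the answer equals the zone's listing address (127.0.0.3 for MAPS/DUL, 127.0.0.2 for the rest). The ISP domain (fubar.tld), the message headers and the DNS answers are all constructed; the nslookup call is replaced by a pluggable resolver so the example runs offline. One design choice: continuation lines of each Received header are folded onto one line before matching, so the "by" clause is seen even when the MTA wraps the header.

```python
import re
from typing import Callable, Iterable, List, Optional

# Zone, label used in the X-Reject header, and the answer that means
# "listed" (from the recipe; MAPS/DUL answers 127.0.0.3, the others 127.0.0.2).
BLOCKLISTS = [
    ("mr-out.imrss.org", "DSSL", "127.0.0.2"),
    ("dul.maps.vix.com", "DUL", "127.0.0.3"),
    ("relays.orbs.org", "ORBS", "127.0.0.2"),
    ("rbl.maps.vix.com", "RBL", "127.0.0.2"),
]

# Hypothetical ISP domain, written as a regexp exactly like MYISP.
MYISP = r"fubar\.tld"

# Constructed headers: the external hand-off is the 3rd Received line
# (spamhost.example handing the message to relay.fubar.tld).
SAMPLE_HEADERS = (
    "Received: from mail.fubar.tld (mail.fubar.tld [192.0.2.10])\n"
    "\tby pop.fubar.tld with ESMTP id x1 for <joeuser@fubar.tld>\n"
    "Received: from relay.fubar.tld (relay.fubar.tld [192.0.2.11])\n"
    "\tby mail.fubar.tld with ESMTP id x2\n"
    "Received: from spamhost.example (spamhost.example [198.51.100.7])\n"
    "\tby relay.fubar.tld with SMTP id x3\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby spamhost.example with SMTP id x4\n"
)

# Constructed headers for the case the post calls out: another customer
# of the same ISP mailing you directly.  No external hand-off exists.
LOCAL_HEADERS = (
    "Received: from dialup-1.fubar.tld (dialup-1.fubar.tld [192.0.2.50])\n"
    "\tby mail.fubar.tld with ESMTP id y1\n"
)

# Same idea as the recipe's  Received:.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
IP_RE = re.compile(r"Received:.*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")


def unfold_headers(raw: str) -> List[str]:
    """Join continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_headers(raw: str) -> List[str]:
    """Received: from headers, top of message (newest hop) first."""
    return [h for h in unfold_headers(raw) if h.startswith("Received: from")]


def is_external_handoff(header: str, myisp: str) -> bool:
    """The recipe's two conditions: received BY my ISP and NOT FROM my ISP."""
    by_isp = re.search(r"Received: from.*\[.*\].*by.*" + myisp, header)
    from_isp = re.search(r"Received: from.*" + myisp + r".*\[.*\]", header)
    return bool(by_isp) and not from_isp


def find_external_ip(raw: str, myisp: str, max_hops: int = 3) -> Optional[str]:
    """Walk down the first max_hops Received headers (the recipe checks 3)."""
    for header in received_headers(raw)[:max_hops]:
        if is_external_handoff(header, myisp):
            m = IP_RE.search(header)
            if m:
                return m.group(1)
    return None  # "forget it": no hand-off within reach


def reverse_quad(ip: str) -> str:
    """198.51.100.7 -> 7.100.51.198, the order DNS-based lists expect."""
    return ".".join(reversed(ip.split(".")))


def blocklist_query(ip: str, zone: str) -> str:
    """Name to look up: reversed quad joined to the blocklist zone."""
    return f"{reverse_quad(ip)}.{zone}"


def reject_headers(ip: str, resolve: Callable[[str], Iterable[str]]) -> List[str]:
    """Query every zone; an answer equal to its listing code means listed.
    `resolve` stands in for nslookup: it returns the A records for a
    name, or nothing when the name does not exist."""
    rejects: List[str] = []
    for zone, label, listed_code in BLOCKLISTS:
        if listed_code in list(resolve(blocklist_query(ip, zone))):
            rejects.append(f"X-Reject: IP {ip} is in {label}.")
    return rejects


def fake_resolver(table: dict) -> Callable[[str], List[str]]:
    """Offline stand-in for DNS, built from a constructed answer table."""
    return lambda name: table.get(name, [])


def filter_message(raw: str, myisp: str, resolve) -> List[str]:
    """Whole flow: find the hand-off IP, then collect X-Reject headers."""
    ip = find_external_ip(raw, myisp)
    return [] if ip is None else reject_headers(ip, resolve)


if __name__ == "__main__":
    # Constructed answers: the sample IP is listed by ORBS and MAPS/DUL only.
    resolver = fake_resolver({
        "7.100.51.198.relays.orbs.org": ["127.0.0.2"],
        "7.100.51.198.dul.maps.vix.com": ["127.0.0.3"],
    })
    print(filter_message(SAMPLE_HEADERS, MYISP, resolver))
    print(filter_message(LOCAL_HEADERS, MYISP, resolver))
```

Running it prints the two DUL/ORBS reject headers for the sample message and an empty list for the local one. Raising `max_hops` is the Python equivalent of adding more "Received: from" blocks to the recipe for a longer bucket-brigade.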
################### BEGIN BLOCKLIST RECIPE ###################
MYISP="interlog\.(com|net)"
IPEXTERNAL="XXXXXX"
:0
* ()\/Received: from.*
{ TEST=${MATCH}
:0
*$ TEST ?? Received: from.*\[.*\].*by.*${MYISP}
*$! TEST ?? Received: from.*${MYISP}.*\[.*\]
*$ TEST ?? Received:.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
{ IPEXTERNAL=$MATCH }}
:0
* IPEXTERNAL ?? XXXXXX
* ^Received: from(.*$)+\/Received: from.*$
{ TEST=${MATCH}
:0
*$ TEST ?? Received: from.*\[.*\].*by.*${MYISP}
*$! TEST ?? Received: from.*${MYISP}.*\[.*\]
*$ TEST ?? Received:.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
{ IPEXTERNAL=$MATCH }}
:0
* IPEXTERNAL ?? XXXXXX
* ^Received: from(.*$)+Received: from(.*$)+\/Received: from.*$
{ TEST=${MATCH}
:0
*$ TEST ?? Received: from.*\[.*\].*by.*${MYISP}
*$! TEST ?? Received: from.*${MYISP}.*\[.*\]
*$ TEST ?? Received:.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
{ IPEXTERNAL=$MATCH }}
:0
*$!IPEXTERNAL ?? XXXXXX
* IPEXTERNAL ?? ()\/[0-9]+
{ QUAD1=$MATCH
:0
* IPEXTERNAL ?? [0-9]+\.\/[0-9]+
{ QUAD2=$MATCH
:0
* IPEXTERNAL ?? [0-9]+\.[0-9]+\.\/[0-9]+
{ QUAD3=$MATCH
:0
* IPEXTERNAL ?? [0-9]+\.[0-9]+\.[0-9]+\.\/[0-9]+
{ REVERSED="${MATCH}.${QUAD3}.${QUAD2}.${QUAD1}"
NSLOOKUP=`nslookup ${REVERSED}.mr-out.imrss.org`
:0fh
*$ NSLOOKUP ?? 127\.0\.0\.2
| formail -A "X-Reject: IP $IPEXTERNAL is in DSSL."
NSLOOKUP=`nslookup ${REVERSED}.dul.maps.vix.com`
:0fh
*$ NSLOOKUP ?? 127\.0\.0\.3
| formail -A "X-Reject: IP $IPEXTERNAL is in DUL."
NSLOOKUP=`nslookup ${REVERSED}.relays.orbs.org`
:0fh
*$ NSLOOKUP ?? 127\.0\.0\.2
| formail -A "X-Reject: IP $IPEXTERNAL is in ORBS."
NSLOOKUP=`nslookup ${REVERSED}.rbl.maps.vix.com`
:0fh
*$ NSLOOKUP ?? 127\.0\.0\.2
| formail -A "X-Reject: IP $IPEXTERNAL is in RBL."
}}}}
:0
* ^X-Reject:
junkmail
#################### END BLOCKLIST RECIPE ####################
--
Walter Dnes <waltdnes(_at_)interlog(_dot_)com> procmail spamfilter
http://www.interlog.com/~waltdnes/spamdunk/spamdunk.htm
Why a fiscal conservative opposes Toronto 2008 OWE-lympics
http://www.interlog.com/~waltdnes/owe-lympics/owe-lympics.htm