DSSL/DUL/ORBS/RBL filter under procmail

1999-04-12 22:36:35
  Here's my first release candidate for a functional filter
that uses the DNS-based block-lists.  I've included the 4
best-known lists for completeness.  You may want to use
only one or two of them or you may want to add another one
altogether. (Have I missed any?).  Comments, especially
suggestions for improvement/optimization are invited.
  The filter requires one customization.  You have to enter
your ISP's domain name into the MYISP variable, i.e.
everything to the right of the @-sign.  Virtual domains
please note... your ISP's domain.  If you are
"joeuser(_at_)fubar(_dot_)tld" you would enter...

MYISP="fubar\.tld"

Regexp special characters like periods should be escaped.
Since my ISP, Interlog owns both "interlog.com" and
"interlog.net" domains, I have to include them both in
the MYISP variable, as in the example below.

  The algorithm to pick up the hand-off from the external
ISP to your ISP is to look for a "Received: from" line
which satisfies the 2 conditions...
  1) It is received *BY* your ISP
  2) It is *NOT* received *FROM* your ISP
  Note that this will also *NOT* match another user at
your ISP sending an email to you.  This is correct
behaviour, because your ISP's mailserver will be
*LEGITIMATELY* receiving email direct from the other
party.  You do *NOT* want to filter a dial-up at your
ISP against DUL or DSSL <g>.
  After some experimentation, I decided to walk down
the chain of "Received: from" headers.  This is generally
quicker, and also protects against forged headers
inserted by spamware further down the chain.

  Notes:
  1) MAPS/DUL uses IP 127.0.0.3 rather than 127.0.0.2
like the other services.  (127.0.0.2 is probably spoken
for by MAPS/RBL on their system).

  2) The following 3 matches put the 1st, 2nd, and 3rd
"Received: from" headers (respectively) into the MATCH
variable...
* ()\/Received: from.*
* ^Received: from(.*$)+\/Received: from.*$
* ^Received: from(.*$)+Received: from(.*$)+\/Received: from.*$

  The logic flow is as follows...
  - initialize MYISP and IPEXTERNAL variables
  - load first "Received: from" header
  - check whether it's the external hand-off header; if
    so load the external machine's IP address into var
    IPEXTERNAL
  - if IPEXTERNAL hasn't been set from the 1st "Received: from"
    header, repeat the same checks on the 2nd
  - if IPEXTERNAL hasn't been set yet, repeat the same
    checks on the 3rd "Received: from" header
  This handles up to 2 internal hand-offs.  If your email
traverses a "bucket-brigade", more lines could be added.

  If after all this, IPEXTERNAL hasn't been set, forget
it.
  - If IPEXTERNAL has a dotted quad, the next step is to
    decompose it into individual pieces and reverse the
    order as expected by DNS lookups.
  - Now feed the reversed dotted quad plus the blocklist
    nameserver name into nslookup.  The back-quote is a
    unix shell command to capture the output of the
    quoted command into the specified string-var.
  - If the string-var contains the string "127.0.0.2"
    ("127.0.0.3" for MAPS/DUL) insert an explanatory
    "X-Reject:" header into the message.
  - At the very end, check for "X-Reject:" headers; if
    found, divert the email.

  W H E W !

################### BEGIN BLOCKLIST RECIPE ###################
MYISP="interlog\.(com|net)"
IPEXTERNAL="XXXXXX"

:0
* ()\/Received: from.*
{ TEST=${MATCH}
  :0
  *$  TEST ?? Received: from.*\[.*\].*by.*${MYISP}
  *$! TEST ?? Received: from.*${MYISP}.*\[.*\]
  *$  TEST ?? Received:.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    { IPEXTERNAL=$MATCH }}

:0
* IPEXTERNAL ?? XXXXXX
* ^Received: from(.*$)+\/Received: from.*$
{ TEST=${MATCH}
  :0
  *$  TEST ?? Received: from.*\[.*\].*by.*${MYISP}
  *$! TEST ?? Received: from.*${MYISP}.*\[.*\]
  *$  TEST ?? Received:.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    { IPEXTERNAL=$MATCH }}

:0
* IPEXTERNAL ?? XXXXXX
* ^Received: from(.*$)+Received: from(.*$)+\/Received: from.*$
{ TEST=${MATCH}
  :0
  *$  TEST ?? Received: from.*\[.*\].*by.*${MYISP}
  *$! TEST ?? Received: from.*${MYISP}.*\[.*\]
  *$  TEST ?? Received:.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    { IPEXTERNAL=$MATCH }}

:0
*$!IPEXTERNAL ?? XXXXXX
*  IPEXTERNAL ?? ()\/[0-9]+
{ QUAD1=$MATCH
:0
*  IPEXTERNAL ?? [0-9]+\.\/[0-9]+
{ QUAD2=$MATCH
:0
*  IPEXTERNAL ?? [0-9]+\.[0-9]+\.\/[0-9]+
{ QUAD3=$MATCH
:0
*  IPEXTERNAL ?? [0-9]+\.[0-9]+\.[0-9]+\.\/[0-9]+
{ REVERSED="${MATCH}.${QUAD3}.${QUAD2}.${QUAD1}"

  NSLOOKUP=`nslookup ${REVERSED}.mr-out.imrss.org`
  :0fh
  *$ NSLOOKUP ?? 127\.0\.0\.2
  | formail -A "X-Reject: IP $IPEXTERNAL is in DSSL."

  NSLOOKUP=`nslookup ${REVERSED}.dul.maps.vix.com`
  :0fh
  *$ NSLOOKUP ?? 127\.0\.0\.3
  | formail -A "X-Reject: IP $IPEXTERNAL is in DUL."

  NSLOOKUP=`nslookup ${REVERSED}.relays.orbs.org`
  :0fh
  *$ NSLOOKUP ?? 127\.0\.0\.2
  | formail -A "X-Reject: IP $IPEXTERNAL is in ORBS."

  NSLOOKUP=`nslookup ${REVERSED}.rbl.maps.vix.com`
  :0fh
  *$ NSLOOKUP ?? 127\.0\.0\.2
  | formail -A "X-Reject: IP $IPEXTERNAL is in RBL."
}}}}

:0
* ^X-Reject:
junkmail
#################### END BLOCKLIST RECIPE ####################

-- 
Walter Dnes <waltdnes(_at_)interlog(_dot_)com> procmail spamfilter
http://www.interlog.com/~waltdnes/spamdunk/spamdunk.htm
Why a fiscal conservative opposes Toronto 2008 OWE-lympics
http://www.interlog.com/~waltdnes/owe-lympics/owe-lympics.htm
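Added example, not part of Walter's post or his recipe: the same three steps (find the hand-off hop, reverse the dotted quad, interpret the blocklist answer) written as POSIX shell functions so the logic can be exercised offline. MYISP_RE, the sample headers, the zone name dnsbl.example and the captured nslookup answers are all constructed assumptions; the functions unfold continuation lines first, which the procmail recipe (matching one physical line at a time) does not do.

```shell
#!/bin/sh
# Added example, not the recipe from the post. Assumed ISP pattern, same
# form as the MYISP variable in the recipe (regexp, dots escaped).
MYISP_RE='interlog\.(com|net)'

# Join folded header continuation lines onto their parent line.
unfold_headers() {
    awk 'NR > 1 && !/^[ \t]/ { printf "\n" }
         /^[ \t]/ { sub(/^[ \t]+/, " ") }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Walk the "Received: from" headers top-down (most recent hop first, as the
# recipe does) and print the bracketed IP of the first hop that satisfies:
#   1) received BY our ISP, and
#   2) NOT received FROM our ISP.
# Reads the header block on stdin; prints nothing when no hop qualifies.
find_handoff_ip() {
    unfold_headers | grep '^Received: from' |
    while IFS= read -r line; do
        # condition 1: a [bracketed] address, then "by <our ISP>"
        printf '%s\n' "$line" | grep -Eq "\[.*\].*by.*$MYISP_RE" || continue
        # condition 2: our ISP named before the bracket means an internal hop
        printf '%s\n' "$line" | grep -Eq "Received: from.*$MYISP_RE.*\[" && continue
        ip=${line#*\[}      # drop everything up to the first "["
        ip=${ip%%\]*}       # drop everything from the first "]"
        case $ip in
            *[!0-9.]*|'') continue ;;   # not a dotted quad, keep walking
        esac
        printf '%s\n' "$ip"
        break
    done
}

# Reverse a dotted quad: 192.0.2.10 -> 10.2.0.192
reverse_quad() {
    printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s", $4, $3, $2, $1 }'
}

# Name the recipe hands to nslookup: <reversed quad>.<blocklist zone>
dnsbl_query_name() {
    printf '%s.%s' "$(reverse_quad "$1")" "$2"
}

# Mirror the recipe's check on the captured nslookup output: listed means
# the expected code (127.0.0.2, or 127.0.0.3 for MAPS DUL) appears in it.
dnsbl_listed() {
    printf '%s\n' "$1" | grep -Fq "$2"
}

# Constructed sample headers: an internal hop, the external hand-off, and an
# older hop that a spammer could have forged (it is never reached).
SAMPLE_MSG='Received: from mail.interlog.com (mail.interlog.com [10.0.0.5])
	by pop.interlog.net (8.9.3) for <joeuser@interlog.com>; Mon, 12 Apr 1999 22:00:00 -0400
Received: from relay.example.net ([192.0.2.10])
	by mail.interlog.com (8.9.3); Mon, 12 Apr 1999 21:59:00 -0400
Received: from spamware.example (unknown [198.51.100.7])
	by relay.example.net; Mon, 12 Apr 1999 21:50:00 -0400
Subject: constructed sample'

# Constructed nslookup answers for a listed and an unlisted address.
SAMPLE_HIT='Server:  ns.example
Address:  192.0.2.53

Name:    10.2.0.192.dnsbl.example
Address: 127.0.0.2'
SAMPLE_MISS='Server:  ns.example
Address:  192.0.2.53

*** ns.example: 10.2.0.192.dnsbl.example: Non-existent domain'

# Stand-alone demonstration of the three steps on the constructed input.
handoff=$(printf '%s\n' "$SAMPLE_MSG" | find_handoff_ip)
echo "hand-off IP: ${handoff:-none}"
echo "query name:  $(dnsbl_query_name "$handoff" dnsbl.example)"
if dnsbl_listed "$SAMPLE_HIT" 127.0.0.2; then echo "listed answer: reject"; fi
if dnsbl_listed "$SAMPLE_MISS" 127.0.0.2; then :; else echo "unlisted answer: pass"; fi
```

Because the walk stops at the first qualifying hop, the forged third header in the sample is never consulted; that is the property the post relies on when it walks the chain from the top rather than from the bottom.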
