Note: any time in here that I enumerate Received: headers or say that one
precedes or follows another, I mean those terms by order of their appearance
from top to bottom in the message header, not from the viewpoint of oldest
to newest. Thus "last" means bottommost (probably oldest), "after" means
below, "first" means topmost (probably newest), and "before" means above.
I'll try to avoid those terms because of their ambiguity, but I might not
succeed. I've chosen that perspective because that is how they'll appear
in multi-line procmail regexp conditions.
Harry had the seeds of his own answer in his two samples. In both cases,
the third Received: from the top documented the trip from worldnet to newsguy
and read as follows:
| Received: from mtiwgwc07.worldnet.att.net (mtiwgwc07.worldnet.att.net
[204.127.131.22])
| by newsguy.com (8.9.1a/8.9.1) with ESMTP id BAA64501
| for <reader(_at_)newsguy(_dot_)com>; Fri, 7 May 1999 01:11:27 -0700
(PDT)
and
| Received: from mtiwgwc07.worldnet.att.net (mtiwgwc07.worldnet.att.net
[204.127.131.22])
| by newsguy.com (8.9.1a/8.9.1) with ESMTP id FAA98798
| for <reader(_at_)newsguy(_dot_)com>; Sat, 8 May 1999 05:40:13 -0700
(PDT)
Both were received from worldnet (I wouldn't count on mtiwgwc07's always
being the machine at worldnet that does the forwarding, though) by newsguy
for reader(_at_)newsguy(_dot_)com(_dot_)
The only thing that remains to be distinguished is mail that originates on
worldnet, blind-carboned to reader(_at_)newsguy(_dot_)com, from mail sent to
readerx(_at_)worldnet(_dot_)att(_dot_)net and forwarded to
reader(_at_)newsguy(_dot_)com(_dot_) Harry, is that
a consideration for you? If not,
:0:
* ^Received:(.+$)+Received:(.+$)+Received:.*from \
([^ ]+\.)?worldnet\.att\.net.*by newsguy\.com.*for
<reader(_at_)newsguy(_dot_)com>;
* ! ^TO_reader(x(_at_)worldnet\(_dot_)att\(_dot_)net|@newsguy\.com)
blindcarbonedworldnetforwards
[Actually, that won't look for the long string only in the third Received:
header but on any Received: header from the third one on down. No harm.]
One snag is that it isn't really possible to tell whether mail originating on
worldnet and addressed to reader(_at_)newsguy(_dot_)com will have yet another
Received:
header below that one or not. For example, in Harry's first two samples, the
item from alaska.net had one more Received: header below and the one from
silcom.com had two. If we can be sure that mail originating on worldnet and
blind-carboned to reader(_at_)newsguy(_dot_)com will have no more Received:
headers
below, we can eliminate them by changing the second condition to this:
* ^Received:(.+$)+Received:(.+$)+Received:.*from \
([^ ]+\.)?worldnet\.att\.net.*by newsguy\.com.*for
<reader(_at_)newsguy(_dot_)com>;\
(.+$)+Received:
but if it sometimes has four or even more Received: headers, that's no help.