On Wed, Aug 28, 2002 at 12:48:14AM -0000, John Conover wrote:
> Is there any way of detecting if *_ANY_* "Received: " record does
> *_NOT_* have a local FQDN following the " from " tag in a sendmail(1)
> produced e-mail header?

Anything can be detected. But not all MTAs are sendmail, and there ARE
valid Received line formats which do not conform to sendmail's format.

But I think what you'd want would be something more like:

# Count the Received: lines in the header
COUNTReceived=`sed '/^$/q' | grep -c '^Received:'`

# Don't bother analysing local mail (adjust for your LDA)
:0
* COUNTReceived ?? ^1$
* ^From:
* ^To:
* ^Received: \(from [a-z0-9]+@localhost
{ SWITCHRC=/dev/null }

# Catch anything that tries to appear local but isn't
:0
* ^From:
* ! ^(From|Return-Path):.*@
* ^Received:.*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
{
  # From address is atless
  :0 fhw
  * !$ ^Received:.*($LOGNAME|root)@localhost
  | formail -A "X-spam: invalid return address (1-no @ symbol, but came from offsite)"

  # From address is badly formatted
  :0 fhw
  * !$ ^Received:.*($LOGNAME|root)@localhost
  * ! ^From:.*[a-z][a-z0-9_.:-]+@([a-z0-9][a-z0-9.-]*\.)+(com|net|org|edu|int|mil|gov|biz|info|name|[a-z][a-z])\>
  | formail -A "X-spam: invalid return address (2-address format error)"
}

# Local-looking mail (no @ in From or To) with more than one Received line
:0 fhw
* ! COUNTReceived ?? ^[01]$
* ^From:[^@]+$
* ^To:[^@]+$
| formail -A "X-spam: too many Received lines for local mail"

# Strip the host part from the hostname, keeping the domain in MYDOMAIN
MYDOMAIN=`hostname`

:0
* MYDOMAIN ?? [a-z]+[a-z0-9-]+\.\/[a-z]+[a-z0-9-]+\.(com?|net?|org?|biz|info)(\.([a-z][a-z]))?$
{ MYDOMAIN=$MATCH }

:0 E
* MYDOMAIN ?? [a-z]+[a-z0-9-]+\.\/[a-z]+[a-z0-9-]+(\.(bc|ab|sk|mb|on|qc|pe|ns|nf))?\.ca$
{ MYDOMAIN=$MATCH }

# Adjust the range to suit your expectations.
:0 fhw
* MYDOMAIN ?? .+
* COUNTReceived ?? ^[3-9]
* $ ^Message-ID:.+@(.+\.)?$MYDOMAIN>
| formail -A "X-spam: too many Received lines for local Message-ID (probably forged)"

It ain't perfect, but it may serve your needs, or at least act as a
starting point for your own rules. If you come up with anything better,
please share. :)
--
Paul Chvostek
<paul(_at_)it(_dot_)ca>
Operations / Abuse / Whatever +1 416 598-0000
it.canada - hosting and development http://www.it.ca/
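
Added example (not part of the original post and not Paul Chvostek's code): a Python re-implementation of the header tests in the recipes above, useful for checking which X-spam reasons a message would collect before the recipes go live. The function name, the sample messages, example.ca as MYDOMAIN and jdoe as LOGNAME are assumptions; the two return-address sub-recipes are collapsed into one reason and MYDOMAIN's dots are escaped.

```python
import re
from email import message_from_string

def x_spam_tags(raw, mydomain, logname):
    """Reasons the thread's recipes would put in X-spam (added re-implementation)."""
    msg = message_from_string(raw)
    rcvd = [" ".join(r.split()) for r in msg.get_all("Received", [])]  # unfold
    n = str(len(rcvd))  # COUNTReceived, kept as text because the recipes regex-match it
    frm, to = msg.get("From"), msg.get("To")
    has_at = any("@" in (msg.get(h) or "") for h in ("From", "Return-Path"))
    local = re.compile(rf"({re.escape(logname)}|root)@localhost", re.I)
    tags = []
    # One hop, submitted on this host: skip analysis (the SWITCHRC=/dev/null recipe).
    if (n == "1" and frm is not None and to is not None
            and re.match(r"\(from [a-z0-9]+@localhost", rcvd[0], re.I)):
        return tags
    # No @ in From/Return-Path, yet a Received line carries a dotted-quad address.
    if (frm is not None and not has_at
            and any(re.search(r"[0-9]+(\.[0-9]+){3}", r) for r in rcvd)
            and not any(local.search(r) for r in rcvd)):
        tags.append("invalid return address")
    # At-less From and To look local, but the message made more than one hop.
    if n not in ("0", "1") and frm and to and "@" not in frm + to:
        tags.append("too many Received lines for local mail")
    # Message-ID claims MYDOMAIN although the count begins with 3-9, as in the recipe.
    mid = msg.get("Message-ID") or ""
    if (mydomain and re.match(r"[3-9]", n)
            and re.search(rf".@(.+\.)?{re.escape(mydomain)}>", mid, re.I)):
        tags.append("too many Received lines for local Message-ID")
    return tags

def build(*headers):
    """Assemble a minimal message from header lines (helper for the samples)."""
    return "\n".join(headers) + "\n\nbody\n"

# Constructed samples; example.ca stands in for MYDOMAIN, jdoe for LOGNAME.
HOP = "Received: from relay%d.example.net ([192.0.2.%d]) by mail.example.ca; 28 Aug 2002"
LOCAL = build("From: jdoe", "To: root",
              "Received: (from jdoe@localhost) by mail.example.ca; 28 Aug 2002")
ATLESS = build("From: Friend", "To: you", HOP % (1, 1), HOP % (2, 2))
MSGID = build('From: "Sales" <sales@example.org>', "To: jdoe@example.ca",
              "Message-ID: <20020828.1234@mail.example.ca>",
              HOP % (1, 1), HOP % (2, 2), HOP % (3, 3))

if __name__ == "__main__":
    for name, raw in (("local", LOCAL), ("atless", ATLESS), ("msgid", MSGID)):
        print(name, x_spam_tags(raw, "example.ca", "jdoe"))
```

Because the count is matched as text against ^[3-9], a message with 10 to 29 Received lines does not trigger the Message-ID test; widen the range there if that matters for your mail flow.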