Gary wrote:
You can use your own handmade RBL
lists, and also have these call to standard ORBS / spamcop, etc. lists
from the web, RBL lists which will add their current IP blocks
automatically, thereby eliminating your need to look up every header for
IP addresses to add to procmail. My point is why re-invent the wheel.
My ISP's DNSBL-check uses these servers:
proxies.relays.monkeys.com
relays.osirusoft.com
inputs.relays.osirusoft.com
proxies.relays.osirusoft.com
socks.relays.osirusoft.com
bl.spamcop.net
relays.ordb.org
blackholes.wirehub.net
dynablock.wirehub.net
nlspam.rbl.cluecentral.net
formmail.relays.monkeys.com
spews.relays.osirusoft.com
cn.rbl.cluecentral.net
jp.rbl.cluecentral.net
kr.rbl.cluecentral.net
sg.rbl.cluecentral.net
tw.rbl.cluecentral.net
korea.services.net
opm.blitzed.org
list.dsbl.org
multihop.dsbl.org
sbl.spamhaus.org
All messages that fail that test are (by option) marked with a special
header. I could have those messages thrown away at the ISP's end as well,
but not all BLs are perfect (most are).
The messages that don't get marked are checked against my own IP-blocklist,
by harvesting the IP-nrs from all Received-headers and using only the
first and second part (1.2.x.x, so 16 bits).
I just checked: in the last 2 days 72 were marked by my ISP and 8 were found
by my own list. All of the 72 were spam, only 3 of the 8 were spam. These
last 3 I forward in a single message (as attachments) to spamcop, after
which they reply with URLs to complete the reporting, which takes only a
few minutes every few days (although sooner reporting is much better
and you get these "Yum, this spam is fresh" rewards).
Three spam-messages still came through. One was a client from my own ISP,
which had only one Received-header; that was interesting:
Received: from [10.0.0.150] (a213-84-33-60.adsl.xs4all.nl [213.84.33.60])
by smtpzilla1.xs4all.nl (8.12.0/8.12.0) with SMTP id h0808ETa046684
for <xxx>; Wed, 8 Jan 2003 01:08:14 +0100 (CET)
Interesting because my regexp matched the [10.0.0.150] and not
the [213.84.33.60] and since [10.x.x.x] is local, that one was
not used.
My IP-harvester:
(see <URL:http://www.xs4all.nl/~rvtol/procmailrc.txt>)
# QUAD1: first octet 1-255 (optional zero padding); QUADn: later octets 0-255
QUAD1="0*([1-9][0-9]?|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"
QUADn="0*([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"
IP=$QUAD1[.]$QUADn[.]$QUADn[.]$QUADn
REGEXP="Received:"
# MATEXP: the first bracketed IP in a Received: header; \/ starts $MATCH there
MATEXP=$REGEXP".*[^0-9.]\[\/$IP"
# "$" turns on variable expansion in the condition; \/ collects everything
# from the first Received: line to the last one into $MATCH
:0
* $ ^\/$REGEXP(.+$)*$REGEXP.+$
{
HEADERLINES = $MATCH
INCLUDERC = $HOME/XIP.rc
}
The XIP.rc includes itself until all (consecutive) Received-headers are
done. The result is collected in $XIP as "[ip#1][ip#2]..[ip#n]".
If you're interested, find it at the mentioned URL (search for XIP.rc, then
search again).
What I have to add now is to enable it to collect more than 1 IP-nr from a
Received-header (into $XIP), or to at least pick the right one. Does anyone
have any ideas?
Another question: who knows a good (or funny) way to convert such an IP-nr
to formatted ones-and-zeroes *with procmail only*? Example: [245.123.27.134]
(that is [F57B1B86]) turns into: [1111-0101.0111-1011.0001-1011.1000-0110].
All that, of course, to be able to compare against some /20-block as well. For
that the step to hexadecimal is already OK, because the next step is trivial.
But now off to report the 5 spammers. (hey, wasn't that 6?)
--
Affijn, Ruud
Easy people don't care too much.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
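The whole procedure the post describes, reworked as an added Python example (this is not code from the post, from XIP.rc or from procmail): it harvests every IPv4 literal from each Received: header rather than only the first, drops local addresses so that a [10.0.0.150] loses to the public address next to it, builds the reversed-octet query names a DNSBL lookup uses, produces the hex and ones-and-zeroes forms asked about, and compares addresses against /16 or /20 blocks. The host names, documentation-range addresses, zone names, block list and the DNS answers in STUB_DNS are all constructed stand-ins so the example runs offline; they are not the ISP's zones or real listings.

```python
import ipaddress
import re

# One dotted-quad octet; the look-arounds keep a match from starting or
# ending inside a longer digit run.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
IPV4_RE = re.compile(rf"(?<![0-9.])({_OCTET}(?:\.{_OCTET}){{3}})(?![0-9.])")

# Ranges treated as "local" in the post's sense: never the real sender.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample headers (documentation-range addresses, made-up hosts).
SAMPLE_HEADERS = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
 by mail.example.org with ESMTP id abc123
 for <someone@example.org>; Wed, 8 Jan 2003 01:09:00 +0100 (CET)
Received: from [10.0.0.150] (client.example.net [203.0.113.60])
 by mx2.example.net (8.12.0/8.12.0) with SMTP id xyz789
 for <someone@example.org>; Wed, 8 Jan 2003 01:08:14 +0100 (CET)
Subject: hello
"""
SAMPLE_OWN = "Received: from [10.0.0.150] (client.example.net [198.51.100.7]) by mx2.example.net with SMTP id xyz790; Wed, 8 Jan 2003 02:00:00 +0100 (CET)\n"
SAMPLE_CLEAN = "Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx2.example.net with ESMTP id xyz791; Wed, 8 Jan 2003 03:00:00 +0100 (CET)\n"

# Constructed zone names and block list; the post's "1.2.x.x" form is a.b.0.0/16.
ZONES = ["bl.example.test", "relays.example.test"]
OWN_BLOCKS = ["198.51.96.0/20"]

def received_headers(raw_headers):
    """Values of all Received: headers, continuation lines unfolded, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [line.split(":", 1)[1].strip() for line in unfolded.splitlines()
            if line.lower().startswith("received:")]

def harvest_ips(raw_headers):
    """Every IPv4 literal in each Received: header, not just the first one."""
    return [IPV4_RE.findall(hdr) for hdr in received_headers(raw_headers)]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def routable_ips(raw_headers):
    """Flatten the harvest and drop local addresses, so [10.0.0.150] is skipped
    in favour of the public address that follows it in the same header."""
    return [ip for hdr in harvest_ips(raw_headers) for ip in hdr if not is_local(ip)]

def xip_string(ips):
    """Same layout as the post's $XIP: "[ip#1][ip#2]..[ip#n]"."""
    return "".join(f"[{ip}]" for ip in ips)

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reversed octets in front of the zone, 1.2.3.4 -> 4.3.2.1.zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_hits(ip, zones, resolve):
    """Zones listing ip. `resolve(name)` returns A records; a listing answers in
    127.0.0.0/8, as real DNSBLs do, and an unlisted name returns nothing."""
    listed = ipaddress.ip_network("127.0.0.0/8")
    return [z for z in zones
            if any(ipaddress.ip_address(a) in listed for a in resolve(dnsbl_query_name(ip, z)))]

def to_hex(ip):
    """245.123.27.134 -> F57B1B86, the post's intermediate step."""
    return "".join(f"{int(o):02X}" for o in ip.split("."))

def to_binary_groups(ip):
    """245.123.27.134 -> 1111-0101.0111-1011.0001-1011.1000-0110, the post's target form."""
    return ".".join(f"{int(o):08b}"[:4] + "-" + f"{int(o):08b}"[4:] for o in ip.split("."))

def in_block(ip, cidr):
    """The prefix comparison the binary form is meant to enable (a /20, say)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

# Constructed DNS answers: only one query name is "listed", everything else is empty.
STUB_DNS = {dnsbl_query_name("203.0.113.60", "bl.example.test"): ["127.0.0.2"]}

def stub_resolve(name):
    return STUB_DNS.get(name, [])

def classify(raw_headers, zones=ZONES, resolve=stub_resolve, own_blocks=OWN_BLOCKS):
    """Order from the post: DNSBL marking first, then the private block list."""
    ips = routable_ips(raw_headers)
    hits = {ip: dnsbl_hits(ip, zones, resolve) for ip in ips}
    hits = {ip: z for ip, z in hits.items() if z}
    if hits:
        return {"verdict": "dnsbl", "detail": hits, "xip": xip_string(ips)}
    own = [(ip, b) for ip in ips for b in own_blocks if in_block(ip, b)]
    if own:
        return {"verdict": "own-list", "detail": own, "xip": xip_string(ips)}
    return {"verdict": "clean", "detail": None, "xip": xip_string(ips)}
```

To run this against live zones, pass a `resolve` that wraps a real lookup (for instance `socket.gethostbyname`, treating the `socket.gaierror` raised for a non-existent name as "not listed"); the verdict logic stays the same, and a marked message would get an extra header rather than being discarded, matching the post's choice.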