> If that's correct, then you need to ignore the topmost Received: header
> and grab the IP from the second one, but your regular expression always
> matches the first. You either need to come up with a regular expression
> that doesn't match Received: 2MX -> 1MX or, probably easier, use 2
> conditions - one scored. Pseudo-code only since I don't have an example
> of the headers in question.

I actually like your first suggestion better. It was kinda what I was trying
to do but couldn't get it to match. Here's some example headers. These guys
spam me all the time; these two sets are from a single spam run of theirs. One
went directly to the primary and was blocked; the other went through the
secondary and got through. Here's the first one, which was caught:

From unsub(_at_)artaddiction(_dot_)com Mon Mar 31 09:21:02 2003
Return-Path: <unsub(_at_)artaddiction(_dot_)com>
X-Original-To: hurrahnick(_at_)unknown(_dot_)nu
Delivered-To: sluggo(_at_)unknown(_dot_)nu
Received: from mail1.artmarket.com (mail1.artmarket.com [194.242.43.182])
        by jinx.unknown.nu (Postfix) with ESMTP id AB74243
        for <hurrahnick(_at_)unknown(_dot_)nu>; Mon, 31 Mar 2003 09:21:00 -0500 (EST)
From: Performing Art <unsub(_at_)artaddiction(_dot_)com>
To: <hurrahnick(_at_)unknown(_dot_)nu>
Subject: Matthew Barney
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <20030331142100(_dot_)AB74243(_at_)jinx(_dot_)unknown(_dot_)nu>
Date: Mon, 31 Mar 2003 09:21:00 -0500 (EST)

And here's the second, which wasn't:

From unsub(_at_)artaddiction(_dot_)com Mon Mar 31 09:09:31 2003
Return-Path: <unsub(_at_)artaddiction(_dot_)com>
X-Original-To: walnuttangent(_at_)unknown(_dot_)nu
Delivered-To: sluggo(_at_)unknown(_dot_)nu
Received: from astro.snellfamily.com (astro.snellfamily.com [192.148.252.20])
        by jinx.unknown.nu (Postfix) with ESMTP id BC8D84B
        for <walnuttangent(_at_)unknown(_dot_)nu>; Mon, 31 Mar 2003 09:09:31 -0500 (EST)
Received: from mail1.artmarket.com (mail1.artmarket.com [194.242.43.186])
        by astro.snellfamily.com (Postfix) with ESMTP id B728A3003F
        for <walnuttangent(_at_)unknown(_dot_)nu>; Mon, 31 Mar 2003 09:09:27 -0500 (EST)
From: Performing Art <unsub(_at_)artaddiction(_dot_)com>
To: <walnuttangent(_at_)unknown(_dot_)nu>
Subject: Matthew Barney
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <20030331140927(_dot_)B728A3003F(_at_)astro(_dot_)snellfamily(_dot_)com>
Date: Mon, 31 Mar 2003 09:09:27 -0500 (EST)

So yeah, I just need a recipe that says "look at the first received header and
grab the IP, unless it comes from ${BACKUPHOST} (which I'll set to
"astro.snellfamily.com" earlier in the rcfile), in which case look at the
second received header". It sounds easy, but I can't seem to get it to work.
Of course, I don't think I really thought about it in exactly these terms
before. It's nice how talking about this stuff with people clarifies it in
your own head.
--
----------------------------------------------------------------------------
Kim Scarborough http://www.unknown.nu/kim/
----------------------------------------------------------------------------
"Most rock journalism is people who can't write interviewing people who
can't talk for people who can't read."
-Frank Zappa
----------------------------------------------------------------------------
Now listening to: Sun Ra - "Reflections In Blue"
----------------------------------------------------------------------------
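
The selection rule described in the message above, as an added Python example rather than a procmail recipe; it is not code from the thread. The name `sending_ip`, the Postfix-style header pattern, and the sample messages trimmed from the headers quoted above are assumptions of this example.

```python
import re
from email import message_from_string

BACKUPHOST = "astro.snellfamily.com"  # secondary MX named in the post

# Assumed Postfix layout: from HELO (RDNS [IP]) by HOST ...
HOP = re.compile(r"from\s+\S+\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)")

def sending_ip(raw, backup=BACKUPHOST):
    """IP that handed the mail to our own MX pair, or None if unclear."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m is None:
            break  # stop at the first hop we cannot parse
        hops.append(m)
    if not hops:
        return None
    if hops[0].group("rdns").lower() != backup.lower():
        return hops[0].group("ip")  # delivered straight to the primary
    # Relayed by the backup: trust only the header the backup itself wrote.
    if len(hops) > 1 and hops[1].group("by").lower() == backup.lower():
        return hops[1].group("ip")
    return None

# Constructed samples, trimmed from the two header sets quoted above.
DIRECT = """\
Received: from mail1.artmarket.com (mail1.artmarket.com [194.242.43.182])
\tby jinx.unknown.nu (Postfix) with ESMTP id AB74243;
\tMon, 31 Mar 2003 09:21:00 -0500 (EST)
Subject: Matthew Barney

body
"""
VIA_BACKUP = """\
Received: from astro.snellfamily.com (astro.snellfamily.com [192.148.252.20])
\tby jinx.unknown.nu (Postfix) with ESMTP id BC8D84B;
\tMon, 31 Mar 2003 09:09:31 -0500 (EST)
Received: from mail1.artmarket.com (mail1.artmarket.com [194.242.43.186])
\tby astro.snellfamily.com (Postfix) with ESMTP id B728A3003F;
\tMon, 31 Mar 2003 09:09:27 -0500 (EST)
Subject: Matthew Barney

body
"""

if __name__ == "__main__":
    print(sending_ip(DIRECT), sending_ip(VIA_BACKUP))
```

The comparison uses the name the receiving server recorded in parentheses, not the name the client announced, and a second header is used only when its `by` host is the backup itself.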