On 1 Apr, Kim Scarborough wrote:
| > If that's correct, then you need to ignore the topmost Received: header
| > and grab the ip from the second one, but your regular expression always
| > matches the first. You either need to come up with a regular expression
| > that doesn't match Received: 2MX -> 1MX or, probably easier, use 2
| > conditions - one scored. Pseudo-code only since I don't have an example
| > of the headers in question.
|
| I actually like your first suggestion better. It was kinda what I was trying
| to do but couldn't get it to match. Here's some example headers. These guys
| spam me all the time; these two sets are from a single spam run of theirs.
| One went directly to the primary and was blocked; the other went through the
| secondary and got through. Here's the first one, which was caught:
|
| > From unsub(_at_)artaddiction(_dot_)com Mon Mar 31 09:21:02 2003
| > Return-Path: <unsub(_at_)artaddiction(_dot_)com>
| > X-Original-To: hurrahnick(_at_)unknown(_dot_)nu
| > Delivered-To: sluggo(_at_)unknown(_dot_)nu
| > Received: from mail1.artmarket.com (mail1.artmarket.com [194.242.43.182])
| > by jinx.unknown.nu (Postfix) with ESMTP id AB74243
| > for <hurrahnick(_at_)unknown(_dot_)nu>; Mon, 31 Mar 2003 09:21:00 -0500 (EST)
| > From: Performing Art <unsub(_at_)artaddiction(_dot_)com>
| > To: <hurrahnick(_at_)unknown(_dot_)nu>
| > Subject: Matthew Barney
| > MIME-Version: 1.0
| > Content-Type: text/html; charset=iso-8859-1
| > Content-Transfer-Encoding: 8bit
| > Message-Id: <20030331142100(_dot_)AB74243(_at_)jinx(_dot_)unknown(_dot_)nu>
| > Date: Mon, 31 Mar 2003 09:21:00 -0500 (EST)
|
| And here's the second, which wasn't:
|
| > From unsub(_at_)artaddiction(_dot_)com Mon Mar 31 09:09:31 2003
| > Return-Path: <unsub(_at_)artaddiction(_dot_)com>
| > X-Original-To: walnuttangent(_at_)unknown(_dot_)nu
| > Delivered-To: sluggo(_at_)unknown(_dot_)nu
| > Received: from astro.snellfamily.com (astro.snellfamily.com [192.148.252.20])
| > by jinx.unknown.nu (Postfix) with ESMTP id BC8D84B
| > for <walnuttangent(_at_)unknown(_dot_)nu>; Mon, 31 Mar 2003 09:09:31 -0500 (EST)
| > Received: from mail1.artmarket.com (mail1.artmarket.com [194.242.43.186])
| > by astro.snellfamily.com (Postfix) with ESMTP id B728A3003F
| > for <walnuttangent(_at_)unknown(_dot_)nu>; Mon, 31 Mar 2003 09:09:27 -0500 (EST)
| > From: Performing Art <unsub(_at_)artaddiction(_dot_)com>
| > To: <walnuttangent(_at_)unknown(_dot_)nu>
| > Subject: Matthew Barney
| > MIME-Version: 1.0
| > Content-Type: text/html; charset=iso-8859-1
| > Content-Transfer-Encoding: 8bit
| > Message-Id: <20030331140927(_dot_)B728A3003F(_at_)astro(_dot_)snellfamily(_dot_)com>
| > Date: Mon, 31 Mar 2003 09:09:27 -0500 (EST)
|
The first suggestion - one regular expression condition - is a lot more
difficult at best, and maybe impossible at worst, without something
like positive/negative look aheads. The second is simple to implement.
So jinx.unknown.nu is primary mx and astro.snellfamily.com is secondary.

:0
* 1^1 ^\/Received:.*
* ! MATCH ?? from astro\.snellfamily\.com.*by jinx\.unknown\.nu

To test, put it in a testrc file and add immediately after the second
condition:

{
LOG = "$MATCH
"
}

then run a couple of messages like: procmail ./testrc <test_msg and
verify that it's spitting out the correct header. If you also set
VERBOSE=yes (without setting LOGFILE) in testrc, you should see on your
terminal that the score is 1 when delivered to primary mx and 2 when
delivered to secondary, i.e. the 2 conditions are matching the 1st or
2nd Received: header as appropriate.
--
Email address in From: header is valid * but only for a couple of days *
This is my reluctant response to spammers' unrelenting address harvesting
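
Added example (not part of the original post and not procmail code): the same header selection written in Python, so the logic can be checked against the two sample messages. The test messages are constructed from the Received: lines quoted above, trimmed to the parts that matter; the FORGED case is an assumption added here to show why the walk starts at the header the primary wrote.

```python
import re
from email import message_from_string

# Assumption: MX names and the relay IP are copied from the sample headers above.
PRIMARY_MX = "jinx.unknown.nu"
# Trust is keyed on the IP our own server recorded, not on the name the peer gave.
SECONDARY_MX = {"192.148.252.20": "astro.snellfamily.com"}  # relay IP -> name

# Postfix-style trace line: from HELO (rdns [ip]) by HOST
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(\S+\s+\[([0-9.]+)\]\)\s+by\s+(\S+)")

def handoff_ip(raw_message):
    """Return the IP that handed the mail to our MX set, or None if unparseable."""
    expected_by = PRIMARY_MX
    for hdr in message_from_string(raw_message).get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m or m.group(2).lower() != expected_by:
            return None  # header was not written by the host we expected
        ip = m.group(1)
        if ip not in SECONDARY_MX:
            return ip  # first peer outside our own relays
        expected_by = SECONDARY_MX[ip]  # step down to the header the secondary wrote
    return None

# Constructed sample headers (trimmed copies of the ones in the thread).
HOP_DIRECT = ("Received: from mail1.artmarket.com (mail1.artmarket.com [194.242.43.182])\n"
              "\tby jinx.unknown.nu (Postfix) with ESMTP id AB74243\n")
HOP_RELAY = ("Received: from astro.snellfamily.com (astro.snellfamily.com [192.148.252.20])\n"
             "\tby jinx.unknown.nu (Postfix) with ESMTP id BC8D84B\n")
HOP_ORIGIN = ("Received: from mail1.artmarket.com (mail1.artmarket.com [194.242.43.186])\n"
              "\tby astro.snellfamily.com (Postfix) with ESMTP id B728A3003F\n")
TAIL = "Subject: Matthew Barney\n\nbody\n"

DIRECT = HOP_DIRECT + TAIL                 # delivered straight to the primary
VIA_SECONDARY = HOP_RELAY + HOP_ORIGIN + TAIL  # relayed through the secondary
# Direct delivery carrying sender-supplied lower headers that imitate the relay path.
FORGED = HOP_DIRECT + HOP_RELAY + HOP_ORIGIN + TAIL

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("via secondary", VIA_SECONDARY),
                      ("forged lower headers", FORGED)):
        print(name, "->", handoff_ip(msg))
```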