procmail

Re: Using Procmail for RBL Blacklists

2003-04-07 10:50:05
On Mon, Apr 07, 2003 at 12:47:43PM -0400, Don Hammond wrote:

> 1. There's no need to include "Received:.*" in the nested condition.

Good catch.

> 2. I have some Received: headers that enclose the ip number with
> parentheses instead of brackets (qmail, maybe?). I also have a shell
> script that looks at Received: headers, used before plonking netblocks
> in sendmail's access.db. It allows for spaces enclosing the ip. It
> was a while ago, but I did extensive testing because of the critical
> nature of the script; and though I can't find one in my inbox, I'm
> sure I saw some ip numbers delimited that way.  (That's not to say
> it's RFC compliant. I don't know either way, but enforcing that isn't
> my purpose.)
>
> Given all that, I'd rewrite the regular expression to allow the ip to
> be enclosed with space, paren, or bracket.

I don't know that I'd do so.  The ones that use a paren or no bracket
at all are, in my observation, almost always intrasite, e.g., from
a local host to a local mail server with, as you speculated, qmail
or whatever.  The RFCs call for brackets, is my understanding, for
any across-IP broadcasting.

That said, of course many spammers forge Receiveds, and badly, at that.
But those won't likely be in the top two Receiveds in the chain.
And if we do snag a forgery, what are we going to do with it?
Complain to the wrong sysadmin?

The rest of your observations, I find quite good.

-- 
dman
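As an added example, not code from the thread, the two patterns under discussion side by side: the strict form that only accepts an IP literal in brackets, and the lenient form that also accepts parentheses or spaces, run over the top two Received: headers of a constructed message. Hostnames, addresses and the RBL zone `rbl.example` are placeholders.

```python
import re
from email import message_from_string

# Strict: the IP literal in brackets, the form a Received: header from
# another site is expected to use.
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Lenient: also accepts parentheses or bare spaces around the IP, the
# delimiters the thread reports seeing on intrasite (e.g. qmail) hops.
LENIENT_IP = re.compile(r"[\[( ](\d{1,3}(?:\.\d{1,3}){3})[\]) ]")

# Constructed sample: hop 1 is a local relay writing the IP in parentheses,
# hop 2 is the external delivering host using brackets, hop 3 is older.
SAMPLE = """\
Received: from mailhub.example.net (mailhub.example.net (10.0.0.5))
\tby inbox.example.net with ESMTP; Mon, 7 Apr 2003 12:40:00 -0400
Received: from relay.example.org [192.0.2.44] (may be forged)
\tby mailhub.example.net with SMTP; Mon, 7 Apr 2003 12:39:58 -0400
Received: from [203.0.113.9] by relay.example.org with SMTP; Mon, 7 Apr 2003 12:39:00 -0400
From: someone@example.org
Subject: test

body
"""


def received_ips(raw, strict=True, hops=2):
    """IPs found in the first `hops` Received: headers, i.e. the most
    recently added ones, the hops closest to the receiving site."""
    pattern = BRACKET_IP if strict else LENIENT_IP
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", [])[:hops]:
        # Fold continuation lines so the pattern sees one string.
        m = pattern.search(hdr.replace("\n", " "))
        if m:
            ips.append(m.group(1))
    return ips


def rbl_query_name(ip, zone="rbl.example"):
    """DNSBL lookup name: octets reversed, zone appended (placeholder zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

With the strict pattern the parenthesised intrasite hop is skipped and only the bracketed external hop is looked up; the lenient pattern pulls in the local 10.0.0.5 address as well, which is the point made above about what the looser match actually catches.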

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail