
Re: Getting the Sender IP

2004-11-08 11:22:13
On Mon, Nov 08, 2004 at 06:16:43PM +0100, Michelle Konzack wrote:

> On some mail accounts I like to log which IP the e-mail comes from.
>
> If I use
>
>   ____( '/home/michelle/.procmail/FLT_spamhaus' )_______________________
>  /
> | :0 cH
> | * Received: from.*[.*](.*$)+Received:.*[/[0-9]+.[0-9]+.[0-9]+.[0-9]+
> | { 
> |   RECEIVIP2=${MATCH} 
> |   :0
> |   | $HOME/bin/tdmail_send $RECEIVIP2
> | }
>  \______________________________________________________________________
>
> I do not get the right result.
> How can I get the real sender IP?

First, "H" is the default, so you don't need to state it.
Second, what is tdmail_send?
Third, you haven't put a match token anywhere in this recipe, so I don't
       know what you think $MATCH will be set to.
Fourth, you haven't got a left-anchor on the Received string
in your condition, so you are causing mega-make-work for procmail
(and then you complain elsewhere that 768MB RAM isn't enough on
your server.)

You've been on this list a while.  Think it through a bit: it
should make sense that an easy way -- probably the easiest way,
though I dread using superlatives to describe procedures and methods
with computers -- to get the bottom Received header or bottom any-
other header is to use scoring.

Then, a few hours ago you would have seen a better regex than you've
got up there for a dotted quad.  (Ruud quoted from my vsnag.genvars.rc:)

 OCTET   = "([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])"
 DOTQUAD = "$OCTET[.]$OCTET[.]$OCTET[.]$OCTET"

So how about (bear with me about where I have the match token):

  :0
  * $ 1^1 ^Received: from\>\/.*$DOTQUAD\>
  {
       RCVD_COUNT = $=  # lagniappe-city, as long as we're here

       :0
       * $ 9876543210^0  MATCH ?? [[(]\/$DOTQUAD\>
       * $ 9876543210^0  MATCH ?? ()\/$DOTQUAD\>
       * $ MATCH ?? ^^\/$DOTQUAD
       { PUTATIVE_SENDER_IP = $MATCH }
  }


That's all (the initial placement of the match token, and then the last
recipe with an oversaturated max int count) because I would prefer to
trust an IP address that is surrounded by brackets or parens than one
that is naked; but I'll take a naked one over none at all.

I just tried it on one piece of spam.  Seems to work.  Not extensively
tested, but it's going to be close.

-- 
dman

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
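
The selection logic described in the reply above (take the bottom-most "Received: from" header that carries a dotted quad, prefer an address wrapped in brackets or parentheses over a naked one, and count the matching headers) as an added Python example; it is not code from the original post. The function name, the sample message and its documentation-range addresses are constructed for illustration.

```python
import re
from email import message_from_string

# The post's OCTET/DOTQUAD patterns, translated to Python regex syntax.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])"
DOTQUAD = rf"{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}"
# An address right after '[' or '(' is trusted over one with no delimiter.
WRAPPED = re.compile(rf"[\[(]({DOTQUAD})(?![0-9])")
NAKED = re.compile(rf"(?<![0-9.])({DOTQUAD})(?![0-9])")


def putative_sender_ip(raw_message):
    """Return (ip, rcvd_count) taken from the bottom 'Received: from' header.

    rcvd_count is the number of 'Received: from' headers that carry an IPv4
    address, the value the recipe stores in RCVD_COUNT.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):  # top-to-bottom order
        value = " ".join(value.split())        # unfold continuation lines
        if value.startswith("from ") and NAKED.search(value):
            hops.append(value)
    if not hops:
        return None, 0
    bottom = hops[-1]
    match = WRAPPED.search(bottom) or NAKED.search(bottom)
    return match.group(1), len(hops)


# Constructed sample message; hosts and addresses are documentation values.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Mon, 8 Nov 2004 11:20:01 -0600
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx.example.net with ESMTP; Mon, 8 Nov 2004 11:19:58 -0600
Received: from 10.1.1.1 (unknown [192.0.2.44])
\tby relay.example.com with SMTP; Mon, 8 Nov 2004 11:19:50 -0600
Received: (qmail 4242 invoked by uid 0); Mon, 8 Nov 2004 11:19:49 -0600
From: sender@example.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(putative_sender_ip(SAMPLE))
```

Received headers below the one written by your own mail server are supplied by upstream hosts and can be forged, so the result is only a putative sender address, as the variable name in the recipe says.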
