On Mon, Nov 08, 2004 at 06:16:43PM +0100, Michelle Konzack wrote:
> On some mail accounts I would like to log which IP the e-mail comes from.
> If I use
> ____( '/home/michelle/.procmail/FLT_spamhaus' )_______________________
> /
> | :0 cH
> | * Received: from.*[.*](.*$)+Received:.*[/[0-9]+.[0-9]+.[0-9]+.[0-9]+
> | {
> | RECEIVIP2=${MATCH}
> | :0
> | | $HOME/bin/tdmail_send $RECEIVIP2
> | }
> \______________________________________________________________________
> I do not get the right result.
> How can I get the real sender IP?

First, "H" is the default, so you don't need to state it.

Second, what is tdmail_send?

Third, you haven't put a match token anywhere in this recipe, so I don't
know what you think $MATCH will be set to.

Fourth, you haven't got a left-anchor on the Received string
in your condition, so you are causing mega-make-work for procmail
(and then you complain elsewhere that 768MB RAM isn't enough on
your server.)

You've been on this list a while. Think it through a bit: it
should make sense that an easy way -- probably the easiest way,
though I dread using superlatives to describe procedures and methods
with computers -- to get the bottom Received header or bottom any-
other header is to use scoring.

Then, a few hours ago you would have seen a better regex than you've
got up there for a dotted quad. (Ruud quoted from my vsnag.genvars.rc:)

  OCTET = "([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])"
  DOTQUAD = "$OCTET[.]$OCTET[.]$OCTET[.]$OCTET"

So how about (bear with me about where I have the match token):

  :0
  * $ 1^1 ^Received: from\>\/.*$DOTQUAD\>
  {
    RCVD_COUNT = $= # lagniappe-city, as long as we're here

    :0
    * $ 9876543210^0 MATCH ?? [[(]\/$DOTQUAD\>
    * $ 9876543210^0 MATCH ?? ()\/$DOTQUAD\>
    * $ MATCH ?? ^^\/$DOTQUAD
    { PUTATIVE_SENDER_IP = $MATCH }
  }

That's all (the initial placement of the match token, and then the last
recipe with an oversaturated max int count) because I would prefer to
trust an IP address that is surrounded by brackets or parens than one
that is naked; but I'll take a naked one over none at all.

I just tried it on one piece of spam. Seems to work. Not extensively
tested, but it's going to be close.

--
dman
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
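
The approach in the reply above, restated in Python so it can be checked against sample headers. This is an added example, not code from the thread: it approximates the recipe (count the "Received: from" headers that carry a dotted quad, take the bottom one, prefer a bracketed or parenthesized IP over a bare one) rather than reproducing procmail's matching exactly, and the function name, sample message and host names are constructed.

```python
import re
from email import message_from_string

# Same octet / dotted-quad patterns as the recipe, in Python regex syntax.
OCTET = r"(?:[01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])"
DOTQUAD = rf"{OCTET}[.]{OCTET}[.]{OCTET}[.]{OCTET}"
WRAPPED = re.compile(rf"[\[(]({DOTQUAD})\b")       # [1.2.3.4] or (1.2.3.4)
BARE = re.compile(rf"(?<![0-9.])({DOTQUAD})\b")    # any dotted quad, delimited or not

# Constructed sample message (documentation addresses, invented host names).
SAMPLE = (
    "Received: from relay.example.org (relay.example.org [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP id ABC123; Mon, 8 Nov 2004 18:20:01 +0100\n"
    "Received: by relay.example.org (Postfix, from userid 1001) id 4F2A1\n"
    "Received: from 10.0.0.5 (dialup.example.org [203.0.113.45])\n"
    "\tby relay.example.org with SMTP; Mon, 8 Nov 2004 18:19:40 +0100\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)


def putative_sender_ip(raw_message):
    """Return (rcvd_count, ip) for the bottom 'Received: from' header with an IP."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())   # join folded continuation lines
        if unfolded.startswith("from ") and BARE.search(unfolded):
            hits.append(unfolded)
    if not hits:
        return 0, None
    # Headers are prepended in transit, so the last hit is the oldest hop.
    # Everything below your own MTA's header can be forged, hence "putative".
    bottom = hits[-1]
    match = WRAPPED.search(bottom) or BARE.search(bottom)
    return len(hits), match.group(1)


if __name__ == "__main__":
    print(putative_sender_ip(SAMPLE))
```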