On Wed, Nov 24, 2004 at 11:28:49PM +0100, Michelle Konzack wrote:
> On 2004-11-24 21:23:08, Alan Clifford wrote:
> > On Wed, 24 Nov 2004, Michelle Konzack wrote:
> > MK> | Received: from [192.168.0.210] (67-137-116-114.dsl2.brv.mn.frontiernet.net [67.137.116.114])
> > MK> | by relay04.roc.ny.frontiernet.net (Postfix) with ESMTP id 0C15710265;
> > MK> | Wed, 24 Nov 2004 15:59:31 +0000 (UTC)
> > A match on the last two.
> I know, but why does
> ------------------------------------------------------------------------
> :0 H
> * ^Received: from.*\[.*\](.*$)+Received:.*\[222+\.[0-9]+\.[0-9]+\.[0-9]+
> ATTENTION/Blocked_Kornet/
> ------------------------------------------------------------------------
> work on the second "Received:" header but not
> ------------------------------------------------------------------------
> :0 cH
> * ^Received: from.*\[.*\](.*$)+Received:.*(dsl|pool.)
> ATTENTION/Blocked_ADSL/
> ------------------------------------------------------------------------
Off-hand, I don't see the answer, but I have a couple of (more) remarks.
First, you're using a lone H flag on recipes, and that is dangerous on
account of a known bug in current procmail such that you won't be able to
turn off the H flag later in the rcfile if you want to. Since H is the
default, there is no reason to state it explicitly here -- even if
you are running a binary that is not subject to this bug.
But that's an aside. The main thing I want to say is that I still think
you're spinning your wheels. I just looked in my last-100 spam archive
for your suspect "222" IP range. I found a number of them:
12:25am [~/Mail/.myspam] 531[0]> grep '^Received:.*[^0-9.]222[.]' *
msg.342W:Received: from [222.114.73.28] (helo=bdo.no)
msg.LJ0X:Received: from 222.47.62.188 ([222.47.62.188])
msg.OJ0X:Received: from xmsky.okwine.cn (222.47.62.209) by mail.epost.de (7.2.033.1)
msg.PJ0X:Received: from xmsky.okwine.cn (unknown [222.47.62.209])
msg.RG_J:Received: from [222.98.58.34] (helo=cantillon.demon.co.uk)
msg.YkRD:Received: from 222.47.62.188 ([222.47.62.188])
msg.dJ0X:Received: from [222.126.10.162] (helo=walla.com)
msg.fkRD:Received: from silver-wolf.com (222.64.223.36) by mail.epost.de (7.2.033.1)
msg.r42W:Received: from 222.47.62.188 ([222.47.62.188])
Well, but I have never bothered to notice before that those happen to come
from Kornet. Why not? Because I don't do any individual testing of IP
ranges or blacklisted hosts to stop all my spam. I have never needed to.
(And I get plenty of spam, and it's about 10-to-1 versus good mail.)
Here is the X-header line I add to my spam to tell me which of my named
recipes caught it:
12:25am [~/Mail/.myspam] 532[0]> grep -l '^Received:.*[^0-9.]222[.]' * | xargs grep ^X-Recipe-
msg.342W:X-Recipe-ID: UBE.RC.MYUPSTREAM, UBE.FR+RC.DELTA-TLD, UBE.RC.DODGEY, UBE.XM.NONBULK+PIPELINED
msg.LJ0X:X-Recipe-ID: UBE.TRUST<LOWEST, UBE.DT.!FR_.DATE_SPOTTY:FUTUREDAY, UBE.ID.FAKE:4, UBE.RC.SPLIT, UBE.SJ.LOCALTO
msg.OJ0X:X-Recipe-ID: UBE.SJ.LOCALTO, UBE.XM.FELONS
msg.PJ0X:X-Recipe-ID: UBE.SJ.LOCALTO, UBE.RC.DODGEY, UBE.XM.FELONS
msg.RG_J:X-Recipe-ID: UBE.RC.MYUPSTREAM, UBE.RC.LOW_COUNT+TO.!ME+TRUST<HIGH, UBE.FR+RC.DELTA-TLD, UBE.XM.NONBULK+PIPELINED
msg.YkRD:X-Recipe-ID: UBE.TRUST<LOWEST, UBE.DT.!FR_.DATE_SPOTTY:FUTUREDAY, UBE.ID.FAKE:4, UBE.RC.SPLIT, UBE.SJ.LOCALTO
msg.dJ0X:X-Recipe-ID: UBE.ID.MYUPSTREAM, UBE.RC.MYUPSTREAM, UBE.RC.LOW_COUNT+TO.!ME+TRUST<HIGH, UBE.DT.BOGUS, UBE.DT.!RC.DATE_SPOTTY:0, UBE.DT.!FR_.DATE_SPOTTY:FUTUREDAY, UBE.SJ|FR.HI-BIT, UBE.XM.NONBULK+PIPELINED
msg.fkRD:X-Recipe-ID: UBE.TRUST<LOWEST, UBE.RC.LOW_COUNT+TO.!ME+TRUST<HIGH, UBE.XM.NONBULK+PIPELINED
msg.r42W:X-Recipe-ID: UBE.TRUST<LOWEST, UBE.DT.!FR_.DATE_SPOTTY:FUTUREDAY, UBE.ID.FAKE:4, UBE.FR.!(VOWEL|CONSONANT), UBE.RC.SPLIT, UBE.SJ.LOCALTO
Let's do a distro on those recipe names. I'm not going to explain what
they all are, but their names are often fairly descriptive:
12:27am [~/Mail/.myspam] 533[0]> !! | sed 's/,//g' | fmt -1 | distrib | grep -v X-Rec
5 UBE.SJ.LOCALTO
4 UBE.DT.!FR_.DATE_SPOTTY:FUTUREDAY
4 UBE.TRUST<LOWEST
4 UBE.XM.NONBULK+PIPELINED
3 UBE.ID.FAKE:4
3 UBE.RC.LOW_COUNT+TO.!ME+TRUST<HIGH
3 UBE.RC.MYUPSTREAM
3 UBE.RC.SPLIT
2 UBE.FR+RC.DELTA-TLD
2 UBE.RC.DODGEY
2 UBE.XM.FELONS
1 UBE.DT.!RC.DATE_SPOTTY:0
1 UBE.DT.BOGUS
1 UBE.FR.!(VOWEL|CONSONANT)
1 UBE.ID.MYUPSTREAM
1 UBE.SJ|FR.HI-BIT
Okay, I'll bother to explain just a bit: The two-letter code is the
header involved in the check. So SJ is Subject, DT is Date, RC is
Received, XM X-Mailer, etc. Anyway, for all those reasons I don't have
to check for blacklists, IP addresses, etc. These Kornet things are not
getting through to my inbox.
All right, back to your problem: I would take the regex and try it out
on the command line with egrep to troubleshoot. For example, I created
a synthetic version of your line looking for "222" to use with grep on the
command line. I could basically duplicate the entire procmail condition's
regex and see if it matches or not, and if not, why not (by deconstructing
it phrase by phrase until it does work).
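As an added illustration of the phrase-by-phrase troubleshooting step described above (this is example code, not part of the thread), here is a small Python script that emulates procmail's header matching closely enough to test a condition one phrase at a time. One caveat a plain egrep run does not cover: procmail's regex dialect differs from egrep's, and per procmailrc(5) a `$` matches a newline character, which is what lets `(.*$)+` walk across header lines; a line-oriented egrep can check the single-line pieces but not the cross-line join, so the script rewrites `$` to a literal newline before matching. The header block, host names and addresses are constructed for the example; the two conditions are the ones quoted in the thread, and the sample header is built so that the Kornet condition matches and the ADSL one does not, which makes the first failing phrase visible.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample header block (not a real message): two Received: lines,
# the second one from a 222.x.x.x address, with continuation lines indented
# by a tab as a real MTA would write them.
SAMPLE_HEADER = (
    "Received: from [192.168.0.210] (example-host.dsl.example.net [203.0.113.5])\n"
    "\tby relay.example.net (Postfix) with ESMTP id ABCDEF;\n"
    "\tWed, 24 Nov 2004 15:59:31 +0000 (UTC)\n"
    "Received: from mail.example.org (unknown [222.47.62.209])\n"
    "\tby example-host.dsl.example.net with SMTP;\n"
    "\tWed, 24 Nov 2004 15:59:20 +0000 (UTC)\n"
    "From: sender@example.org\n"
    "Subject: test\n"
)

# The two conditions quoted in the thread, verbatim.
KORNET_COND = r"^Received: from.*\[.*\](.*$)+Received:.*\[222+\.[0-9]+\.[0-9]+\.[0-9]+"
ADSL_COND = r"^Received: from.*\[.*\](.*$)+Received:.*(dsl|pool.)"

# The same conditions split into the phrases we want to test cumulatively.
# Each list concatenates back to the full condition (checked in deconstruct()).
KORNET_PHRASES = [r"^Received: from", r".*\[.*\]", r"(.*$)+", r"Received:",
                  r".*\[222+\.[0-9]+\.[0-9]+\.[0-9]+"]
ADSL_PHRASES = [r"^Received: from", r".*\[.*\]", r"(.*$)+", r"Received:",
                r".*(dsl|pool.)"]


def procmail_to_python(cond: str) -> str:
    """Approximate procmail's regex dialect in Python's re module.

    procmailrc(5): '$' matches a newline (that is what makes '(.*$)+' span
    header lines) and '.' does not match a newline. Python's '$' is
    zero-width, so every unescaped '$' is rewritten to a literal newline.
    This is an approximation for troubleshooting, not a full translation.
    """
    return re.sub(r"(?<!\\)\$", lambda _m: "\\n", cond)


def matches(cond: str, header: str) -> bool:
    """Does a procmail-style condition match anywhere in the header block?"""
    return re.search(procmail_to_python(cond), header, re.MULTILINE) is not None


def egrep_lines(pattern: str, text: str) -> List[str]:
    """Line-by-line search, the way egrep on the command line sees a header."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def deconstruct(cond: str, header: str, phrases: List[str]) -> List[Tuple[str, bool]]:
    """Test cumulative prefixes of the condition, one phrase at a time.

    Returns (prefix, matched) pairs so the caller can see exactly where the
    condition stops matching the header.
    """
    if "".join(phrases) != cond:
        raise ValueError("phrases do not concatenate to the condition")
    results = []
    prefix = ""
    for phrase in phrases:
        prefix += phrase
        results.append((prefix, matches(prefix, header)))
    return results


def first_failing_phrase(cond: str, header: str, phrases: List[str]) -> Optional[str]:
    """The phrase whose addition first breaks the match, or None if all match."""
    for phrase, (_prefix, ok) in zip(phrases, deconstruct(cond, header, phrases)):
        if not ok:
            return phrase
    return None


if __name__ == "__main__":
    # Single-line check first, as in the grep run shown in the thread.
    for line in egrep_lines(r"^Received:.*[^0-9.]222[.]", SAMPLE_HEADER):
        print("egrep-style hit:", line)
    # Then the full procmail-style conditions, phrase by phrase.
    for name, cond, phrases in (("Kornet", KORNET_COND, KORNET_PHRASES),
                                ("ADSL", ADSL_COND, ADSL_PHRASES)):
        print(f"{name}: full condition matches = {matches(cond, SAMPLE_HEADER)}")
        for prefix, ok in deconstruct(cond, SAMPLE_HEADER, phrases):
            print(f"  {'ok  ' if ok else 'FAIL'} {prefix}")
```

Running the script prints each cumulative prefix with ok/FAIL, so the first FAIL line names the phrase to look at; on the constructed header the ADSL condition fails only at its last phrase, because `.` cannot cross a newline and the text after the second `Received:` does not contain `dsl` or `pool.` on that line.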
--
dman
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail