procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

procmail bug? {nested blocks}

2005-06-12 10:58:02
from [Damian Menscher] [Permanent Link] 
I may have found a bug in procmail (or maybe I'm just misinterpreting
the manpage ;)

I'm trying to filter out "virus bounce spam" (spam that advertises
the remote end's virus filter by spewing out bounce messages to mail
that supposedly came from you (but didn't, as the From: header was
spoofed)).

The idea is to look at messages from the remote mailer that contain,
in the body, headers from the original message they received.  These
headers often take the form:

Received: from server.ourdomain.com (infected.victim.com [222.222.222.222])

Assuming ourdomain.com has the netblock 111.111.x.x, it is safe to
key off the IP address.

So... I came up with the following:

:0H
* ^FROM_MAILER
{
   :0BD
   * ^Received: from .*ourdomain.com \(.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\)
   * !^Received: from .*ourdomain.com \(.*\[111.111.[0-9]+\.[0-9]+\]\)
   virus_bounce_spam
}

Basically, it should* look in the body for a Received: line that
claims to be from ourdomain.com, but isn't (as demonstrated by the
faked IP.

Problem is, this doesn't seem to be working.  The internal block (the
part beginning with :0BD) is matching lines in the message _header_.
In particular, it's matching stuff from localhost, which looks like:

Received: from server.ourdomain.com (localhost.localdomain [127.0.0.1])

But, as I understand it, the :B means it should *only* check the body,
not the headers.  So... what's going on?  Best guess is that I'm
misinterpreting the following sentence in procmailrc(5):
"On a nesting block,  the  flags H  and B only affect the conditions
leading up to the block, the flags h and b have no effect whatsoever."
I assumed (possibly incorrectly) that the H rule in my outer block
would affect only the outer block, and that I didn't need a b to pass
the body to the inner block.

We're using procmail v3.22 2001/09/10 from RedHat's procmail-3.22-9
package.  Any advice appreciated.

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher(_at_)uiuc(_dot_)edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 
|#=-
-=#| The above opinions are not necessarily those of my employers. |#=-

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: RMAIL. How to use spamassassin where the headers are appearing on messages already., Michelle Konzack
Next by Date:  Re: procmail bug? {nested blocks}, Ruud H.G. van Tol
Previous by Thread:  RMAIL. How to use spamassassin where the headers are appearing on messages already., Don Saklad
Next by Thread:  Re: procmail bug? {nested blocks}, Ruud H.G. van Tol
Indexes:  [Date] [Thread] [Top] [All Lists]