procmail

Re: Getting the MATCH

2008-07-22 06:55:30
The way $FROM is put together, it usually contains a string that looks something like this:

from eastrmmtao107.cox.net ([68.230.240.59])
       by box106.bluehost.com with esmtp (Exim 4.69)
       (envelope-from <skip(_at_)pelorus(_dot_)org>)
       id 1KL76L-0007Gz-6K
       for suzanne(_at_)pelorus(_dot_)org; Mon, 21 Jul 2008 19:55:41 -0600
from eastrmimpo01.cox.net ([68.1.16.119])
         by eastrmmtao107.cox.net
         (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP
id <20080722015543(_dot_)QCA8977(_dot_)eastrmmtao107(_dot_)cox(_dot_)net(_at_)eastrmimpo01(_dot_)cox(_dot_)net>;
         Mon, 21 Jul 2008 21:55:43 -0400
from [192.168.1.113] ([68.231.250.115])
       by eastrmimpo01.cox.net with bizsmtp
       id spvh1Z00E2W8SQ402pvhNr; Mon, 21 Jul 2008 21:55:42 -0400
Skip <skip(_at_)pelorus(_dot_)org>

My ipblacklist currently contains over 4000 IP addresses from which I have previously received spam emails. I decided to just go with the first three octets:
96.235.243.
96.239.43.
96.241.203.

I tried putting in the slashes before the dots, but then it didn't have any matches at all. I also wanted to put in the word boundaries, but again, this caused me to have no matches at all. Is there an error that I am overlooking? Is that what you mean by using the -w switch, if I understand you correctly?

The list isn't perfect. There are software version numbers that look a lot like IP addresses that can fool the system. I have run my blacklist against my clean inbox and have removed every entry that returns a hit. (Would you believe that my ipwhitelist is only just over 1000 entries--I get *that* much more spam than ham!) I also don't add any numbers to the blacklist if they return any hits in my inbox at all.

I have appreciated everyone's responses here, but unfortunately, I think I am confused. Would someone be so kind as to put it all back together for me in one working recipe? I guess my initial question of being able to return the actual matched ip address (kinda like using the -o option in grep) so I can use it in procmail later on is too hard.

I understand that I don't need the lock, and I could do better with some of my variables, but I am more interested in the meat of the recipe.

Cheers!

Here is the original recipe:

FGREP=/bin/grep
IPBLACKLIST=/home/peloruso/ipblacklist
FORMAIL = /usr/bin/formail
FROM=`$FORMAIL -x"From" -x"From:" -x"Reply-To:" -x"Received:" -x"Return-Path:"`

:0fw:ipblacklist.lock
* ? (echo "$FROM" | $FGREP -i -f $IPBLACKLIST)
| $FORMAIL -A "X-IP-Blacklist: Mail originated from a previous source of spam--$MATCH"


Skip



Professional Software Engineering wrote:
At 11:43 2008-07-22 +0200, Dallman Ross wrote:
[snipperoni]
Good comments, Sean.  One other one is that he is not using any
boundary anchors to the search string.  This will cause false
matches.  For example, what if feldman(_at_)example(_dot_)com were in the
blacklist but he ran dman(_at_)example(_dot_)com through his grep?  It would
match.  He needs the "w" flag with his grep, among other fixes.

[ipblacklist]
dman(_at_)example(_dot_)com

echo "feldman(_at_)example(_dot_)com" | fgrep -i -w -f ipblacklist

won't match, which is good.

echo "fel(_dot_)dman(_at_)example(_dot_)com" | fgrep -i -w -f ipblacklist

WOULD match, because the dot, which is really intended to be part of the string, is treated as a word separator. Obviously, this is a rather contrived example, but it does demonstrate that it'd potentially match things we don't want to match.

Inclusion of the -w flag is even more important when dealing with IP dotted quads, since short initial and trailing octets could otherwise easily match much larger networks:

[ipblacklist]
1.23.45.6

11.23.45.61
201.23.45.69

(and MANY more) would match.

---
 Sean B. Straw / Professional Software Engineering

Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html> Please DO NOT carbon me on list replies. I'll get my copy from the list.

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail


--
Get my PGP Public key here:
http://pelorus.org/skip(_at_)pelorus(_dot_)org_public_key(_dot_)asc

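An added example, written for this archive page and not part of Skip's recipe or Sean's reply: it converts a literal blacklist (the three-octet prefixes Skip uses, plus full quads) into dot-escaped, boundary-anchored regexes so that fgrep -w is no longer needed, and then uses grep -o to return the address that actually matched. The file names, the sample blacklist and the sample Received lines are constructed; BADIP in the trailing comment is a hypothetical procmail variable name.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a literal IP blacklist
# into anchored regexes and recover the matched address with grep -o.
# File names and the sample blacklist are constructed for this demo.
set -e
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
BLACKLIST="$tmp/ipblacklist"
PATTERNS="$tmp/ipblacklist.re"

# Constructed blacklist: two /24 prefixes (trailing dot) and one full quad.
printf '%s\n' '96.235.243.' '1.23.45.6' '68.1.16.' > "$BLACKLIST"

# Convert each literal entry to an anchored extended regex:
#  - escape dots so they match only dots (fgrep -w treats them as separators),
#  - require line start or a non-address character before the entry, so
#    1.23.45.6 no longer matches inside 11.23.45.61,
#  - a full quad must not be followed by another digit or dot,
#  - a trailing dot marks a prefix: require one more octet of 1-3 digits.
build_patterns() {
    sed -e 's/\./\\./g' \
        -e 's/^/(^|[^0-9.])/' \
        -e '/\\\.$/!s/$/([^0-9.]|$)/' \
        -e '/\\\.$/s/$/[0-9]{1,3}([^0-9.]|$)/' "$1"
}
build_patterns "$BLACKLIST" > "$PATTERNS"

# Print the first blacklisted address found in the text read on stdin, or
# nothing. grep -o prints only the matched text; the sed trims the boundary
# character that the anchoring groups capture around the address.
match_ip() {
    grep -E -o -f "$PATTERNS" | head -n 1 | sed 's/^[^0-9]*//; s/[^0-9]*$//'
}

# Constructed Received lines modelled on the sample in the thread.
SAMPLE='from eastrmmtao107.cox.net ([68.230.240.59])
from eastrmimpo01.cox.net ([68.1.16.119])
(InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP'

printf '%s\n' "$SAMPLE" | match_ip      # prints 68.1.16.119

# The same check inside a procmail recipe (BADIP is a hypothetical name):
#   BADIP=`echo "$FROM" | grep -E -o -f $HOME/ipblacklist.re | head -n 1`
#   :0
#   * ! BADIP ?? ^^^^
#   | $FORMAIL -A "X-IP-Blacklist: previous source of spam--$BADIP"
```

Because the anchoring lives in the generated pattern file rather than in grep's -w logic, a version string such as vM.7.08.02.01 can only hit if it is listed verbatim, and the octet boundary keeps 1.23.45.6 from firing on 11.23.45.61 or 201.23.45.69.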
