The way $FROM is put together, it usually contains a string that looks
something like this:
from eastrmmtao107.cox.net ([68.230.240.59])
by box106.bluehost.com with esmtp (Exim 4.69)
(envelope-from <skip(_at_)pelorus(_dot_)org>)
id 1KL76L-0007Gz-6K
for suzanne(_at_)pelorus(_dot_)org; Mon, 21 Jul 2008 19:55:41 -0600
from eastrmimpo01.cox.net ([68.1.16.119])
by eastrmmtao107.cox.net
(InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP
id
<20080722015543(_dot_)QCA8977(_dot_)eastrmmtao107(_dot_)cox(_dot_)net(_at_)eastrmimpo01(_dot_)cox(_dot_)net>;
Mon, 21 Jul 2008 21:55:43 -0400
from [192.168.1.113] ([68.231.250.115])
by eastrmimpo01.cox.net with bizsmtp
id spvh1Z00E2W8SQ402pvhNr; Mon, 21 Jul 2008 21:55:42 -0400
Skip <skip(_at_)pelorus(_dot_)org>
My ipblacklist currently contains over 4000 IP addresses from which I
have previously received spam emails. I decided to just go with the
first three octets:
96.235.243.
96.239.43.
96.241.203.
I tried putting in the slashes before the dots, but then it didn't have
any matches at all. I also wanted to put in the word boundaries, but
again, this caused me to have no matches at all. Is there an error that
I am overlooking? Is that what you mean by using the -w switch, if I
understand you correctly?
The list isn't perfect. There are software version numbers that look a
lot like IP addresses that can fool the system. I have run my blacklist
against my clean inbox and have removed every entry that returns a hit.
(Would you believe that my ipwhitelist is only just over 1000 entries--I
get *that* much more spam than ham!) I also don't add any numbers to
the blacklist if they return any hits in my inbox at all.
I have appreciated everyone's responses here, but unfortunately, I think
I am confused. Would someone be so kind as to put it all back together
for me in one working recipe?
I guess my initial question of being able to return the actual matched
ip address (kinda like using the -o option in grep) so I can use it in
procmail later on is too hard.
I understand that I don't need the lock, and I could do better with some
of my variables, but I am more interested in the meat of the recipe.
Cheers!
Here is the original recipe:
# Note: the variable is named FGREP but points at grep; without -F the
# list entries are regular expressions, so an unescaped "." matches any
# character. -F makes them the fixed strings the name suggests.
FGREP="/bin/grep -F"
IPBLACKLIST=/home/peloruso/ipblacklist
FORMAIL=/usr/bin/formail
# Collect the sender-related headers into one string (one assignment line).
FROM=`$FORMAIL -x"From" -x"From:" -x"Reply-To:" -x"Received:" -x"Return-Path:"`
:0fw:ipblacklist.lock
* ? (echo "$FROM" | $FGREP -i -f $IPBLACKLIST)
# MATCH is only set by a \/ in a regexp condition; a "?" program-exit
# condition never fills it, so $MATCH expands to nothing here.
| $FORMAIL -A "X-IP-Blacklist: Mail originated from a previous source of spam--$MATCH"
Skip
Professional Software Engineering wrote:
At 11:43 2008-07-22 +0200, Dallman Ross wrote:
[snipperoni]
Good comments, Sean. One other one is that he is not using any
boundary anchors to the search string. This will cause false
matches. For example, what if feldman(_at_)example(_dot_)com were in the
blacklist but he ran dman(_at_)example(_dot_)com through his grep? It would
match. He needs the "w" flag with his grep, among other fixes.
[ipblacklist]
dman(_at_)example(_dot_)com
echo "feldman(_at_)example(_dot_)com" | fgrep -i -w -f ipblacklist
won't match, which is good.
echo "fel(_dot_)dman(_at_)example(_dot_)com" | fgrep -i -w -f ipblacklist
WOULD match, because the dot, which is really intended to be part of
the string, is treated as a word separator. Obviously, this is a
rather contrived example, but it does demonstrate that it'd
potentially match things we don't want to match.
Inclusion of the -w flag is even more important when dealing with IP
dotted quads, since short initial and trailing octets could otherwise
easily match much larger networks:
[ipblacklist]
1.23.45.6
11.23.45.61
201.23.45.69
(and MANY more) would match.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer:
<http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the
list.
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
--
Get my PGP Public key here:
http://pelorus.org/skip(_at_)pelorus(_dot_)org_public_key(_dot_)asc
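An added shell example, not from this thread and not part of procmail or formail, to show the three things discussed above on one constructed input: how the recipe's plain fgrep -f over-matches (Sean's "1.23.45.6" hitting "201.23.45.69"), why adding -w to a list whose entries end in a dot matches nothing at all, and one way to get the matching address out of the headers, which is what the grep -o question was after. The header text, hostnames, addresses and the blacklist are all made up for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not procmail/formail code). Hostnames,
# addresses and the list below are constructed for the demonstration.

# Constructed header text, shaped like the Received chain quoted in the post.
HEADERS='from eastrmmtao107.example.net ([68.230.240.59])
by box106.example.com with esmtp (Exim 4.69)
from relay.example.org ([201.23.45.69])
from [192.168.1.113] ([96.235.243.17])
by eastrmimpo01.example.net with bizsmtp
X-Mailer: FooMailer 1.2.3.4'

# Constructed blacklist: two three-octet prefixes and one full address.
LIST=$(mktemp)
printf '%s\n' '96.235.243.' '96.239.43.' '1.23.45.6' > "$LIST"

# Plain substring match, as in the original recipe: counts header lines hit.
# "1.23.45.6" also hits "201.23.45.69", the false positive Sean describes.
count_fgrep() {
    printf '%s\n' "$1" | grep -c -F -i -f "$2" || true
}

# Same list with -w. A "." is not a word constituent, so an entry ending in
# "." can only match when the character after it is a non-word character;
# the next octet's digit is a word character, so nothing matches at all.
count_fgrep_w() {
    printf '%s\n' "$1" | grep -c -F -i -w -f "$2" || true
}

# Turn each list entry into an anchored extended regex: escape the dots and
# let a trailing dot stand for "followed by one more octet".
list_to_regex() {
    sed -e 's/\./\\./g' -e 's/\\\.$/\\.[0-9]+/' "$1"
}

# Pull every dotted quad out of the header text, one per line.
extract_ips() {
    printf '%s\n' "$1" | grep -o -E '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Print the extracted addresses that match a list entry as a whole line (-x),
# so "1.23.45.6" no longer hits "201.23.45.69" and the address that did
# match is available for later use.
blacklisted_ips() {
    extract_ips "$1" | grep -x -E -f "$2" || true
}

REGEX=$(mktemp)
list_to_regex "$LIST" > "$REGEX"
trap 'rm -f "$LIST" "$REGEX"' EXIT

echo "fgrep -f hits:    $(count_fgrep "$HEADERS" "$LIST")"      # 2 (one false)
echo "fgrep -w -f hits: $(count_fgrep_w "$HEADERS" "$LIST")"    # 0
echo "blacklisted:      $(blacklisted_ips "$HEADERS" "$REGEX")" # 96.235.243.17
```

The version-number problem mentioned above remains: "1.2.3.4" from the X-Mailer line is extracted too, and would be reported if the list held that exact address; the whole-line match only removes the prefix and substring false positives.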