Re: [exim] Loopp through IP addresses in received header

Author: Craig Jackson
Date:  
To: exim-users
Subject: Re: [exim] Loopp through IP addresses in received header


> -----Original Message-----
> From: exim-users-bounces@???
> [mailto:exim-users-bounces@exim.org] On Behalf Of Phil Pennock
> Sent: Friday, January 11, 2008 8:27 PM
> To: Craig Jackson
> Cc: exim-users@???
> Subject: Re: [exim] Loopp through IP addresses in received header
>
> On 2008-01-11 at 09:47 -0600, Craig Jackson wrote:
> > I'd like to loop through all of the IP addresses in the received headers
> > and check each one to see if that address is in a list of address
> > blocks, like 12.23.0.0/16 : 34.56.67.0/24 : 1.6.0.0/8
>
> Exim 4.67 or more recent, to get the map, filter, reduce etc
> operators?
>
> List of all IP addresses in Received: headers:
> ${filter{<\n
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}}{isip{$item}}}
>
> The core of this is:
>
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}
>
> If I save your email (the one I'm replying to) to a file called
> "fred1.eml" and then run "exim -bem fred1.eml" (for sufficiently recent
> Exim to support the -bem option) then I can do:
>
> > ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}
>
> 2001:630:200:8080:204:23ff:fed6:b664
> 127.0.0.1
> 72.245.64.135
>
> >
>
> The blank lines are for the outside parts; the filter just reduces this
> to IP addresses, removing blank lines and acting as a sanity check
> against anything spuriously caught; there's an assumption that all IP
> addresses are in square brackets.
>
> You can put your list of address blocks into a "hostlist"; my Exim
> config happens to have one called "bad_host_addresses" defined as:
> hostlist bad_host_addresses = <; 0.0.0.0 ; 127.0.0.0/8 ; ::
> so purely for my own convenience I'll use that as an example for
> extracting an address from that list.
>
> ${filter{<\n ${filter{<\n
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}}{isip{$item}}}}{match_ip{$item}{+bad_host_addresses}}}
>
> Testing, I see:
> > ${filter{<\n ${filter{<\n
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}}{isip{$item}}}}{match_ip{$item}{+bad_host_addresses}}}
> 127.0.0.1
> >
>
> Breaking that down, splitting into components for readability, etc, is
> left as an exercise for the reader.
>
> Regards,
> -Phil
>
> --


Wow. Thanks, Phil. That's exactly what I needed. I have the host
address block list in a MySQL database. This has cut out 90% of our
spam. But occasionally spammers are good enough to send mail through
"trusted" servers. That's where this little rule will help.

Craig
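
An offline Python re-implementation of the extract-then-match logic in the expression quoted above, for checking a block list against saved headers. It is an added example, not code from the thread and not Exim's own implementation; the function names, sample headers and block list are constructed, and unlike the quoted regex it collects every bracketed literal and accepts an `IPv6:` prefix.

```python
import ipaddress
import re

# Bracketed address literal, as in the thread's regex; the optional
# "IPv6:" tag is an addition for MTAs that write [IPv6:...].
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_ips(headers):
    """Return every valid bracketed IP in the Received: values, in order."""
    found = []
    for value in headers:
        unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
        for token in BRACKETED.findall(unfolded):
            try:
                # Plays the role of isip{$item}: drop anything that only
                # looks like an address.
                found.append(ipaddress.ip_address(token))
            except ValueError:
                continue
    return found


def listed(headers, blocks, sep=";"):
    """Return the header IPs that fall inside any block (match_ip step)."""
    # strict=False masks off host bits, so 10.1.2.3/8 is read as 10.0.0.0/8.
    nets = [ipaddress.ip_network(b.strip(), strict=False)
            for b in blocks.split(sep) if b.strip()]
    return [str(ip) for ip in received_ips(headers)
            if any(ip in net for net in nets)]


# Constructed sample data (documentation address ranges), not from the thread.
SAMPLE_HEADERS = [
    "from mx.example.net ([198.51.100.7] helo=mx.example.net)\n"
    "\tby relay.example.org with esmtp; Fri, 11 Jan 2008 09:47:00 -0600",
    "from localhost ([127.0.0.1])\n\tby mx.example.net with esmtp",
    "from client.example.com ([IPv6:2001:db8::25])\n"
    "\tby mx.example.net with esmtp id [1.2.3.999]",
]
# ';' separator as in the quoted hostlist, so IPv6 colons are unambiguous.
SAMPLE_BLOCKS = "0.0.0.0 ; 127.0.0.0/8 ; :: ; 198.51.100.0/24"

if __name__ == "__main__":
    print(listed(SAMPLE_HEADERS, SAMPLE_BLOCKS))
```

Only the Received: lines added by your own or trusted relays are reliable; anything below them is supplied by the sender.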