[Exim] header_received question

Author: Mike Wilson
Date:  
To: exim-users
Subject: [Exim] header_received question
I did a search through the archive and FAQ and didn't find an answer to this,
so here goes.

I have a system_filter that I use for basic spam checks. If a message is
tagged as 'spam' I want to parse out the host that SENT the spam to us (i.e.
the first host to connect to our email system).

A typical email will have a received section like:

from out3.email.blah.net ([xxx.xxx.xxx.xxx.xxx])
        by bob.somewhere.com with esmtp (Exim 4.01)
        id 16kTxP-0003oB-00
        for bob@???; Mon, 11 Mar 2002 11:51:35 -0600
from [xxx.xxx.xxx.xxx.xxx] (helo=cspool.email.blah.net)
        by out3.email.blah.net with esmtp
        id 16kTuV-0006QK-00
        for bob@???; Mon, 11 Mar 2002 17:48:35 +0000
from [xxx.xxx.xxx.xxx.xxx] (helo=smtpin1.email.blah.net)
        by cspool.email.blah.net with esmtp (Exim 3.33 #1)
        id 16kTuL-0001a6-00
        for bob@???; Mon, 11 Mar 2002 17:48:25 +0000
from [BAD.BAD.BAD.BAD] (helo=some.dumb.relay.com)
        by smtpin1.email.blah.net with smtp
        id 16kTuO-0005Pq-00
        for bob@???; Mon, 11 Mar 2002 17:48:28 +0000
from [xxx.xxx.xxx.xxx] (helo=originating.spammer.com)
        by some.dump.relay.com with smtp
        id 16kTuO-0005Pq-00
        for bob@???; Mon, 11 Mar 2002 17:48:28 +0000


Here is my problem. I want to grab the 'BAD.BAD.BAD.BAD' IP address. As you
can see this IP will never be the same (or at least nothing I can guess) nor
will it always be after a specific host other than *.email.blah.net.

I just want to build a list of spamming hosts and build some spam notices
based on high hitting open-relay/spam sites.


--
Mike Wilson            NTT/VERIO ISS Group
mwilson@???        http://www.verio.net/
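
One way to pull out that address, as an added example that is not part of the original post: walk the Received lines from the top and keep the peer IP recorded by the deepest hop that your own hosts wrote. The trusted domains, the OWN_NETS range and all IP addresses are constructed assumptions; with own_nets set, the walk also stops at the first peer outside your network, so a forged line naming one of your hosts below that point is ignored.

```python
import ipaddress
import re

# Assumptions (not from the original post): our hosts live under these
# domains and inside OWN_NETS; every IP address here is a constructed value.
TRUSTED_SUFFIXES = ("email.blah.net", "somewhere.com")
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def is_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def is_internal(ip, nets):
    try:
        return ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)
    except ValueError:
        return False                      # unparsable address: treat as external

def handoff_ip(received, own_nets=OWN_NETS):
    """received: Received: values, newest first. Returns the peer IP logged
    by the deepest hop we can still believe, or None if it logged none.
    own_nets=None falls back to trusting the 'by' hostname alone."""
    result = None
    for raw in received:
        line = " ".join(raw.split())      # unfold continuation lines
        by = BY_RE.search(line)
        if not by or not is_trusted(by.group(1)):
            break                         # line was written outside our systems
        ip = IP_RE.search(line[:by.start()])   # peer IP sits in the from-clause
        result = ip.group(1) if ip else None
        if own_nets is not None and not is_internal(result, own_nets):
            break   # peer was not ours, so every line below is sender-supplied
    return result

# Constructed sample modelled on the headers in the post.
SAMPLE = [
    "from out3.email.blah.net ([192.0.2.10])\n\tby bob.somewhere.com with esmtp (Exim 4.01)",
    "from [192.0.2.11] (helo=cspool.email.blah.net)\n\tby out3.email.blah.net with esmtp",
    "from [192.0.2.12] (helo=smtpin1.email.blah.net)\n\tby cspool.email.blah.net with esmtp",
    "from [203.0.113.7] (helo=some.dumb.relay.com)\n\tby smtpin1.email.blah.net with smtp",
    "from [198.51.100.5] (helo=originating.spammer.com)\n\tby some.dumb.relay.com with smtp",
]

if __name__ == "__main__":
    print(handoff_ip(SAMPLE))
```

Matching on the "by" hostname alone (own_nets=None) is only safe if nothing below your border can claim one of your hostnames, which a sender-written Received line can.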