Merry Christmas!
I'm trying to create a quick (exim-filter) regex which
matches some recently volumed up faked header types,
such as:
Received: from spammer-ip2 by ourserver
Received: from spammer-ip1 by ourdomain
That is, when spammer inserts a header faking
that he received the message from ourdomain.
That (ourdomain being in the second Received field)
can't happen and I'd honor it with their IP appended
to our blacklist.
I created the following regex:
#replacing newlines to spaces in subject first:
if "${tr{$message_headers}{\n}{\s}}" matches
^Received:.*?Received:.*?by\\sourdomain
then ...
But this matches 3rd, 4th, etc. Receiveds also,
which I don't want, because the following can
happen:
Received: from isp by ourserver
Received: from ourdomain by isp
Received: from isp by ourdomain
So, I'd like to have a regex that matches "by ourdomain"
only if that is the second one.
Anyone being a regex wizard willing to point me to the
right direction?
Thanks in advance,
G.
