[exim] regex for 2nd "Received" in header

Góra strony
Delete this message
Reply to this message
Autor: Gabor FUNK
Data:  
Dla: exim-users
Temat: [exim] regex for 2nd "Received" in header
Merry Christmas!

I'm trying to create a quick (exim-filter) regex which
matches some recently volumed up faked header types,
such as:

    Received: from spammer-ip2   by ourserver
    Received: from spammer-ip1   by ourdomain


That is, when spammer inserts a header faking
that he received the message from ourdomain.
That (ourdomain being in the second Received field)
can't happen and I'd honor it with their IP appended
to our blacklist.

I created the following regex:

    #replacing newlines to spaces in subject first:
    if "${tr{$message_headers}{\n}{\s}}" matches
    ^Received:.*?Received:.*?by\\sourdomain
    then ...


But this matches 3rd, 4th, etc. Receiveds also,
which I don't want, because the following can
happen:

    Received: from isp              by ourserver
    Received: from ourdomain  by isp
    Received: from isp              by ourdomain


So, I'd like to have a regex that matches "by ourdomain"
only if that is the second one.

Anyone being a regex wizard willing to point me to the
right direction?

Thanks in advance,
G.