Re: [exim] Loopp through IP addresses in received header

Góra strony
Delete this message
Reply to this message
Autor: Craig Jackson
Data:  
Dla: exim-users
Temat: Re: [exim] Loopp through IP addresses in received header


> -----Original Message-----
> From: exim-users-bounces@???
> [mailto:exim-users-bounces@exim.org] On Behalf Of Phil Pennock
> Sent: Friday, January 11, 2008 8:27 PM
> To: Craig Jackson
> Cc: exim-users@???
> Subject: Re: [exim] Loopp through IP addresses in received header
>
> On 2008-01-11 at 09:47 -0600, Craig Jackson wrote:
> > I'd like to loop through all of the IP addresses in the
> received headers
> > and check each one to see if that address is in a list of address
> > blocks, like 12.23.0.0/16 : 34.56.67.0/24 : 1.6.0.0/8
>
> Exim 4.67 or more recent, to get the map, filter, reduce etc
> operators?
>
> List of all IP addresses in Received: headers:
> ${filter{<\n
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N

}{\$1}}}{isip{$item}}}
>
> The core of this is:
>
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}
>
> If I save your email (the one I'm replying to) to a file called
> "fred1.eml" and then run "exim -bem fred1.eml" (for
> sufficiently recent
> Exim to support the -bem option) then I can do:
>
> >
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}
>
> 2001:630:200:8080:204:23ff:fed6:b664
> 127.0.0.1
> 72.245.64.135
>
> >
>
> The blank lines are for the outside parts; the filter just
> reduces this
> to IP addresses, removing blank lines and acting as a sanity check
> against anything spuriously caught; there's an assumption that all IP
> addresses are in square brackets.
>
> You can put your list of address blocks into a "hostlist"; my Exim
> config happens to have one called "bad_host_addresses" defined as:
> hostlist bad_host_addresses = <; 0.0.0.0 ; 127.0.0.0/8 ; ::
> so purely for my own convenience I'll use that as an example for
> extracting an address from that list.
>
> ${filter{<\n ${filter{<\n
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N

}{\$1}}}{isip{$item}}}}{match_ip{$item}{+bad_host_addresses}}}
>
> Testing, I see:
> > ${filter{<\n ${filter{<\n
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N

}{\$1}}}{isip{$item}}}}{match_ip{$item}{+bad_host_addresses}}}
> 127.0.0.1
> >
>
> Breaking that down, splitting into components for readability, etc, is
> left as an exercise for the reader.
>
> Regards,
> -Phil
>
> --


Wow. Thanks, Phil. That's exactly what I needed. I have the host
address block list in a Mysql database. This has cut out 90% of our
spam. But occasionally spammers are good enough to send mail through
"trusted" servers". That's where this little rule will help.

Craig