Re: [exim] Advice on a Regexp requested

Author: W B Hacker
Date:  
To: exim-users
CC: eximX0902w
Subject: Re: [exim] Advice on a Regexp requested
Ted Cooper wrote:
> W B Hacker wrote:
>> Given a subordinate 'Received' header containing the likes of:
>>
>> Received: by giky28.corgiky.com (PowerMTA(TM) v3.0c2) id <the rest redacted>.
>>
>> With a target of matching the 'PowerMTA' substring
>>
>> AND an unpredictable number of characters preceding it...
>>
>> What might we have in Exim's toolbox AND NOT an external call, that is as
>> predictable / reliable as an SQL 'LIKE' comparison?
>>
>> But more efficient of resources...
>
> PCRE + forany?
>
> Magnus Holmgren has this wonderful construct for looking up all the IP
> addresses in received headers .. perhaps it could be modified? It
> doesn't use forany.
> http://www.mail-archive.com/exim-users@exim.org/msg22684.html
>
> It doesn't seem to use forany .. and I really have no idea how to use it
> :P Now that I offload things to a program listening on a socket, I've
> become really lazy.
>
> condition = ${if forany{\n, $h_Received:}{match{$item}{PowerMTA/i}}}
>
> No idea if that works .. at all.
>
> --
> The Exim Manual: http://docs.exim.org/
>


Ted,

Side issue - NOW we have a mystery - not sure if it is related - *attempting* to
copy you directly.

My goal was to add spam demerits for that 'race' of MTA (above)

CAVEAT: in my environment, and perhaps no other, it has always and only been
used to send very obvious UCE or phish.

But .. on the way to the theatre, both my original post and your reply post were
whacked with outrageous SA scores and shunted off to a quarantine folder.

Headers appear to show THREE passes thru SA at various points, scores ranging
from a high positive to a higher-than-average negative, and a third score in the
middle.

Given the rather innocent message content, it looks as if at least one of us is
already filtering on that very string - the one naming the MTA.

I don't see any other content that is out of the ordinary.

Relevant headers from my post and your reply below.

====

Return-path: <exim-users-bounces+conducive.org@???>
Envelope-to: wbh@???
Delivery-date: Fri, 30 Apr 2010 21:39:01 +0000
Received: from tahini.csx.cam.ac.uk ([131.111.8.192]:48087)
    by conducive.net with esmtp (Exim 4.69 (FreeBSD))
    (envelope-from <exim-users-bounces+conducive.org@???>)
    id 1O7xuq-0006Nu-FA
    for wbh@???; Fri, 30 Apr 2010 21:39:01 +0000
Received: from localhost ([127.0.0.1]:60615 helo=tahini.csx.cam.ac.uk)
    by tahini.csx.cam.ac.uk with esmtp (Exim 4.71)
    (envelope-from <exim-users-bounces@???>)
    id 1O7xos-0008Qr-J0; Fri, 30 Apr 2010 22:32:23 +0100
Received: from conducive.org ([203.194.153.81]:51908)
    by tahini.csx.cam.ac.uk with esmtp (Exim 4.71)
    (envelope-from <wbh@???>) id 1O7xop-0008Qb-KZ
    for exim-users@???; Fri, 30 Apr 2010 22:32:20 +0100
Received: from c-71-62-196-61.hsd1.va.comcast.net ([71.62.196.61]:65093
    helo=pb.local) by conducive.net with esmtpsa (TLSv1:AES256-SHA:256)
    (Exim 4.69 (FreeBSD)) (envelope-from <wbh@???>)
    id 1O7xoJ-0005Vq-I9
    for exim-users@???; Fri, 30 Apr 2010 21:31:47 +0000
Message-ID: <4BDB4C5D.7020104@???>
Date: Fri, 30 Apr 2010 17:32:13 -0400
From: W B Hacker <wbh@???>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;
    rv:1.8.1.23) Gecko/20090823 SeaMonkey/1.1.18
MIME-Version: 1.0
To: exim users <exim-users@???>
X-Spam-Score: 1.4 (+)
X-Spam-Status: No, score=1.4 required=5.0 tests=AWL=-3.000, BAYES_00=-1.5,
    FORGED_RCVD_HELO=0.135, URIBL_BLACK=3,
    URIBL_PH_SURBL=2.8 autolearn=no version=3.1.8
Subject: [exim] Advice on a Regexp requested
X-BeenThere: exim-users@???
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: A user list for the exim MTA <exim-users.exim.org>
List-Unsubscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
    <mailto:exim-users-request@exim.org?subject=unsubscribe>
List-Archive: <http://lists.exim.org/lurker/list/exim-users.html>
List-Post: <mailto:exim-users@exim.org>
List-Help: <mailto:exim-users-request@exim.org?subject=help>
List-Subscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
    <mailto:exim-users-request@exim.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: exim-users-bounces@???
Errors-To: exim-users-bounces@???
X-Spam-Warning: Spam Score, 4.0, user limit 1
X-Spam-Bars: (++++) 4.0
Subject: *Suspect* [exim] Advice on a Regexp requested
X-Junk: HIGHLY SUSPECT MESSAGE!


=======

Return-path: <exim-users-bounces+conducive.org@???>
Envelope-to: wbh@???
Delivery-date: Sat, 01 May 2010 01:00:30 +0000
Received: from tahini.csx.cam.ac.uk ([131.111.8.192]:48733)
    by conducive.net with esmtp (Exim 4.69 (FreeBSD))
    (envelope-from <exim-users-bounces+conducive.org@???>)
    id 1O813o-00066P-VC
    for wbh@???; Sat, 01 May 2010 01:00:30 +0000
Received: from localhost ([127.0.0.1]:42846 helo=tahini.csx.cam.ac.uk)
    by tahini.csx.cam.ac.uk with esmtp (Exim 4.71)
    (envelope-from <exim-users-bounces@???>)
    id 1O80yt-0000KF-KJ; Sat, 01 May 2010 01:54:56 +0100
Received: from mxa.outb.inboxlogistics.com ([203.211.140.222]:44985)
    by tahini.csx.cam.ac.uk with esmtp (Exim 4.71)
    (envelope-from <eximX0902w@???>) id 1O80yc-0000JN-PS
    for exim-users@???; Sat, 01 May 2010 01:54:53 +0100
Received: from mail.linuxwan.net ([203.89.94.245] helo=[192.168.32.61])
    by mxa.inb.inboxlogistics.com with esmtpsa (TLSv1:AES256-SHA:256)
    (Exim 4.69) (envelope-from <eximX0902w@???>)
    id 1O80yR-00016z-9F
    for exim-users@???; Sat, 01 May 2010 10:54:36 +1000
Message-ID: <4BDB7BBE.2090203@???>
Date: Sat, 01 May 2010 10:54:22 +1000
From: Ted Cooper <eximX0902w@???>
User-Agent: Thunderbird 2.0.0.24 (X11/20100317)
MIME-Version: 1.0
To: exim users <exim-users@???>
References: <4BDB4C5D.7020104@???>
X-Spam-Score: -3.2 (---)
X-Spam-Score: 1.4 (+)
X-Spam-Status: No, score=1.4 required=5.0 tests=AWL=-2.925, BAYES_00=-1.5,
    URIBL_BLACK=3, URIBL_PH_SURBL=2.8 autolearn=no version=3.1.8
Subject: Re: [exim] Advice on a Regexp requested
X-BeenThere: exim-users@???
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: exim-users@???
List-Id: A user list for the exim MTA <exim-users.exim.org>
List-Unsubscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
    <mailto:exim-users-request@exim.org?subject=unsubscribe>
List-Archive: <http://lists.exim.org/lurker/list/exim-users.html>
List-Post: <mailto:exim-users@exim.org>
List-Help: <mailto:exim-users-request@exim.org?subject=help>
List-Subscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
    <mailto:exim-users-request@exim.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: exim-users-bounces@???
Errors-To: exim-users-bounces@???
X-Spam-Warning: Spam Score, 4.0, user limit 1
X-Spam-Bars: (++++) 4.0
Subject: *Suspect* Re: [exim] Advice on a Regexp requested
X-Junk: HIGHLY SUSPECT MESSAGE!


===
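
The following is an added example, not part of the original message and not Exim or SpamAssassin code. It runs the same two checks offline on a saved header block: a case-insensitive substring test against each unfolded Received header (the LIKE-style match asked about), and a breakdown of the per-rule scores in X-Spam-Status. The function names are hypothetical, and the sample is constructed from the PowerMTA line and the X-Spam-Status value quoted above plus placeholder headers.

```python
import re
from email import message_from_string

# Constructed sample. The PowerMTA Received line and the X-Spam-Status value
# are copied from the message above; the other headers are placeholders.
SAMPLE = """\
Received: from relay.example ([192.0.2.10])
    by mx.example with esmtp (Exim 4.69)
    id 1AAAAA-000000-00; Fri, 30 Apr 2010 21:39:01 +0000
Received: by giky28.corgiky.com (PowerMTA(TM) v3.0c2) id <the rest redacted>.
X-Spam-Status: No, score=1.4 required=5.0 tests=AWL=-3.000, BAYES_00=-1.5,
    FORGED_RCVD_HELO=0.135, URIBL_BLACK=3,
    URIBL_PH_SURBL=2.8 autolearn=no version=3.1.8
Subject: sample

body
"""

def unfold(value):
    """Collapse RFC 5322 header folding into single spaces."""
    return re.sub(r"\s+", " ", value).strip()

def received_hits(raw, needle="PowerMTA"):
    """Return (index, header) for each Received header containing needle.

    Case-insensitive match at any offset; index 0 is the topmost header.
    """
    pattern = re.compile(re.escape(needle), re.IGNORECASE)
    headers = message_from_string(raw).get_all("Received", [])
    return [(i, unfold(h)) for i, h in enumerate(headers)
            if pattern.search(unfold(h))]

def spam_tests(raw):
    """Parse the tests= list of each X-Spam-Status header into {rule: score}."""
    scores = {}
    for status in message_from_string(raw).get_all("X-Spam-Status", []):
        m = re.search(r"tests=(.*?)(?:\s+autolearn=|$)", unfold(status))
        if m:
            for rule, score in re.findall(r"(\w+)=(-?\d+(?:\.\d+)?)", m.group(1)):
                scores[rule] = float(score)
    return scores

if __name__ == "__main__":
    print(received_hits(SAMPLE))
    # Highest-scoring rules first, to see what drove the total.
    for rule, score in sorted(spam_tests(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{score:+.3f}  {rule}")
```
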