Ted Cooper wrote:
> W B Hacker wrote:
>> Given a subordinate 'Received' header containing the likes of:
>>
>> Received: by giky28.corgiky.com (PowerMTA(TM) v3.0c2) id <the rest redacted>.
>>
>> With a target of matching the 'PowerMTA' substring
>>
>> AND an unpredictable number of characters preceding it...
>>
>> What might we have in Exim's toolbox AND NOT an external call, that is as 
>> predictable / reliable as an SQL 'LIKE' comparison?
>>
>> But more efficient of resources...
> 
> PCRE + forany?
> 
> Magnus Holmgren has this wonderful construct for looking up all the IP 
> addresses in received headers .. perhaps it could be modified? It 
> doesn't use forany.
> http://www.mail-archive.com/[email protected]/msg22684.html
> 
> It doesn't seem to use forany .. and I really have no idea how to use it 
> :P Now that I offload things to a program listening on a socket, I've 
> become really lazy.
> 
> condition = ${if forany{\n, $h_Received:}{match{$item}{PowerMTA/i}}}
> 
> No idea if that works .. at all.
> 
> --
> The Exim Manual: http://docs.exim.org/
> 

Ted,

Side issue - NOW we have a mystery - not sure if it is related - *attempting* to
copy you directly.

My goal was to add spam demerits for that 'race' of MTA (above)

CAVEAT: in my environment, and perhaps no other, it has always and only been 
used to send very obvious UCE or phish.

But .. on the way to the theatre, both my original post and your reply post were
whacked with outrageous SA scores and shunted off to a quarantine folder.

Headers appear to show THREE passes thru SA at various points, scores ranging
from a high positive to a higher-than-average negative, and a third score in the
middle.

Given the rather innocent message content, it looks as if at least one of us is 
already filtering on that very string - the one naming the MTA.

I don't see any other content that is out of the ordinary.

Relevant headers from my post and your reply below.

====

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Fri, 30 Apr 2010 21:39:01 +0000
Received: from tahini.csx.cam.ac.uk ([131.111.8.192]:48087)
        by conducive.net with esmtp (Exim 4.69 (FreeBSD))
        (envelope-from <[email protected]>)
        id 1O7xuq-0006Nu-FA
        for [email protected]; Fri, 30 Apr 2010 21:39:01 +0000
Received: from localhost ([127.0.0.1]:60615 helo=tahini.csx.cam.ac.uk)
        by tahini.csx.cam.ac.uk with esmtp (Exim 4.71)
        (envelope-from <[email protected]>)
        id 1O7xos-0008Qr-J0; Fri, 30 Apr 2010 22:32:23 +0100
Received: from conducive.org ([203.194.153.81]:51908)
        by tahini.csx.cam.ac.uk with esmtp (Exim 4.71)
        (envelope-from <[email protected]>) id 1O7xop-0008Qb-KZ
        for [email protected]; Fri, 30 Apr 2010 22:32:20 +0100
Received: from c-71-62-196-61.hsd1.va.comcast.net ([71.62.196.61]:65093
        helo=pb.local) by conducive.net with esmtpsa (TLSv1:AES256-SHA:256)
        (Exim 4.69 (FreeBSD)) (envelope-from <[email protected]>)
        id 1O7xoJ-0005Vq-I9
        for [email protected]; Fri, 30 Apr 2010 21:31:47 +0000
Message-ID: <[email protected]>
Date: Fri, 30 Apr 2010 17:32:13 -0400
From: W B Hacker <[email protected]>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;
        rv:1.8.1.23) Gecko/20090823 SeaMonkey/1.1.18
MIME-Version: 1.0
To: exim users <[email protected]>
X-Spam-Score: 1.4 (+)
X-Spam-Status: No, score=1.4 required=5.0 tests=AWL=-3.000, BAYES_00=-1.5,
        FORGED_RCVD_HELO=0.135, URIBL_BLACK=3,
        URIBL_PH_SURBL=2.8 autolearn=no version=3.1.8
Subject: [exim] Advice on a Regexp requested
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: A user list for the exim MTA <exim-users.exim.org>
List-Unsubscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
        <mailto:[email protected]?subject=unsubscribe>
List-Archive: <http://lists.exim.org/lurker/list/exim-users.html>
List-Post: <mailto:[email protected]>
List-Help: <mailto:[email protected]?subject=help>
List-Subscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
        <mailto:[email protected]?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Errors-To: [email protected]
X-Spam-Warning: Spam Score, 4.0, user limit 1
X-Spam-Bars: (++++) 4.0
Subject: *Suspect* [exim] Advice on a Regexp requested
X-Junk: HIGHLY SUSPECT MESSAGE!

=======

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Sat, 01 May 2010 01:00:30 +0000
Received: from tahini.csx.cam.ac.uk ([131.111.8.192]:48733)
        by conducive.net with esmtp (Exim 4.69 (FreeBSD))
        (envelope-from <[email protected]>)
        id 1O813o-00066P-VC
        for [email protected]; Sat, 01 May 2010 01:00:30 +0000
Received: from localhost ([127.0.0.1]:42846 helo=tahini.csx.cam.ac.uk)
        by tahini.csx.cam.ac.uk with esmtp (Exim 4.71)
        (envelope-from <[email protected]>)
        id 1O80yt-0000KF-KJ; Sat, 01 May 2010 01:54:56 +0100
Received: from mxa.outb.inboxlogistics.com ([203.211.140.222]:44985)
        by tahini.csx.cam.ac.uk with esmtp (Exim 4.71)
        (envelope-from <[email protected]>) id 1O80yc-0000JN-PS
        for [email protected]; Sat, 01 May 2010 01:54:53 +0100
Received: from mail.linuxwan.net ([203.89.94.245] helo=[192.168.32.61])
        by mxa.inb.inboxlogistics.com with esmtpsa (TLSv1:AES256-SHA:256)
        (Exim 4.69) (envelope-from <[email protected]>)
        id 1O80yR-00016z-9F
        for [email protected]; Sat, 01 May 2010 10:54:36 +1000
Message-ID: <[email protected]>
Date: Sat, 01 May 2010 10:54:22 +1000
From: Ted Cooper <[email protected]>
User-Agent: Thunderbird 2.0.0.24 (X11/20100317)
MIME-Version: 1.0
To: exim users <[email protected]>
References: <[email protected]>
X-Spam-Score: -3.2 (---)
X-Spam-Score: 1.4 (+)
X-Spam-Status: No, score=1.4 required=5.0 tests=AWL=-2.925, BAYES_00=-1.5,
        URIBL_BLACK=3, URIBL_PH_SURBL=2.8 autolearn=no version=3.1.8
Subject: Re: [exim] Advice on a Regexp requested
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: [email protected]
List-Id: A user list for the exim MTA <exim-users.exim.org>
List-Unsubscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
        <mailto:[email protected]?subject=unsubscribe>
List-Archive: <http://lists.exim.org/lurker/list/exim-users.html>
List-Post: <mailto:[email protected]>
List-Help: <mailto:[email protected]?subject=help>
List-Subscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
        <mailto:[email protected]?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Errors-To: [email protected]
X-Spam-Warning: Spam Score, 4.0, user limit 1
X-Spam-Bars: (++++) 4.0
Subject: *Suspect* Re: [exim] Advice on a Regexp requested
X-Junk: HIGHLY SUSPECT MESSAGE!

===

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
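
The matching problem discussed in this thread, as an added example that is not part of the original posts and is not Exim configuration: a Python sketch showing that an unanchored, case-insensitive search scoped to the unfolded `Received` headers finds the MTA name regardless of what precedes it, while a message that only mentions the string in its body is not matched. The function name and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Unanchored, case-insensitive search: the unpredictable run of characters
# in front of the MTA name needs no wildcard.
MTA_RE = re.compile(r"PowerMTA", re.IGNORECASE)

def received_hits(raw_message):
    """Return the unfolded Received header values that name the MTA."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # join folded continuation lines
        if MTA_RE.search(unfolded):
            hits.append(unfolded)
    return hits

# Constructed sample: a message relayed through the MTA. The second Received
# line is the one quoted in the thread, folded across two lines.
RELAYED = (
    "Received: from mx.example.net ([192.0.2.10])\n"
    "\tby mail.example.org with esmtp; Fri, 30 Apr 2010 21:39:01 +0000\n"
    "Received: by giky28.corgiky.com\n"
    "\t(PowerMTA(TM) v3.0c2) id <the rest redacted>.\n"
    "Subject: constructed sample\n"
    "\n"
    "Body text.\n"
)

# Constructed sample: a list post that only talks about the MTA in its body.
DISCUSSION = (
    "Received: from mx.example.net ([192.0.2.10])\n"
    "\tby mail.example.org with esmtp; Fri, 30 Apr 2010 21:39:01 +0000\n"
    "Subject: Advice on a Regexp requested\n"
    "\n"
    "Received: by giky28.corgiky.com (PowerMTA(TM) v3.0c2) id ...\n"
)

if __name__ == "__main__":
    print(received_hits(RELAYED))     # one hit: the relay's own trace line
    print(received_hits(DISCUSSION))  # no hits: the string is body text only
```

A filter that scans the whole message for the string instead of the trace headers would score both samples the same way.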
