# EXTRACT-RECEIVED-INFO.RC
#
# Function to extract the sending IP, sending host, HELO, and
# receiving host from the designated Received: header, and IP from the
# X-Original-IP:, X-Origin:, and X-IP: headers, and put their values in
# a series of variables that can be used by other scripts to analyze the
# email for spamsigns, perform lookups on DNS-based blacklists and
# whitelists, etc.
#
# Reads:  LOCALNUMRCVDS, ECHO, SED, SBDIR (all defined outside this file).
# Writes: LOCALTAG (yes once an IP was found, else no), LOCALBUFFER (the
#         header being parsed), STRING (scratch copy of MATCH), LOCALIP,
#         LOCAL24 (LOCALIP minus its last octet), LOCALSENDER,
#         LOCALRECEIVER, LOCALHELO.
#
# NOTE(review): no recipe visible in this file reads X-Original-IP:,
# X-Origin: or X-IP:. Presumably that is done elsewhere; confirm, or
# trim the description above.
#
# NOTE(review): everything extracted here is header text. Only a
# Received: line stamped by a relay you control is trustworthy; lines
# further down, and the HELO name in any line, are chosen by the sender.
# Which line is parsed depends on LOCALNUMRCVDS, so check how it is set
# before using these values for whitelisting.
#
# NOTE(review): the octet pattern [0-9][0-9]?[0-9]? accepts 0 to 999 and
# only dotted IPv4 is matched. A header carrying an IPv6 address leaves
# LOCALTAG at no.
#
# The regular expressions below are continued with a trailing backslash
# and the continuation lines start in column 0 on purpose: the first
# condition uses the $ flag, where leading whitespace is significant.

# Get the IP
#
# NOTE(review): LOCALIP is not cleared here, so a value left over from an
# earlier call would survive when no recipe below matches. Confirm the
# caller resets it.
LOCALTAG=no

:0
* $ ^${LOCALNUMRCVDS}\/(X-)?Received: from .*[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?.*
{
  LOCALBUFFER=${MATCH}

  # Get rid of the extra header lines that some versions of Procmail
  # mistakenly extract from some headers.  :/
  #
  # The sed expression deletes everything from the second line onward.
  # NOTE(review): the variable is double-quoted and the command contains
  # a pipe, so the expansion is presumably done by the shell on an
  # exported variable. Confirm, because the header text is untrusted.
  :0
  * LOCALBUFFER ?? ^(X-)?Received: from .*[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?.*$(.|$)
  { LOCALBUFFER=`${ECHO} "${LOCALBUFFER}" | ${SED} -e '2,$d'` }

  # Extract correct sending IP from headers generated by ArGoSoft.
  #
  # MATCH starts at the first bracketed IP; sed trims from the character
  # before " by " to the end of the string.
  :0
  * LOCALBUFFER ?? ^(X-)?Received: from .*\[\/[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\] .*(\[|[(])\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?(\]|[)]) \
.*\(ArGoSoft([^0-9a-z]|$)
  {
    STRING=${MATCH}
    LOCALTAG=yes

    :0
    { LOCALIP=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9.] by .*$//'` }
  }

  # Extract correct sending IP from headers generated by postini.com
  # from incoming email.
  #
  # The first condition recognises the postini layout; the second one
  # captures the digits and dots that follow "from source ([".
  :0
  * LOCALBUFFER ?? ^(X-)?Received: from source \(\[[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\]\) (\(using TLSv1\) )?\
by exprod[0-9]+mx[0-9]+\.postini\.com \(\[[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\) \
with SMTP
  * LOCALBUFFER ?? ^(X-)?Received: from source \(\[\/[0-9.]+
  {
    STRING=${MATCH}
    LOCALIP=${STRING}
    LOCALTAG=yes
  }

  # Extract correct sending IP from headers generated by Yahoo
  # from incoming email.
  #
  :0
  * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
(\(HELO [0-9a-z][-_0-9a-z.]+\) )?\
.*\(([0-9a-z][-_0-9a-z.]+@)?\
\/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]? \
with login\)
  {
    STRING=${MATCH}
    LOCALTAG=yes

    :0
    { LOCALIP=`${ECHO} "${STRING}" | ${SED} -e 's/ with.*$//'` }
  }

  # Extract correct sending IP from headers generated by Tin.IT
  # from incoming email.
  #
  :0
  * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
\(\/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\) \
by ([0-9a-z][-_0-9a-z]+\.)+tin\.it \
\([0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\)
  {
    STRING=${MATCH}
    LOCALTAG=yes

    :0
    { LOCALIP=`${ECHO} "${STRING}" | ${SED} -e 's/) .*$//'` }
  }

  # Extract correct sending IP from headers generated when HELO'ing
  # with IP instead of FQDN or hostname.
  #
  # Only tried while LOCALTAG is still no. The captured address is the
  # second one on the line, the one inside [ ] or ( ).
  :0
  * LOCALTAG ?? no
  * LOCALBUFFER ?? ^(X-)?Received: from .*(\[)?[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?(\])?.*(\[|[(])\
()\/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?(\]|[)])
  {
    STRING=${MATCH}
    LOCALTAG=yes

    :0
    { LOCALIP=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9.]*$//'` }
  }

  # Extract correct sending IP from other types of Received: headers.
  #
  # Fallback, also guarded by LOCALTAG still being no.
  :0
  * LOCALTAG ?? no
  * LOCALBUFFER ?? ^(X-)?Received: from .*(\[|[(])\
()\/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?(\]|[)])
  {
    STRING=${MATCH}
    LOCALTAG=yes

    :0
    { LOCALIP=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9.]*$//'` }
  }
}

# Generate the "Local24" value, for local checking.
#
# Strips the last dot and the digits after it from LOCALIP. This and the
# two includes below run whether or not an IP was found above.
:0
{ LOCAL24=`${ECHO} "${LOCALIP}" | ${SED} -e 's/\.[0-9]*$//'` }

# Generate the LOCALIPREGEXP value for ICANN Non-Routable CIDR file check.
#
INCLUDERC=${SBDIR}/functions/reverseip.rc
INCLUDERC=${SBDIR}/functions/cidrmatch.rc

# Analyze the rest of the header if and only if an IP was found.
#
# host.example.com is the "not determined yet" placeholder. Most sections
# below run only while all three variables still hold it, so the first
# section that recognises the header layout wins.
:0
* LOCALTAG ?? yes
{
  LOCALSENDER="host.example.com"
  LOCALRECEIVER="host.example.com"
  LOCALHELO="host.example.com"

  # ARGOSOFT
  #
  # Check to see if the Received: line was generated by ArGoSoft, and
  # if it was, extract the necessary information.
  #
  :0
  * LOCALBUFFER ?? ^(X-)?Received: from \[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\] by [0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\
().*\(ArGoSoft .*$
  {
    # The receiver is the address after "by"; the sender name is set to
    # unknown for this layout.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\] by \/[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\
().*\(ArGoSoft .*$
    {
      STRING=${MATCH}
      LOCALSENDER='unknown'

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/ .*ArGoSoft .*$//'` }
    }
  }

  # POSTINI
  #
  # Check to see if the Received: line was generated by postini.com
  # and if it was, extract what information you can.
  #
  # Only LOCALRECEIVER is set in this section.
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * LOCALBUFFER ?? ^(X-)?Received: from source \(\[[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\]\) (\(using TLSv1\) )?\
by exprod[0-9]+mx[0-9]+\.postini\.com \(\[[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\]\) with SMTP
  {
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from source \(\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\) (\(using TLSv1\) )?\
by \/[a-zA-Z0-9.-]+
    { LOCALRECEIVER=${MATCH} }
  }

  # MICROSOFT EXCHANGE
  #
  # Check to see if the Received: line was generated by Microsoft
  # Exchange, and if it was, extract the necessary information.
  #
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * LOCALBUFFER ?? ^(X-)?Received: from ([a-z0-9][-_a-z0-9.]+@)?\
([a-z0-9][-_a-z0-9.]+ )?\
\(\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\) \
by ([a-z0-9][-_a-z0-9.]+@)?[a-z0-9][-_a-z0-9.]+ .*\
with Microsoft SMTPSVC[^0-9a-z].*$
  {
    # Sender: if the text after "from " starts directly with ([ and a
    # digit there is no host name, so keep the placeholder. Otherwise
    # take the first word.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \/([a-z0-9][-_a-z0-9.]+@)?\
([a-z0-9][-_a-z0-9.]+ )?\
\(\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\) \
by ([a-z0-9][-_a-z0-9.]+@)?[a-z0-9][-_a-z0-9.]+ .*\
with Microsoft SMTPSVC[^0-9a-z].*$
    {
      STRING=${MATCH}

      :0
      * STRING ?? ^\(\[[0-9][0-9]?[0-9]?\.
      { LOCALSENDER=host\.example\.com }

      :0
      * ! STRING ?? ^\(\[[0-9][0-9]?[0-9]?\.
      { LOCALSENDER=`${ECHO} "${STRING}" | ${SED} -e 's/ .*$//'` }
    }

    # Receiver: first word after "by ".
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from ([a-z0-9][-_a-z0-9.]+@)?\
([a-z0-9][-_a-z0-9.]+ )?\
\(\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\) \
by \/([a-z0-9][-_a-z0-9.]+@)?[a-z0-9][-_a-z0-9.]+ .*\
with Microsoft SMTPSVC[^0-9a-z].*$
    {
      STRING=${MATCH}

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/ .*$//'` }
    }
  }

  # QMAIL (non-LDAP)
  #
  # Check to see if the Received: line was generated by Qmail, and
  # if it was, extract the necessary information.
  #
  # NOTE(review): the patterns accept the keyword ELHO as well as HELO.
  # Confirm that this spelling is intended and is not a typo for EHLO.
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
(\((HELO|ELHO) (\[)?[0-9a-z][-_0-9a-z.]+(\])?\) )?\
\(([a-z0-9][-_a-z0-9.@]+( )?)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\).*by \
[0-9a-z][-_0-9a-z.]+ .*with .*$
  {
    # Sender: first word after "from ".
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \/[0-9a-z][-_0-9a-z.]+ \
(\((HELO|ELHO) (\[)?[0-9a-z][-_0-9a-z.]+(\])?\) )?\
\(([a-z0-9][-_a-z0-9.@]+( )?)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\).*by \
[0-9a-z][-_0-9a-z.]+ .*with .*$
    {
      STRING=${MATCH}

      :0
      * STRING ?? ^(\((HELO|ELHO) |(\()[0-9][0-9]?[0-9]?\.)
      { LOCALSENDER=host\.example\.com }

      :0
      * ! STRING ?? ^(\((HELO|ELHO) |(\()[0-9][0-9]?[0-9]?\.)
      { LOCALSENDER=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z.]* .*$//'` }
    }

    # HELO: the name inside the (HELO ...) group, which is mandatory in
    # this pattern.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
\((HELO|ELHO) (\[)?\/[0-9a-z][-_0-9a-z.]+(\])?\) \
\(([a-z0-9][-_a-z0-9.@]+( )?)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\).*by \
[0-9a-z][-_0-9a-z.]+ .*with .*$
    {
      STRING=${MATCH}

      :0
      { LOCALHELO=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }

    # Receiver: first word after "by ".
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
(\((HELO|ELHO) (\[)?[0-9a-z][-_0-9a-z.]+(\])?\) )?\
\(([a-z0-9][-_a-z0-9.@]+( )?)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\).*by \
\/[0-9a-z][-_0-9a-z.]+ .*with .*$
    {
      STRING=${MATCH}

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }
  }

  # QMAIL (LDAP 103)
  #
  # Check to see if the Received: line was generated by Qmail, and
  # if it was, extract the necessary information.
  #
  # Same as the section above, except that the IP inside the parentheses
  # is wrapped in [ ] and the (HELO ...) group is mandatory.
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
\((HELO|ELHO) (\[)?[0-9a-z][-_0-9a-z.]+(\])?\) \
\(([a-z0-9][-_a-z0-9.@]+( )?)?\
(\[)[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?(\])\).*by \
[0-9a-z][-_0-9a-z.]+ .*with .*$
  {
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \/[0-9a-z][-_0-9a-z.]+ \
\((HELO|ELHO) (\[)?[0-9a-z][-_0-9a-z.]+(\])?\) \
\(([a-z0-9][-_a-z0-9.@]+( )?)?\
(\[)[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?(\])\).*by \
[0-9a-z][-_0-9a-z.]+ .*with .*$
    {
      STRING=${MATCH}

      :0
      * STRING ?? ^(\((HELO|ELHO) |(\[)[0-9][0-9]?[0-9]?\.)
      { LOCALSENDER=host\.example\.com }

      :0
      * ! STRING ?? ^(\((HELO|ELHO) |(\[)[0-9][0-9]?[0-9]?\.)
      { LOCALSENDER=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }

    :0
    * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
\((HELO|ELHO) (\[)?\/[0-9a-z][-_0-9a-z.]+(\])?\) \
\(([a-z0-9][-_a-z0-9.@]+( )?)?\
(\[)[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?(\])\).*by \
[0-9a-z][-_0-9a-z.]+ .*with .*$
    {
      STRING=${MATCH}

      :0
      { LOCALHELO=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }

    :0
    * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
\((HELO|ELHO) (\[)?[0-9a-z][-_0-9a-z.]+(\])?\) \
\(([a-z0-9][-_a-z0-9.@]+( )?)?\
(\[)[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?(\])\).*by \
\/[0-9a-z][-_0-9a-z.]+ .*with .*$
    {
      STRING=${MATCH}

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }
  }

  # EXIM (WITH VALID RDNS)
  #
  # Exim can generate two different types of headers; what it will
  # do appears to depend on whether the sending IP has a valid rDNS.
  # Check to see if the Received: line was generated by Exim *with*
  # valid rDNS on the IP.
  #
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * LOCALBUFFER ?? ^(X-)?Received: from ([a-z0-9][-_a-z0-9.]+ )?\
\(\[([a-z0-9][-_a-z0-9.]+@)?[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\
(:[0-9]+)?( helo=(\[)?[a-z0-9][-_a-z0-9.]+)?\).*\
by [a-z0-9][-_a-z0-9.]+ with.*\(Exim[^a-z].*$
  {
    # Sender: the optional host name before the ([IP]) group. When the
    # text starts with ([ and a digit, no name was given and the
    # placeholder is kept.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \/([a-z0-9][-_a-z0-9.]+ )?\
\(\[([a-z0-9][-_a-z0-9.]+@)?[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\
(:[0-9]+)?( helo=(\[)?[a-z0-9][-_a-z0-9.]+)?\).*\
by [a-z0-9][-_a-z0-9.]+ with.*\(Exim[^a-z].*$
    {
      STRING=${MATCH}

      :0
      * STRING ?? ^\(\[[0-9][0-9]?[0-9]?\.
      { LOCALSENDER=host\.example\.com }

      :0
      * ! STRING ?? ^\(\[[0-9][0-9]?[0-9]?\.
      { LOCALSENDER=`${ECHO} "${STRING}" | ${SED} -e 's/ [(][[].*$//' -e 's/^[^0-9a-z]*//' -e 's/[^0-9a-z]*$//'` }
    }

    # HELO: the value after helo=, cut at the closing parenthesis.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from ([a-z0-9][-_a-z0-9.]+ )?\
\(\[([a-z0-9][-_a-z0-9.]+@)?[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\
(:[0-9]+)? helo=(\[)?\/[a-z0-9][-_a-z0-9.]+\).*\
by [a-z0-9][-_a-z0-9.]+ with.*\(Exim[^a-z].*$
    {
      STRING=${MATCH}

      :0
      { LOCALHELO=`${ECHO} "${STRING}" | ${SED} -e 's/[)].*$//'` }
    }

    # Receiver: first word after "by ".
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from ([a-z0-9][-_a-z0-9.]+ )?\
\(\[([a-z0-9][-_a-z0-9.]+@)?[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\
(:[0-9]+)?( helo=(\[)?[a-z0-9][-_a-z0-9.]+)?\).*\
by \/[a-z0-9][-_a-z0-9.]+ with.*\(Exim[^a-z].*$
    {
      STRING=${MATCH}

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/ .*$//'` }
    }
  }

  # EXIM (WITHOUT VALID RDNS)
  #
  # Check to see if the Received: line was generated by Exim *without*
  # valid rDNS for the sending IP.
  #
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * LOCALBUFFER ?? ^(X-)?Received: from \[([a-z0-9][-_a-z0-9.]+@)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\] \
\((port=[0-9]+ )?helo=(\[)?[a-z0-9][-_a-z0-9.]+(\])?\).*\
by [a-z0-9][-_a-z0-9.]+ with .*\(Exim[^a-z].*$
  {
    # HELO: the value after helo=. The sender name is set to unknown.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \[([a-z0-9][-_a-z0-9.]+@)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\] \
\((port=[0-9]+ )?helo=(\[)?\/[a-z0-9][-_a-z0-9.]+(\])?\).*\
by [a-z0-9][-_a-z0-9.]+ with .*\(Exim[^a-z].*$
    {
      STRING=${MATCH}
      LOCALSENDER='unknown'

      :0
      { LOCALHELO=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }

    # NOTE(review): this condition carries two match markers, one after
    # helo= and one after "by ". Every other receiver recipe in this
    # file has a single marker in front of the receiving host, so the
    # first one looks like a copy-and-paste leftover. Depending on how
    # procmail treats the second marker, LOCALRECEIVER either ends up
    # holding the HELO name or is never set. Verify and drop the marker
    # after helo=.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \[([a-z0-9][-_a-z0-9.]+@)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\] \
\((port=[0-9]+ )?helo=(\[)?\/[a-z0-9][-_a-z0-9.]+(\])?\).*\
by \/[a-z0-9][-_a-z0-9.]+ with .*\(Exim[^a-z].*$
    {
      STRING=${MATCH}

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }
  }

  # SENDMAIL/POSTFIX
  #
  # Check to see if the Received: line was generated by Postfix
  # or Sendmail, and if it was, extract the necessary information.
  #
  # NOTE(review): the Exim exclusion below tests ^Received: only, while
  # the other patterns also accept an X-Received: prefix.
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * ! LOCALBUFFER ?? ^Received: from .*\(Exim
  * LOCALBUFFER ?? ^(X-)?Received: from (\[)?[0-9a-z][-_0-9a-z.]+(\])? \
\((((IDENT:)?([0-9a-z][-_0-9a-z.]+@)?\
(([0-9a-z][-_0-9a-z]*\.)+[a-z][a-z][a-z]?[a-z]? )?)|localhost |unknown )?\
\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\
( \(may be forged\))?\)(.*$)?.*by(.*$)?.*[0-9a-z][-_0-9a-z.]+ .*with .*$
  {
    # Sender: the host name inside the parentheses, in front of the
    # bracketed IP. If the captured text starts with [ and a digit there
    # was no name and the placeholder is kept.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from (\[)?[0-9a-z][-_0-9a-z.]+(\])? \
\((((IDENT:)?([0-9a-z][-_0-9a-z.]+@)?\
()\/(([0-9a-z][-_0-9a-z]*\.)+[a-z][a-z][a-z]?[a-z]? )?)|localhost |unknown )?\
\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\
( \(may be forged\))?\)(.*$)?.*by(.*$)?.*[0-9a-z][-_0-9a-z.]+ .*with .*$
    {
      STRING=${MATCH}

      :0
      * STRING ?? ^\[[0-9][0-9]?[0-9]?\.
      { LOCALSENDER=host\.example\.com }

      :0
      * ! STRING ?? ^\[[0-9][0-9]?[0-9]?\.
      { LOCALSENDER=`${ECHO} "${STRING}" | ${SED} -e 's/ .*$//' -e 's/^[^0-9A-Za-z]*//' -e 's/[^0-9A-Za-z]*$//'` }
    }

    # HELO: the first word after "from ".
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from (\[)?\/[0-9a-z][-_0-9a-z.]+(\])? \
\((((IDENT:)?([0-9a-z][-_0-9a-z.]+@)?\
(([0-9a-z][-_0-9a-z]*\.)+[a-z][a-z][a-z]?[a-z]? )?)|localhost |unknown )?\
\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\
( \(may be forged\))?\)(.*$)?.*by(.*$)?.*[0-9a-z][-_0-9a-z.]+ .*with .*$
    {
      STRING=${MATCH}

      :0
      { LOCALHELO=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }

    # Receiver: the word in front of "with".
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from (\[)?[0-9a-z][-_0-9a-z.]+(\])? \
\((((IDENT:)?([0-9a-z][-_0-9a-z.]+@)?\
(([0-9a-z][-_0-9a-z]*\.)+[a-z][a-z][a-z]?[a-z]? )?)|localhost |unknown )?\
\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\]\
( \(may be forged\))?\)(.*$)?.*by(.*$)?.*\/[0-9a-z][-_0-9a-z.]+ .*with .*$
    {
      STRING=${MATCH}

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }
  }

  # MyRealBox
  #
  # Check to see if the Received: line was generated by MyRealBox,
  # and if so extract what information you can.
  #
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ (not authenticated )?\
\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\].*\
by ([0-9a-z][-_0-9a-z]+\.)+myrealbox\.com with NetMail.*$
  {
    # NOTE(review): the section guard requires LOCALSENDER to hold the
    # placeholder, and the first two recipes below can only set it to
    # unknown or to the placeholder again. The third recipe therefore
    # looks unreachable, so the host name is never copied into
    # LOCALSENDER. Its condition was probably meant to test STRING.
    # Verify against a sample header.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \/[0-9a-z][-_0-9a-z.]+ (not authenticated )?\
\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\].*\
by ([0-9a-z][-_0-9a-z]+\.)+myrealbox\.com with NetMail.*$
    {
      STRING=${MATCH}

      :0
      * STRING ?? not authenticated
      { LOCALSENDER="unknown" }

      :0
      * STRING ?? ^\[[0-9][0-9]?[0-9]?\.
      { LOCALSENDER=host\.example\.com }

      :0
      * ! LOCALSENDER ?? ^(host\.example\.com|unknown)$
      { LOCALSENDER=`${ECHO} "${STRING}" | ${SED} -e 's/ .*$//'` }
    }

    # Receiver: first word after "by ".
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ (not authenticated )?\
\[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\].*\
by \/([0-9a-z][-_0-9a-z]+\.)+myrealbox\.com with NetMail.*$
    {
      STRING=${MATCH}

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/ .*$//'` }
    }
  }

  # WEBMAIL
  #
  # Check to see if the Received: line was generated by a webmail
  # server of some type, and get what information you can.  (Won't
  # be much, but hey.)
  #
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * ! LOCALBUFFER ?? ^Received: from .*\(Exim
  * LOCALBUFFER ?? ^(X-)?Received: from ((\[)?[0-9a-z][-_0-9a-z.]+(\])? )?\
\([0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\).*by [0-9a-z][-_0-9a-z.]+;.*$
  {
    # HELO: the optional name after "from ". The sender name is set to
    # unknown.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from ((\[)?\/[0-9a-z][-_0-9a-z.]+(\])? )?\
\([0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\).*by [0-9a-z][-_0-9a-z.]+;.*$
    {
      STRING=${MATCH}
      LOCALSENDER='unknown'

      :0
      { LOCALHELO=`${ECHO} "${STRING}" | ${SED} -e 's/[^0-9A-Za-z]* .*$//'` }
    }

    # Receiver: the host name after "by ", cut at the first character
    # that cannot be part of a host name.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from ((\[)?[0-9a-z][-_0-9a-z.]+(\])? )?\
\([0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\).*by \/[0-9a-z][-_0-9a-z.]+;.*$
    {
      STRING=${MATCH}

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/[^_0-9A-Za-z.-].*$//'` }
    }
  }

  # SQUIRRELMAIL
  #
  # Check to see if the Received: line was generated by a SquirrelMail
  # webmail server, and get what information you can.
  #
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * ! LOCALBUFFER ?? ^Received: from .*\(Exim
  * LOCALBUFFER ?? ^(X-)?Received: from [0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]? .*\
\(SquirrelMail .*\
by [0-9a-z][-_0-9a-z.]+[^-_0-9a-z.+]*.*$
  {
    # NOTE(review): in the sed expression below the bracket group is
    # followed by a star, so it can match nothing, and the rest of the
    # pattern then matches the whole string from its first character.
    # LOCALRECEIVER therefore looks like it always comes out empty. The
    # WEBMAIL section uses the same expression without the star.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from [0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]? .*\
\(SquirrelMail .*\
by \/[0-9a-z][-_0-9a-z.]+[^-_0-9a-z.+]*.*$
    {
      STRING=${MATCH}
      LOCALSENDER='unknown'

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/[^_0-9A-Za-z.+-]*.*$//'` }
    }
  }

  # WEBMAIL #2
  #
  # Check to see if the Received: line was generated by a minimal
  # webmail server of some type, and get what information you can.
  # (Won't be much, but hey.)
  #
  :0
  * LOCALSENDER ?? ^host\.example\.com$
  * ! LOCALBUFFER ?? ^Received: from .*\(Exim
  * LOCALHELO ?? ^host\.example\.com$
  * LOCALRECEIVER ?? ^host\.example\.com$
  * LOCALBUFFER ?? ^(X-)?Received: from \[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\].*\
by [0-9a-z][-_0-9a-z.]+[^-_0-9a-z.+]*.*$
  {
    # NOTE(review): same sed expression as in the SQUIRRELMAIL section,
    # with the same concern that it empties LOCALRECEIVER.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\].*\
by \/[0-9a-z][-_0-9a-z.]+[^-_0-9a-z.+]*.*$
    {
      STRING=${MATCH}
      LOCALSENDER='unknown'

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/[^_0-9A-Za-z.+-]*.*$//'` }
    }
  }

  # YAHOO WEBMAIL
  #
  # Check to see if the Received: line was generated by Yahoo, and
  # get the info from it.
  #
  # Unlike the sections above, this one is not guarded by the three
  # placeholder tests, so it can overwrite values set earlier.
  :0
  * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
(\(HELO [0-9a-z][-_0-9a-z.]+\) )?\
.*\(([0-9a-z][-_0-9a-z.]+@)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]? \
with login\)
  {
    # NOTE(review): STRING begins with the host name character matched
    # right after the marker, so the two tests for a leading parenthesis
    # look like they can never match. The third recipe fires only when
    # LOCALSENDER is no longer the placeholder, that is, only when an
    # earlier section already set it. Verify the intended logic.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from \/[0-9a-z][-_0-9a-z.]+ \
(\(HELO [0-9a-z][-_0-9a-z.]+\) )?\
.*\(([0-9a-z][-_0-9a-z.]+@)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]? \
with login\).*by ([0-9a-z][-_0-9a-z]+\.)+yahoo\.com.*$
    {
      STRING=${MATCH}

      :0
      * STRING ?? ^\([0-9][0-9]?[0-9]?\.
      { LOCALSENDER=host\.example\.com }

      :0
      * STRING ?? ^\(HELO
      { LOCALSENDER=host\.example\.com }

      :0
      * ! LOCALSENDER ?? ^host\.example\.com$
      { LOCALSENDER=`${ECHO} "${STRING}" | ${SED} -e 's/ .*$//'` }
    }

    # HELO: the name inside the (HELO ...) group, which is mandatory in
    # this pattern.
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
\(HELO \/[0-9a-z][-_0-9a-z.]+\) \
.*\(([0-9a-z][-_0-9a-z.]+@)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]? \
with login\).*by ([0-9a-z][-_0-9a-z]+\.)+yahoo\.com.*$
    {
      STRING=${MATCH}

      :0
      { LOCALHELO=`${ECHO} "${STRING}" | ${SED} -e 's/) .*$//'` }
    }

    # Receiver: the yahoo.com host name after "by ".
    :0
    * LOCALBUFFER ?? ^(X-)?Received: from [0-9a-z][-_0-9a-z.]+ \
(\(HELO [0-9a-z][-_0-9a-z.]+\) )?\
.*\(([0-9a-z][-_0-9a-z.]+@)?\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.\
[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]? \
with login\).*by \/([0-9a-z][-_0-9a-z]+\.)+yahoo\.com.*$
    {
      STRING=${MATCH}

      :0
      { LOCALRECEIVER=`${ECHO} "${STRING}" | ${SED} -e 's/ .*$//'` }
    }
  }

# End condition "If LOCALIP found".
}