> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Pennock
> Sent: Friday, January 11, 2008 8:27 PM
> To: Craig Jackson
> Cc: [email protected]
> Subject: Re: [exim] Loopp through IP addresses in received header
>
> On 2008-01-11 at 09:47 -0600, Craig Jackson wrote:
> > I'd like to loop through all of the IP addresses in the received headers
> > and check each one to see if that address is in a list of address
> > blocks, like 12.23.0.0/16 : 34.56.67.0/24 : 1.6.0.0/8
>
> Exim 4.67 or more recent, to get the map, filter, reduce etc operators?
>
> List of all IP addresses in Received: headers:
> ${filter{<\n ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}}{isip{$item}}}
>
> The core of this is:
>
> ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}
>
> If I save your email (the one I'm replying to) to a file called
> "fred1.eml" and then run "exim -bem fred1.eml" (for sufficiently recent
> Exim to support the -bem option) then I can do:
>
>
> > ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}
>
> 2001:630:200:8080:204:23ff:fed6:b664
> 127.0.0.1
> 72.245.64.135
>
>
>
>
> The blank lines are for the outside parts; the filter just reduces this
> to IP addresses, removing blank lines and acting as a sanity check
> against anything spuriously caught; there's an assumption that all IP
> addresses are in square brackets.
>
> You can put your list of address blocks into a "hostlist"; my Exim
> config happens to have one called "bad_host_addresses" defined as:
> hostlist bad_host_addresses = <; 0.0.0.0 ; 127.0.0.0/8 ; ::
> so purely for my own convenience I'll use that as an example for
> extracting an address from that list.
>
> ${filter{<\n ${filter{<\n ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}}{isip{$item}}}}{match_ip{$item}{+bad_host_addresses}}}
>
> Testing, I see:
> > ${filter{<\n ${filter{<\n ${sg{$h_received:}{\N(?m:^[^[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$)\N}{\$1}}}{isip{$item}}}}{match_ip{$item}{+bad_host_addresses}}}
> 127.0.0.1
>
>
>
> Breaking that down, splitting into components for readability, etc, is
> left as an exercise for the reader.
>
> Regards,
> -Phil
>
> --

Wow. Thanks, Phil. That's exactly what I needed. I have the host address
block list in a MySQL database. This has cut out 90% of our spam. But
occasionally spammers are good enough to send mail through "trusted"
servers. That's where this little rule will help.

Craig
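
The nested filters from the quoted message, modelled in Python so the regex and a block list can be tried against sample headers offline. This is an added example, not code from the thread: the sample headers and the function names are constructed, and Python's `ipaddress` module stands in for Exim's `isip` and `match_ip`.

```python
import ipaddress
import re

# Regex from the quoted message; "[" is escaped inside the class for Python's re.
RECEIVED_RE = re.compile(r"(?m)^[^\[]+(?:\[([0-9A-Fa-f:.]+)\])?.+$")

# Constructed sample of what $h_received: holds (header bodies joined by newlines).
SAMPLE_RECEIVED = (
    "from mx.example.net (mx.example.net [2001:db8::25])\n"
    "\tby lists.example.org with esmtp (tag [deadbeef])\n"
    "\tfor <user@example.org>; Fri, 11 Jan 2008 15:47:00 +0000\n"
    "from localhost ([127.0.0.1] helo=scanner)\n"
    "\tby mx.example.net with smtp\n"
    "from client.example.com (client.example.com [192.0.2.77])\n"
    "\tby relay.example.com; Fri, 11 Jan 2008 09:47:00 -0600"
)

# The hostlist from the message: <; 0.0.0.0 ; 127.0.0.0/8 ; ::
BAD_HOST_ADDRESSES = ["0.0.0.0", "127.0.0.0/8", "::"]


def is_ip(item):
    """Stand-in for isip{$item}: true only for a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(item)
        return True
    except ValueError:
        return False


def received_ips(received):
    """Inner filter: ${sg ...{\\$1}} then keep only items that pass isip."""
    # Each match is replaced by its bracketed capture (empty if none).
    # [^\[] also matches newlines, so one match can span folded lines, and
    # only the first "[...]" in each match is captured.
    substituted = RECEIVED_RE.sub(lambda m: m.group(1) or "", received)
    return [i.strip() for i in substituted.split("\n") if is_ip(i.strip())]


def listed(ips, blocks):
    """Outer filter: keep addresses that fall inside any block in the list."""
    # strict=False accepts blocks written with host bits set (1.6.0.0/8).
    nets = [ipaddress.ip_network(b, strict=False) for b in blocks]
    return [ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    ips = received_ips(SAMPLE_RECEIVED)
    print("addresses:", ips)
    print("listed:   ", listed(ips, BAD_HOST_ADDRESSES))
```

The bracketed `deadbeef` is captured by the regex and then dropped by the `isip` step, which is the sanity check the message describes; a second bracketed address on the same line is never captured at all.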
