> Received: from 64.239.129.105 ([::ffff:219.144.149.91])
> From: "Trina Parr" <[EMAIL PROTECTED]>
>
> where in Received: 1st IP is my MX, but 2nd is the spammer's host
> and in From: the name is some arbitrary name with my email address
>
> is it possible to make regex in local.cf that would check that both ips in
> Received are the same?
Yes, but it can get tricky, because there are so many received formats.
A very simple test could be something like
/64\.239\.129\.105 \(\[(?!64\.239\.129\.105).{1,20}\]\)/
Assuming I typed that right it will check for a double-dotquad format where
the second doesn't match and the first one matches. Of course you could
have a hostname between the ([ characters, so you really should handle that
somehow. Perhaps insert a [\w\.]{0,50} or the like there.
I've got a cold and am not thinking too clearly at the moment, so I don't
know how many legit things that might declare to be bogus. You could try it
with a real low score and see what sort of things it hits on. Maybe it
would work for you.
Loren
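
Added example (not part of the messages above and not SpamAssassin code): a Python check of the posted pattern against the header from the question, next to a variant that allows an optional hostname before the bracket and the ::ffff: prefix. The "(name [ip])" layout, the function names and every sample header except the first are assumptions constructed for illustration; the lookahead and character-class syntax used here is the same in Perl.

```python
import re

MX = "64.239.129.105"  # receiving MX address, taken from the quoted header

# Pattern exactly as posted in the reply (expects a plain dotted quad in "([...])").
POSTED = re.compile(r"64\.239\.129\.105 \(\[(?!64\.239\.129\.105).{1,20}\]\)")

def mismatch_rule(mx_ip):
    """Pattern that fires when the HELO name is mx_ip but the peer address is not."""
    ip = re.escape(mx_ip)
    return re.compile(
        r"\bfrom " + ip + r" \("
        r"(?:[\w.-]{1,50} )?"             # assumed optional rDNS hostname
        # The lookahead sits before any prefix is consumed, so backtracking
        # cannot skip "::ffff:" and then accept the MX address itself.
        r"\[(?!(?:::ffff:)?" + ip + r"\])"
        r"[0-9a-f:.]{2,45}\]\)",          # IPv4, IPv6 or IPv4-mapped IPv6 text
        re.IGNORECASE,
    )

def helo_spoofs_mx(received, mx_ip=MX):
    """True if the sender announced itself as our MX from a different address."""
    return mismatch_rule(mx_ip).search(received) is not None

# First header is the one quoted in the question; the rest are constructed.
SAMPLES = [
    "from 64.239.129.105 ([::ffff:219.144.149.91])",
    "from 64.239.129.105 ([219.144.149.91])",
    "from 64.239.129.105 (host.example.net [219.144.149.91])",
    "from 64.239.129.105 ([64.239.129.105])",
    "from 64.239.129.105 ([::ffff:64.239.129.105])",
    "from mail.example.org ([192.0.2.10])",
]

if __name__ == "__main__":
    for line in SAMPLES:
        # "::ffff:219.144.149.91" is 21 characters, one more than .{1,20} allows,
        # so the posted pattern does not reach "])" on the first sample.
        print(f"posted={bool(POSTED.search(line))!s:5} "
              f"variant={helo_spoofs_mx(line)!s:5} {line}")
```
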