# rcvdrc -- procmail include that walks the Received: headers one at a time.
#
# Each inclusion inspects ONE Received: header (the one the caller left in
# NEXTHEADER), tags forgeries with an "X-Reject: (score) ..." header, tries to
# recognise the hand-off header (the hop into our ISP, ${ISPCHECK}), and then
# re-includes itself for the following Received: header.
#
# Variables read (all expected to be set by the including rc file -- confirm):
#   NEXTHEADER  the Received: header to examine on this pass
#   MYNAMES     regex of the addresses that are legitimately "ours"
#   MYHOST      our own mail server's hostname (used verbatim inside regexes
#               and awk programs, so it must not contain regex/shell
#               metacharacters or quotes)
#   MYIP        our own mail server's IP (dots are NOT escaped in the regexes
#               below, so each one also matches any single character)
#   ISPCHECK    regex identifying our ISP's relay in a Received: header
#   IPEXTERNAL  sentinel; contains "//////" once the hand-off header is found
#   INSERT, PATTERN, FINALPATTERN
#               regex fragments used to address the "next" Received: header;
#               presumably INSERT skips one more header per recursion level
#               -- verify against the including rc file
# Variables written: TEST, HANDOFF, IPEXTERNAL, NEXTHEADER, PATTERN,
#   FINALPATTERN, FORGER, FORGERY (and MATCH as a side effect of every \/).
# On return, TEST holds the hand-off Received: header (see the last recipe).
#
# NOTE(review): several recipes below hand header-derived text to a shell
# (`echo $TEST | gawk ...` in backquotes, and ${MATCH} inside a `| formail`
# action). Whether the shell sees the already-substituted header text or only
# the variable name depends on procmail's substitution rules for backquoted
# assignments and action lines -- confirm against procmailrc(5). At minimum,
# unquoted $TEST is subject to word-splitting and glob expansion, and echo
# may interpret a leading "-n"/"-e"; a quoted printf '%s\n' "$TEST" would be
# the conservative form.
#
# Examine the current header, stripping off all preceding ones.
# We return the variable TEST containing the handoff Received: header to our ISP.
TEST="${NEXTHEADER}"
# Narrow TEST to the Received: line itself: MATCH is everything after the
# "R" of "Received:" up to the end of that line, and the "R" is put back.
# (Whatever precedes "Received:" in NEXTHEADER -- depends on PATTERN -- is dropped.)
:0
* TEST ?? R\/eceived:.*
{
  TEST=R${MATCH}
}
# Look for forged Received: headers with "for address;" where "address" isn't mine.
# Conditions: the message is not an ezmlm list post (matched against the real
# header, not TEST); the "for" address does not match MYNAMES; the hop is not
# one of the webmail/IMP/InterScan forms whose "for" is known to be harmless;
# the address is captured into MATCH; and the cookie.untd.com exception does
# not apply. "fh" filters the header only, appending an X-Reject tag.
# NOTE(review): ${MATCH} here is attacker-supplied header text placed on a
# shell command line (see file header); it is constrained to [^ ;]+ but may
# still contain quote and $ characters -- confirm how procmail substitutes it.
:0fh
* ! ^Mailing-List: [0-9a-z @.-]+; run by ezmlm$
*$! TEST ?? ^Received: .*[ ]for[ ]+.*${MYNAMES}
* ! TEST ?? ^Received: .*[ ]with http for[ ]+
* ! TEST ?? ^Received: .*[ ][(]IMP[)] with HTTP
* ! TEST ?? ^Received: .*[ ]with InterScan Messaging Security Suite for SMTP;
* TEST ?? ^Received: .*[ ]for[ ]+\/[^ ;]+( [(]single-drop[)])?;
* ! TEST ?? ^Received: from cookie\.untd\.com by cookie\.untd\.com for [<]\"[A-Z0-9+=]+\"[>];
| formail -A "X-Reject: (100) Forged \`Received: for ${MATCH}' header"
# Look for forgery of our own mail server name by the spammer (sendmail version)
# Fires when "from ... MYHOST ... [some-ip] ... by" appears but the bracketed
# IP is NOT MYIP. MATCH runs from MYHOST to the "by".
:0
*$ TEST ?? ^Received: from.* +\/${MYHOST} .*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*[ ]by[ ]
*$! TEST ?? ^Received: from.* +${MYHOST} .*\[${MYIP}\].*[ ]by[ ]
{
  # Remember what we've found
  FORGERY=${MATCH}
  # Work out the IP address the forger used
  :0
  * FORGERY ?? ()\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  {
    FORGER=${MATCH}
  }
  # Work out the hostname the forger used
  # (procmail matches case-insensitively by default, so this re-extracts
  # MYHOST with the capitalisation the spammer actually used)
  :0
  *$ FORGERY ?? ()\/${MYHOST}
  {
    FORGERY=${MATCH}
  }
  # Remove the forged hostname from the Received: header so that we can
  # go on to correctly identify the handoff header.
  # sub() replaces only the first occurrence; FORGERY is spliced into the awk
  # program text via shell quoting, so it must stay free of quotes/metachars.
  TEST=`echo $TEST | gawk '{ IGNORECASE=1; sub("'${FORGERY}'", "FORGED-MY-HOSTNAME") } { print }'`
  :0fh
  | formail -A "X-Reject: (100) ${FORGER} forged ${FORGERY} in Received: header (sendmail)"
}
# Look for forgery of our own mail server name by the spammer (Exim version)
# Exim form: "from ... [ip] (helo=MYHOST)" where ip is NOT MYIP.
# MATCH runs from the IP to the closing ")".
:0
*$ TEST ?? ^Received: from.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\] [(]helo=${MYHOST}[)]
*$! TEST ?? ^Received: from.*\[${MYIP}\] [(]helo=${MYHOST}[)]
{
  # Remember what we've found
  FORGERY=${MATCH}
  FORGER=${MATCH}
  # Work out the IP address the forger used
  # (the rest of this branch is nested inside this recipe: nothing is tagged
  # unless an IP could be extracted)
  :0
  * FORGER ?? ^()\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  {
    FORGER=${MATCH}
    # Work out the hostname the forger used, and temporarily substitute it in the headers
    # The gawk filter rewrites only the Received: line carrying the forger's IP.
    # MYHOST and FORGER are spliced into the awk program via shell quoting.
    :0fh
    *$ FORGERY ?? helo=\/${MYHOST}
    | gawk '/^Received: .*\['${FORGER}'\]/ { IGNORECASE=1; sub("helo='${MYHOST}'", "helo=FORGED-MY-HOSTNAME") } { print }'
    # MATCH from the helo= condition above: MYHOST as the spammer wrote it.
    FORGERY=${MATCH}
    :0fh
    | formail -A "X-Reject: (100) ${FORGER} forged ${FORGERY} in Received: header (Exim)"
    # Remove the forged hostname from the Received: header so that we can
    # go on to correctly identify the handoff header.
    TEST=`echo $TEST | gawk '{ IGNORECASE=1; sub("'${FORGERY}'", "FORGED-MY-HOSTNAME") } { print }'`
  }
}
# Look for forged localhost Received: header (sendmail version)
# "from localhost[.domain] ... [ip] ... by" where ip is NOT 127.0.0.1.
# MATCH runs from the IP to the end of the line; scored lower (40) than a
# forgery of our own hostname.
:0
* TEST ?? ^Received: from.*localhost(\.[A-Z0-9.-]*)? .*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*[ ]by[ ].*
*! TEST ?? ^Received: from.*localhost(\.[A-Z0-9.-]*)? .*\[127\.0\.0\.1\].*[ ]by[ ].*
{
  FORGER=${MATCH}
  # Narrow FORGER to the bare IP, then rewrite "localhost" on every header
  # line containing that IP (the dots in ${MATCH} are unescaped, so the awk
  # address is slightly looser than an exact IP match).
  :0fh
  * FORGER ?? ()\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  | gawk '/'${MATCH}'/ { IGNORECASE=1; gsub("localhost", "FORGED-LOCALHOST") } { print }'
  FORGER=${MATCH}
  :0fh
  | formail -A "X-Reject: (40) ${FORGER} forged localhost in sendmail Received: header"
  # Remove the forged hostname from the Received: header so that we can
  # go on to correctly identify the handoff header.
  TEST=`echo $TEST | gawk '{ IGNORECASE=1; sub("localhost", "FORGED-LOCALHOST") } { print }'`
}
# Look for forged localhost Received: header (Exim version)
# "from ... [ip] (helo=localhost...)" where ip is NOT 127.0.0.1.
:0
* TEST ?? ^Received: from.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\] [(]helo=localhost.*[)]
*! TEST ?? ^Received: from.*\[127\.0\.0\.1\] [(]helo=localhost.*[)]
{
  FORGER=${MATCH}
  # Same IP narrowing and header rewrite as the sendmail variant above.
  :0fh
  * FORGER ?? ()\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  | gawk '/'${MATCH}'/ { IGNORECASE=1; gsub("localhost", "FORGED-LOCALHOST") } { print }'
  FORGER=${MATCH}
  :0fh
  | formail -A "X-Reject: (40) ${FORGER} forged localhost in Exim Received: header"
  # Remove the forged hostname from the Received: header so that we can
  # go on to correctly identify the handoff header.
  TEST=`echo $TEST | gawk '{ IGNORECASE=1; sub("localhost", "FORGED-LOCALHOST") } { print }'`
}
# Look for the hand-off header
# Only while IPEXTERNAL does not yet hold the "//////" sentinel (i.e. no
# earlier recursion level found it). The header must name ISPCHECK on the
# "by" side, not on the "from" side, and carry a bracketed numeric IP.
:0
* ! IPEXTERNAL ?? //////
*$ TEST ?? Received: from.*\[.*\].*by.*${ISPCHECK}
*$! TEST ?? Received: from.*${ISPCHECK}.*\[.*\]
* TEST ?? Received:.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
{
  # We've found the handoff header, proceed as normal
  IPEXTERNAL="//////"
  HANDOFF="${TEST}"
}
# qmail has different headers so here's a version that works there
# ("E" = only tried when the recipe above did not fire; qmail writes the
# IP in parentheses, optionally prefixed by "user@")
:0E
* ! IPEXTERNAL ?? //////
*$ TEST ?? Received: from.*\((.*@)?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\).*by.*${ISPCHECK}
*$! TEST ?? Received: from.*${ISPCHECK}.*\(.*\).*by
{
  # We've found the handoff header, proceed as normal
  IPEXTERNAL="//////"
  HANDOFF="${TEST}"
}
# Now examine the next Received: header.
# We continue after the handoff header in order to look for forgeries.
# Prepending INSERT to PATTERN/FINALPATTERN advances both by one header for
# the next recursion level (exact mechanics depend on the caller's INSERT).
FINALPATTERN="${INSERT}${FINALPATTERN}"
PATTERN="${INSERT}${PATTERN}"
# Reset to the sentinel so a failed match below does not reuse a stale header.
NEXTHEADER="//////"
:0
*$ ${PATTERN}
{
  NEXTHEADER=${MATCH}
}
# Recurse once more if the next header is a "Received: from ... [..] by"
# (or "(..)") line. Each level re-includes this same file; recursion ends
# when no further such header is found.
:0
* NEXTHEADER ?? Received: from .*[[(].*[])].*by.*
{
  INCLUDERC=rcvdrc
}
# Finished processing Received: headers, restore TEST to the handoff header and return.
# Runs only at the deepest level (the recipe above did not fire). HANDOFF is
# whatever the first level that recognised the hand-off stored; if none did,
# TEST becomes whatever the caller initialised HANDOFF to -- confirm.
:0E
{
  TEST="${HANDOFF}"
}