
matching the IP of senders


mattsh


Hi,

I'm trying to match the sending mail server in mail headers and parse it into a variable. I'm using PHP. The problem I'm running into is that there seems to be no standard for headers.

Basically the line looks like:

Received: from unknown (HELO Alyon-112-2-3-4.someisp.com)
(63.174.243.2) by mail.receivingisp.com with SMTP;

The issue I have is parsing out that IP address... I'm currently using regular expressions.

Also, it seems there is no standard, so sometimes the header will be (x.x.x.x), other times [x.x.x.x], other times ([x.x.x.x]).

So.. I could parse for just an IP... however... spammers seem to like to forge the HELO header often with the receiving mail server!!! This results in MY mailserver getting added to my blacklist.

EXAMPLE:

Received: (qmail 12181 invoked from network); 6 Apr 2004 14:12:27 -0000
Received: from unknown (HELO 63.174.254.3) (207.36.226.195)
by mail.homegrownhost.net with SMTP; 6 Apr 2004 14:12:27 -0000
Date: Tue, 06 Apr 2004 10:11:04 -0500
Message-Id: <10604-47326-86[at]luckydeals6.com>
From: "4 Phones"
To:
Subject: Complimentary Cell Phone Upgrade

That 63.174.254.3 is forged into the headers, but matching only for an IP on the receive line will cause 63.174.254.3 to be grabbed instead of the 207 address.

Basically, I need a way to solidly identify the IP without accidentally identifying false IPs.

Obviously it can be done because lots of places do it (ie spamcop).. but what is the criteria that is searched for? :huh:


I'm trying to match the sending mail server in mail headers and parse it into a variable.

Are you doing this on the server side or on a client? If you are doing it on a server, the mail headers for the server connecting to yours should all be the same as it is your server placing them there.

Also, it seems there is no standard

There are standards called RFCs. Some servers do not follow those standards. This is one of the reasons that Julian requires RFC compliant headers.


'Some servers do not follow these standards'. Yes.. like the people sending spam =)

For instance in the headers:

Received: (qmail 12181 invoked from network); 6 Apr 2004 14:12:27 -0000

Received: from unknown (HELO 65.173.15.3) (207.36.226.195)

by mail.homegrownhost.net with SMTP; 6 Apr 2004 14:12:27 -0000

Date: Tue, 06 Apr 2004 10:11:04 -0500

Message-Id: <10604-47326-86[at]luckydeals6.com>

From: "4 Phones"

They have spoofed the HELO line to be my mail server's IP (65.173.15.3).. so for that reason I can't just parse for an IP after Received: from

I could look for the first occurrence of an IP followed by ) ie 207.36.226.195), however many mail servers seem to use [] others ([]) some just [].. no standard seems to be in place for the headers.

I am doing this client side (ie reading the mail messages... ) and while I understand doing it server side will give me information direct.... the issue is that I'm trying to allow people to dump spam they have received into a blacklist for the ISP I'm working for (and presumably some of them may be putting spam in that didn't come from us).


I am not a moderator, but I was in the initial discussion. It makes it very confusing and intimidating for newcomers looking for simple answers to read posts like this. What we need is a Help Forum; a Why Am I blocked Forum; and a General Discussion Forum where anything can be discussed (or chatted about).

Since few people have used the Lounge to just hang out, the consensus of that discussion was that anything that was not spamcop user help or why am I blocked would be moved to the Lounge. However, as was mentioned earlier there are only certain people who can make changes like what is in the description of the different forums and they have mostly ignored what is happening here for a long time.

So it is custom, I guess you could say. The news groups are self moderated so those of us who have used the newsgroups are used to creating our own guidelines.

That's my understanding of what is going on.

Miss Betsy


I was going to post in the lounge.. however.. didn't because it says don't post anything about spam fighting there :)

...Good point! Attn: moderators -- can you please clarify?

Not sure what I can clarify vice what's been posted over the time this thing has run. JT is the one that set up the present layout and he's the only one empowered to make the types of structural changes that have been asked for. As Miss Betsy pointed out, there have been many discussions that included adding in more sections (and the FAQ thing has been a bit of an issue forever, even the FAQ-o-matic thing that's never been anywhere near up to date / complete / etc. over on the web pages has been an issue for years). So, just doing the best I can do within the framework allowed ...



...Clarification I was requesting was whether it is appropriate to post items relating to fighting spam to the Lounge even though the comments say that it is for "pretty much anything except SpamCop and spam fighting." If so, then that description should be changed (I understand that it might be something only JT can do -- if so, has anyone asked?).

...No structural changes involved, here. :)


rfc2821 (not itself a standard) proposes a syntax, but as this was "only" written in 2001, and the last release of qmail was made in 1998 this isn't going to help.

you will end up with a cascade of regular expressions

if you know all your candidate headers are coming from qmail, then the regexp is something like

^Received:\s+from\s+(\S*)\s+(\(HELO\s+(\S*)\)\s+)?\(((\S+)@)?\[?((([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\]?\)\s+by\s+(\S+)\s+with\s+\S+(\s+for\s+\S+)?\s*;\s+([12][0-9]|3[01]|[1-9])\s+[A-Z][a-z]+\s+[0-9]{4}\s+[0-9]{2}:[0-9]{2}:[0-9]{2}\s+[-+][0-9]{4}\s*$

where \1 is the reverse lookup, \3 is the given name if any, \5 the ident response and \6 the ip address. I can't remember any patches to add ID or VIA information to the header so I have not included them to "keep it simple" :o

for a modernish sendmail you have

^Received:\s+from\s+(\S*)\s+\(((IDENT:)?(\S+)@)?(\S*)\s+\[?((([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\]?\)\s+by\s+(\S+)(\s+\([^)]*\))?\s+with\s+\S+(\s+id\s+\S+)?(\s+for\s+\S+)?\s*;\s+[A-Z][a-z]+,\s+([12][0-9]|3[01]|[1-9])\s+[A-Z][a-z]+\s+[0-9]{4}\s+[0-9]{2}:[0-9]{2}:[0-9]{2}\s+([A-Z]+|[-+][0-9]{4})\s*$

where \1 is the given name or the reverse lookup if no name given, \4 the ident response, \5 the reverse lookup and \6 the ip address.
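An added example, not code from the thread and written in Python rather than the asker's PHP (the patterns are PCRE-compatible and port directly to preg_match): instead of grabbing the first IP on the line, it cuts out the client-supplied HELO token, takes the bracketed address nearest "by" (covering the (ip), [ip], ([ip]) and (ident@ip) forms the thread lists, plus the sendmail "name [ip]" and Exim "helo=" forms), and only accepts a Received: line stamped by the server you control. The host names and the own_ips set are constructed for the example.

```python
import re
from typing import Optional

OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

# Client-supplied greeting as qmail "(HELO name)" or Exim "(helo=name)" records it:
# attacker-controlled, so it is cut out before any IP is looked for.
HELO_RE = re.compile(r"\((?:HELO|EHLO)[= ][^)]*\)", re.IGNORECASE)
# The address the MTA actually saw is always bracketed, in one of the forms the
# thread lists: (ip), [ip], ([ip]) or (ident@ip); sendmail's "name [ip]" also fits.
BRACKETED_IP_RE = re.compile(rf"[(\[](?:[^\s()\[\]]*@)?\[?(?P<ip>{IPV4})\]?[)\]]")
# "Received: from <client part> by <stamping host> ..." split at the first "by".
SPLIT_RE = re.compile(r"^Received:\s+from\s+(?P<client>.*?)\s+by\s+(?P<by>\S+)",
                      re.IGNORECASE | re.DOTALL)


def connecting_ip(received: str, trusted_by: str) -> Optional[str]:
    """IP of the client recorded in one Received: header, or None if the header
    was not stamped by trusted_by (then every token in it may be forged)."""
    m = SPLIT_RE.match(HELO_RE.sub("", received))
    if not m or m.group("by").lower() != trusted_by.lower():
        return None
    hits = BRACKETED_IP_RE.findall(m.group("client"))
    return hits[-1] if hits else None   # the bracket nearest "by" is the MTA's own note


def sender_ip(raw_headers: str, trusted_by: str,
              own_ips: frozenset = frozenset()) -> Optional[str]:
    """Walk the headers top-down (newest hop first), return the client IP from the
    first Received: stamped by trusted_by, and refuse to return one of own_ips so a
    forged line can never put the ISP's own server on the blacklist."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # join continuation lines
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            ip = connecting_ip(line, trusted_by)
            if ip is not None:
                return None if ip in own_ips else ip
    return None


# Constructed sample: the spam headers quoted in the thread, HELO forged to an IP.
SAMPLE = (
    "Received: (qmail 12181 invoked from network); 6 Apr 2004 14:12:27 -0000\n"
    "Received: from unknown (HELO 65.173.15.3) (207.36.226.195)\n"
    "  by mail.homegrownhost.net with SMTP; 6 Apr 2004 14:12:27 -0000\n"
    "Date: Tue, 06 Apr 2004 10:11:04 -0500\n"
)

if __name__ == "__main__":
    print(sender_ip(SAMPLE, "mail.homegrownhost.net"))   # 207.36.226.195, not the HELO
```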


Archived

This topic is now archived and is closed to further replies.
