Grepular

Exim Trick to Extract Received Header IP Addresses

Written 14 years ago by Mike Cardwell

There are cases where you want to extract all of the IP addresses from an email's Received headers in order to perform spam-related lookups against them. Tools like SpamAssassin have this capability built in, but Exim doesn't have a simple string expansion to do it. Here's how I do it in Exim:

1. warn set acl_m0 = ${sg{$h_Received:}{\N\n[ \t]\N}{ }}
2.      set acl_m0 = ${map{<\n$acl_m0}{${if match{$item}{\N\[([^\]]+)\]\N}{$1}}}}
3.      set acl_m0 = ${filter{<\n$acl_m0}{isip4{$item}}}
4.      set acl_m0 = ${filter{<\n$acl_m0}{!match{$item}{\N^(127|10|192\.168|172\.(1[6-9]|2[0-9]|3[01]))\.\N}}}
5.      set acl_m0 = ${filter{<\n$acl_m0}{!eq{$item}{$sender_host_address}}}

The above will only work in the acl_smtp_data ACL (or anything that runs after it). Earlier ACLs such as the RCPT ACL run before the message has been received, so they have no Received headers to look at. A description of what each line above means:

  1. Get a newline-separated list of Received headers. $h_Received: returns every Received header joined by newlines; the ${sg} replaces each newline-plus-whitespace that starts a folded continuation line with a space, so each header ends up on exactly one line

  2. For each Received header, keep only the contents of the first pair of square brackets. In the usual "from helo (rdns [ip])" clause that is the client's address; a header with no brackets produces an empty item

  3. Keep only valid IPv4 addresses (this also throws away the empty items from step 2). I'm not interested in IPv6 for this. If you are, use isip6 or isip for both, but note that RFC 5321 address literals are written [IPv6:2001:db8::1], so you'd have to strip the "IPv6:" tag before isip6 will accept them

  4. Remove loopback (127.x.x.x) and RFC 1918 private addresses (10.x.x.x, 172.16.x.x to 172.31.x.x and 192.168.x.x). A public DNSBL can't say anything useful about these, and 127.0.0.2 is the conventional DNSBL test entry, so it would actually match (optional)

  5. Remove the connecting client's own IP address from the list, since you'll normally be checking $sender_host_address against DNSBLs directly anyway (optional)

Now you have the newline-separated list of IPs, you can process them in many different ways using Exim's various lookup methods. For example, you might want to look them up against the Spamhaus ZEN DNSBL. Here's how you'd do that (the <\n tells dnslists that the list of addresses to query is newline-separated):

deny dnslists = zen.spamhaus.org!=127.0.0.10,127.0.0.11/<\n$acl_m0
     message  = $dnslist_matched is listed on $dnslist_domain with value $dnslist_value

I've explicitly excluded the 127.0.0.10 and 127.0.0.11 results for an extremely important reason. Those are the return values which indicate that an IP address is listed on the PBL (Policy Block List). You don't want to look up IP addresses in Received headers against lists which are used to detect residential and dynamic IPs: Received headers legitimately contain the IP addresses of home users when they connect to their ISP's smarthost. If you blindly look up these IPs against DNSBLs without understanding in detail what those DNSBLs list, then you will block lots and lots of legitimate mail. Because the != form matches any return value that is not in the excluded set, also make sure nothing else you don't intend to act on can come back from the zone. Spamhaus, for instance, signals query errors (rate limiting, queries via public resolvers) with 127.255.255.x return codes, which this condition would otherwise treat as a listing.
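To see what the five expansions above actually produce, and to exercise the PBL exclusion without touching DNS, here is the same pipeline modelled in Python. This is an added example, not the post's Exim configuration and not anything Exim ships: the header block, the stub resolver answers and all function names are constructed for the illustration. Step 4 is implemented with ipaddress prefixes rather than the regex so the comparison is exact, and the example goes a little beyond the post in two places: it strips the "IPv6:" tag from RFC 5321 address literals, and it ignores Spamhaus's 127.255.255.x error codes. The != condition is modelled as "at least one returned code is not in the excluded set"; if you rely on the behaviour for zones that return several A records at once, check the "Variants of the = operator" section of your Exim version's specification.

```python
"""Offline model of the Received-header IP extraction and the
zen.spamhaus.org!=127.0.0.10,127.0.0.11 check (added example, not Exim code)."""
import ipaddress
import re

# Constructed header block: our MX (mail.example.org) was connected to by
# 203.0.113.7.  All addresses are documentation ranges, none is a real host.
SAMPLE_HEADERS = (
    "Received: from mx.example.net ([203.0.113.7])\n"
    "\tby mail.example.org with esmtp (Exim)\n"
    "Received: from smarthost.isp.example ([198.51.100.25] helo=smtp.isp.example)\n"
    "\tby mx.example.net with esmtps\n"
    "Received: from internal.corp.example ([10.1.2.3])\n"
    "\tby smarthost.isp.example with esmtp\n"
    "Received: from homepc.lan (dsl-pool.isp.example [192.0.2.200])\n"
    "\tby smarthost.isp.example with esmtpa\n"
    "Received: from [IPv6:2001:db8::1] by homepc.lan with esmtp\n"
    "Received: from localhost ([127.0.0.1]) by homepc.lan with esmtp\n"
    "Received: by forwarder.example (Postfix)\n"
    "Subject: test\n"
)

BRACKET_RE = re.compile(r"\[([^\]]+)\]")           # step 2's \[([^\]]+)\]
# Step 4's regex expressed as prefixes: loopback plus the three RFC 1918 blocks.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PBL_CODES = {"127.0.0.10", "127.0.0.11"}           # zen's Policy Block List codes
ZEN_LISTING_NET = ipaddress.ip_network("127.0.0.0/24")  # genuine zen listings


def received_headers(raw):
    """Step 1: unfold continuation lines (newline + whitespace -> space) and
    return each Received: body in message order, like $h_Received: after ${sg}."""
    unfolded = re.sub(r"\r?\n[ \t]", " ", raw)
    bodies = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "received":
            bodies.append(value.strip())
    return bodies


def extract_ips(raw, sender_host_address, want_ipv6=False):
    """Steps 2-5: first bracketed token per header, keep only valid IPs,
    drop loopback/RFC 1918 space, drop the connecting client's own address."""
    kept = []
    for body in received_headers(raw):
        m = BRACKET_RE.search(body)
        if not m:
            continue                      # ${map} yields "", which isip4 rejects
        token = m.group(1)
        # RFC 5321 writes IPv6 literals as [IPv6:...]; isip6 wants the bare form.
        if token.lower().startswith("ipv6:"):
            token = token[5:]
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue                      # not an address: the isip filter drops it
        if ip.version == 6 and not want_ipv6:
            continue
        if any(ip in net for net in LOCAL_NETS):
            continue
        if str(ip) == sender_host_address:
            continue
        kept.append(str(ip))
    return kept


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Name that gets looked up: reversed octets (nibbles for IPv6) plus the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # 7.113.0.203.in-addr.arpa
    return reverse.rsplit(".", 2)[0] + "." + zone


def is_listed(codes, excluded=PBL_CODES):
    """Model of `zone!=code,code`: true when at least one returned code is not
    in the excluded set.  Spamhaus error responses (127.255.255.x) are outside
    127.0.0.0/24 and are ignored rather than treated as listings."""
    real = [c for c in codes if ipaddress.ip_address(c) in ZEN_LISTING_NET]
    return any(c not in excluded for c in real)


# Constructed stand-in for DNS answers (no network access): the home user's
# address is on the PBL only, which must not cause a rejection.
FAKE_DNS = {
    dnsbl_query_name("192.0.2.200"): {"127.0.0.11"},
    dnsbl_query_name("198.51.100.25"): set(),
}


def check_message(raw, sender_host_address, resolver=FAKE_DNS):
    """Return [(ip, codes)] for every extracted IP that would trip the deny."""
    hits = []
    for ip in extract_ips(raw, sender_host_address):
        codes = resolver.get(dnsbl_query_name(ip), set())
        if is_listed(codes):
            hits.append((ip, sorted(codes)))
    return hits


if __name__ == "__main__":
    print(extract_ips(SAMPLE_HEADERS, "203.0.113.7"))
    print(check_message(SAMPLE_HEADERS, "203.0.113.7"))
```

Swap FAKE_DNS for a real resolver call and the same check_message() becomes a quick way to confirm, before deploying the ACL, that a message relayed via an ISP smarthost from a PBL-listed home connection passes while an SBL-listed hop in the chain is caught.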
