File Coverage

blib/lib/Mail/SpamAssassin/Message/Metadata/Received.pm
Criterion Covered Total %
statement 538 734 73.3
branch 284 388 73.2
condition 55 83 66.2
subroutine 11 11 100.0
pod 0 4 0.0
total 888 1220 72.7


line stmt bran cond sub pod time code
1             # <@LICENSE>
2             # Licensed to the Apache Software Foundation (ASF) under one or more
3             # contributor license agreements. See the NOTICE file distributed with
4             # this work for additional information regarding copyright ownership.
5             # The ASF licenses this file to you under the Apache License, Version 2.0
6             # (the "License"); you may not use this file except in compliance with
7             # the License. You may obtain a copy of the License at:
8             #
9             # http://www.apache.org/licenses/LICENSE-2.0
10             #
11             # Unless required by applicable law or agreed to in writing, software
12             # distributed under the License is distributed on an "AS IS" BASIS,
13             # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14             # See the License for the specific language governing permissions and
15             # limitations under the License.
16             # </@LICENSE>
17              
18             # ---------------------------------------------------------------------------
19              
20             # So, what's the difference between a trusted and untrusted Received header?
21             # Basically, relays we *know* are trustworthy are 'trusted', all others after
22             # the last one of those are 'untrusted'.
23             #
24             # We determine trust by detecting if they are inside the network ranges
25             # specified in 'trusted_networks'. There is also an inference algorithm
26             # which determines other trusted relays without user configuration.
27             #
28             # There's another type of Received header: the semi-trusted one. This is the
29             # header added by *our* MX, at the boundary of trust; we can trust the IP
30             # address (and possibly rDNS) in this header, but that's about it; HELO name is
31             # untrustworthy. We just use this internally for now.
32             #
33             # Finally, there's also 'internal_networks'. These are the networks that you
34             # control; your MXes should be included. This way, if you specify a wide range
35             # of trusted hosts, a mail that is relayed from a dynamic IP address via a
36             # 'trusted' host will not hit RCVD_IN_DYNABLOCK.
37              
38             # ---------------------------------------------------------------------------
39              
40 40     40   273 use strict; # make Test::Perl::Critic happy
  40         102  
  40         1915  
41             package Mail::SpamAssassin::Message::Metadata::Received; 1;
42              
43             package Mail::SpamAssassin::Message::Metadata;
44 40     40   237 use strict;
  40         105  
  40         948  
45 40     40   221 use warnings;
  40         102  
  40         1427  
46             # use bytes;
47 40     40   245 use re 'taint';
  40         101  
  40         1354  
48              
49 40     40   11930 use Mail::SpamAssassin::Dns;
  40         356  
  40         3619  
50 40     40   420 use Mail::SpamAssassin::PerMsgStatus;
  40         167  
  40         1609  
51 40     40   356 use Mail::SpamAssassin::Constants qw(:ip);
  40         157  
  40         282482  
52              
53             # ---------------------------------------------------------------------------
54              
55             sub parse_received_headers {
56 102     102 0 400 my ($self, $permsgstatus, $msg) = @_;
57              
58 102         320 my $suppl_attrib = $msg->{suppl_attrib}; # out-of-band info from a caller
59              
60             # a caller may assert that a message is coming from inside or from an
61             # authenticated roaming users; this info may not be available in mail
62             # header section, e.g. in case of nonstandard authentication mechanisms
63 102         647 my $originating; # boolean
64 102 100       378 $originating = $suppl_attrib->{originating} if ref $suppl_attrib;
65              
66 102         504 $self->{relays_trusted} = [ ];
67 102         388 $self->{num_relays_trusted} = 0;
68 102         412 $self->{relays_trusted_str} = '';
69              
70 102         365 $self->{relays_untrusted} = [ ];
71 102         363 $self->{num_relays_untrusted} = 0;
72 102         564 $self->{relays_untrusted_str} = '';
73              
74 102         433 $self->{relays_internal} = [ ];
75 102         362 $self->{num_relays_internal} = 0;
76 102         431 $self->{relays_internal_str} = '';
77              
78 102         355 $self->{relays_external} = [ ];
79 102         598 $self->{num_relays_external} = 0;
80 102         439 $self->{relays_external_str} = '';
81              
82 102         333 $self->{num_relays_unparseable} = 0;
83              
84 102         500 $self->{last_trusted_relay_index} = -1; # last counting from the top,
85 102         343 $self->{last_internal_relay_index} = -1; # first in time
86              
87 102         314 $self->{allow_mailfetch_markers} = 1; # This needs to be set for the
88             # first Received: header
89             # now figure out what relays are trusted...
90 102         743 my $trusted = $permsgstatus->{main}->{conf}->{trusted_networks};
91 102         264 my $internal = $permsgstatus->{main}->{conf}->{internal_networks};
92 102         267 my $msa = $permsgstatus->{main}->{conf}->{msa_networks};
93 102         267 my $did_user_specify_trust = $permsgstatus->{main}->{conf}->{trusted_networks_configured};
94 102         258 my $did_user_specify_internal = $permsgstatus->{main}->{conf}->{internal_networks_configured};
95 102         222 my $in_trusted = 1;
96 102         181 my $in_internal = 1;
97 102         218 my $found_msa = 0;
98              
99 102 100 100     562 unless ($did_user_specify_trust && $did_user_specify_internal) {
100 82 100 100     689 if (!$did_user_specify_trust && !$did_user_specify_internal) {
    100          
101 44         252 dbg('config: trusted_networks are not configured; it is recommended '.
102             'that you configure trusted_networks manually');
103             } elsif (!$did_user_specify_internal) {
104             # use 'trusted' for 'internal'; compatibility with SpamAssassin 2.60
105 36         78 $internal = $trusted;
106 36         201 dbg('config: internal_networks not configured, using trusted_networks '.
107             'configuration for internal_networks; if you really want '.
108             'internal_networks to only contain the required 127/8 add '.
109             "'internal_networks !0/0' to your configuration");
110             } else {
111             # use 'internal' for 'trusted'; I don't know why we let people define
112             # internal without trusted, but we do... and we rely on trusted being set
113 2         4 $trusted = $internal;
114 2         8 dbg('config: trusted_networks not configured, using internal_networks '.
115             'configuration for trusted_networks');
116             }
117             }
118              
119 102         372 my $IP_ADDRESS = IP_ADDRESS;
120 102         351 my $IP_PRIVATE = IP_PRIVATE;
121 102         268 my $LOCALHOST = LOCALHOST;
122              
123 102         875 my @hdrs = $msg->get_header('Received');
124              
125             # Now add the single line headers like X-Originating-IP. (bug 5680)
126             # we convert them into synthetic "Received" headers so we can share
127             # code below.
128 102         265 for my $header (@{$permsgstatus->{main}->{conf}->{originating_ip_headers}})
  102         616  
129             {
130 332         779 my $str = $msg->get_header($header);
131 332 100 66     1405 next unless ($str && $str =~ m/($IP_ADDRESS)/);
132 4         41 push @hdrs, "from X-Originating-IP: $1\n";
133             }
134              
135 102         301 foreach my $line ( @hdrs ) {
136              
137             # qmail-scanner support hack: we may have had one of these set from the
138             # previous (read: more recent) Received header. if so, add it on to this
139             # header's set, since that's the handover it was describing.
140              
141 71         136 my $qms_env_from;
142 71 50       213 if ($self->{qmail_scanner_env_from}) {
143 0         0 $qms_env_from = $self->{qmail_scanner_env_from};
144 0         0 delete $self->{qmail_scanner_env_from};
145             }
146              
147 71         200 $line =~ s/\n[ \t]+/ /gs;
148              
149 71         273 my $relay = $self->parse_received_line ($line);
150 71 50       220 if (!defined $relay) {
151 0         0 dbg("received-header: unparseable: $line");
152 0         0 $self->{num_relays_unparseable}++;
153             }
154              
155             # undefined or 0 means there's no result, so goto the next header
156 71 100       213 unless ($relay) {
157 5 100       25 $self->{last_trusted_relay_index}++ if $in_trusted;
158 5 100       22 $self->{last_internal_relay_index}++ if $in_internal;
159 5         17 next;
160             }
161              
162             # hack for qmail-scanner, as described above; add in the saved
163             # metadata
164 66 50       188 if ($qms_env_from) {
165 0         0 $relay->{envfrom} = $qms_env_from;
166 0         0 $self->make_relay_as_string($relay);
167             }
168              
169             # relay status only changes when we're still in the trusted portion of the
170             # relays and we haven't yet found an MSA
171 66 100 100     352 if ($in_trusted && !$found_msa) {
172 46 100 100     234 unless ($did_user_specify_trust || $did_user_specify_internal) {
173             # OK, infer the trusted/untrusted handover, we don't have real info
174 9         19 my $inferred_as_trusted = 0;
175              
176             # if the 'from' IP addr is in a reserved net range, it's not on
177             # the public internet.
178 9 100       37 if ($relay->{ip_private}) {
179 4         24 dbg("received-header: 'from' ".$relay->{ip}." has private IP");
180 4         6 $inferred_as_trusted = 1;
181             }
182              
183             # if we find authentication tokens in the received header we can extend
184             # the trust boundary to that host
185 9 50       33 if ($relay->{auth}) {
186 0         0 dbg("received-header: authentication method ".$relay->{auth});
187 0         0 $inferred_as_trusted = 1;
188             }
189              
190             # if the user didn't specify any trusted/internal config, everything
191             # we assume as trusted is also internal, just like we'd do if they
192             # specified trusted but not any internal networks or vice versa
193 9 100       31 if (!$inferred_as_trusted) {
194 5         20 dbg("received-header: do not trust any hosts from here on");
195 5         8 $in_trusted = 0;
196 5         11 $in_internal = 0;
197             }
198              
199             } else {
200             # trusted_networks matches?
201 37 100 66     388 if (!$relay->{auth} && !$trusted->contains_ip($relay->{ip})) {
202 7 50       26 if (!$originating) {
203 7         21 $in_trusted = 0; # break the trust chain
204             } else { # caller asserts a msg was submitted from inside or auth'd
205 0         0 $found_msa = 1; # let's assume the previous hop was actually
206             # an MSA, and propagate trust from here on
207             dbg('received-header: originating, '.
208             '%s and remaining relays will be considered trusted%s',
209 0 0       0 $relay->{ip}, !$in_internal ? '' : ', but no longer internal');
210             }
211 7         18 $in_internal = 0; # if it's not trusted it's not internal
212             } else {
213             # internal_networks matches?
214 30 100 33     290 if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) {
      66        
215 6         14 $in_internal = 0;
216             }
217             # msa_networks matches?
218 30 100       142 if ($msa->contains_ip($relay->{ip})) {
219 3 50       30 dbg('received-header: found MSA relay, remaining relays will be'.
    100          
220             ' considered trusted: '.($in_trusted ? 'yes' : 'no').
221             ' internal: '.($in_internal ? 'yes' : 'no'));
222 3         8 $found_msa = 1;
223 3         11 $relay->{msa} = 1;
224             }
225             }
226             }
227             }
228              
229             dbg("received-header: relay ".$relay->{ip}.
230             " trusted? ".($in_trusted ? "yes" : "no").
231             " internal? ".($in_internal ? "yes" : "no").
232 66 100       644 " msa? ".($relay->{msa} ? "yes" : "no"));
    100          
    100          
233              
234 66         169 $relay->{internal} = $in_internal;
235 66   100     367 $relay->{msa} ||= 0;
236              
237             # be sure to mark up the as_string version for users too
238 66         667 $relay->{as_string} =~ s/ intl=\d / intl=$relay->{internal} /;
239 66         479 $relay->{as_string} =~ s/ msa=\d / msa=$relay->{msa} /;
240              
241 66 100       251 if ($in_trusted) {
242 37         85 push (@{$self->{relays_trusted}}, $relay);
  37         112  
243 37         120 $self->{allow_mailfetch_markers} = 1;
244 37         86 $self->{last_trusted_relay_index}++;
245             } else {
246 29         54 push (@{$self->{relays_untrusted}}, $relay);
  29         85  
247 29         61 $self->{allow_mailfetch_markers} = 0;
248             }
249              
250 66 100       178 if ($in_internal) {
251 30         65 push (@{$self->{relays_internal}}, $relay);
  30         88  
252 30         120 $self->{last_internal_relay_index}++;
253             } else {
254 36         62 push (@{$self->{relays_external}}, $relay);
  36         123  
255             }
256             }
257              
258 36         187 $self->{relays_trusted_str} = join(' ', map { $_->{as_string} }
259 102         234 @{$self->{relays_trusted}});
  102         443  
260 29         98 $self->{relays_untrusted_str} = join(' ', map { $_->{as_string} }
261 102         589 @{$self->{relays_untrusted}});
  102         476  
262 29         95 $self->{relays_internal_str} = join(' ', map { $_->{as_string} }
263 102         248 @{$self->{relays_internal}});
  102         627  
264 36         107 $self->{relays_external_str} = join(' ', map { $_->{as_string} }
265 102         235 @{$self->{relays_external}});
  102         383  
266              
267             # OK, we've now split the relay list into trusted and untrusted.
268              
269             # add the stringified representation to the message object, so Bayes
270             # and rules can use it. Note that rule_tests.t does not impl put_metadata,
271             # so protect against that here. These will not appear in the final
272             # message; they're just used internally.
273              
274 102 50       725 if ($self->{msg}->can ("delete_header")) {
275 102         589 $self->{msg}->delete_header ("X-Spam-Relays-Trusted");
276 102         532 $self->{msg}->delete_header ("X-Spam-Relays-Untrusted");
277 102         523 $self->{msg}->delete_header ("X-Spam-Relays-Internal");
278 102         491 $self->{msg}->delete_header ("X-Spam-Relays-External");
279              
280 102 50       703 if ($self->{msg}->can ("put_metadata")) {
281             $self->{msg}->put_metadata ("X-Spam-Relays-Trusted",
282 102         579 $self->{relays_trusted_str});
283             $self->{msg}->put_metadata ("X-Spam-Relays-Untrusted",
284 102         455 $self->{relays_untrusted_str});
285             $self->{msg}->put_metadata ("X-Spam-Relays-Internal",
286 102         424 $self->{relays_internal_str});
287             $self->{msg}->put_metadata ("X-Spam-Relays-External",
288 102         396 $self->{relays_external_str});
289             }
290             }
291              
292             # be helpful; save some cumbersome typing
293 102         321 $self->{num_relays_trusted} = scalar (@{$self->{relays_trusted}});
  102         308  
294 102         204 $self->{num_relays_untrusted} = scalar (@{$self->{relays_untrusted}});
  102         231  
295 102         220 $self->{num_relays_internal} = scalar (@{$self->{relays_internal}});
  102         265  
296 102         184 $self->{num_relays_external} = scalar (@{$self->{relays_external}});
  102         252  
297              
298 102         586 dbg("metadata: X-Spam-Relays-Trusted: ".$self->{relays_trusted_str});
299 102         627 dbg("metadata: X-Spam-Relays-Untrusted: ".$self->{relays_untrusted_str});
300 102         531 dbg("metadata: X-Spam-Relays-Internal: ".$self->{relays_internal_str});
301 102         517 dbg("metadata: X-Spam-Relays-External: ".$self->{relays_external_str});
302             }
303              
304             # ---------------------------------------------------------------------------
305              
306             # returns undef if the header just couldn't be parsed
307             # returns 0 if the header was specifically skipped
308             # returns a hash of information if the header is parsed, including:
309             # ip => $ip,
310             # by => $by,
311             # helo => $helo,
312             # id => $id,
313             # ident => $ident,
314             # envfrom => $envfrom,
315             # lc_by => (lc $by),
316             # lc_helo => (lc $helo),
317             # auth => $auth
318             #
319             sub parse_received_line {
320 216     216 0 49895 my ($self) = shift;
321 216         497 local ($_) = shift;
322 216         1202 local ($1,$2,$3,$4,$5,$6);
323              
324 216         2705 s/\s+/ /g;
325 216         529 s/^ //;
326 216         559 s/ $//;
327              
328             # get rid of invalid semicolon at the end of the header
329 216         666 1 while s/\s?;$//;
330              
331 216         393 my $ip = '';
332 216         323 my $helo = '';
333 216         290 my $rdns = '';
334 216         333 my $by = '';
335 216         319 my $id = '';
336 216         273 my $ident = '';
337 216         343 my $envfrom = '';
338 216         334 my $mta_looked_up_dns = 0;
339 216         278 my $IP_ADDRESS = IP_ADDRESS;
340 216         309 my $IP_PRIVATE = IP_PRIVATE;
341 216         326 my $LOCALHOST = LOCALHOST;
342 216         316 my $auth = '';
343              
344             # ---------------------------------------------------------------------------
345              
346             # We care about lines starting with from. all of the others are ignorable:
347             # Bug 4943: give /^(from/ a chance to be parsed
348             #
349             # (qmail 27981 invoked by uid 225); 14 Mar 2003 07:24:34 -0000
350             # (qmail 84907 invoked from network); 13 Feb 2003 20:59:28 -0000
351             # (ofmipd 208.31.42.38); 17 Mar 2003 04:09:01 -0000
352             # by faerber.muc.de (OpenXP/32 v3.9.4 (Win32) alpha @ 2003-03-07-1751d); 07 Mar 2003 22:10:29 +0000
353             # by x.x.org (bulk_mailer v1.13); Wed, 26 Mar 2003 20:44:41 -0600
354             # by SPIDERMAN with Internet Mail Service (5.5.2653.19) id <19AF8VY2>; Tue, 25 Mar 2003 11:58:27 -0500
355             # by oak.ein.cz (Postfix, from userid 1002) id DABBD1BED3; Thu, 13 Feb 2003 14:02:21 +0100 (CET)
356             # OTM-MIX(otm-mix00) id k5N1aDtp040896; Fri, 23 Jun 2006 10:36:14 +0900 (JST)
357             # at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2) from infodrom.org by finlandia.Infodrom.North.DE via smail from stdin id <m1FglM8-000okjC@finlandia.Infodrom.North.DE> for debian-security-announce@lists.debian.org; Thu, 18 May 2006 18:28:08 +0200 (CEST)
358             # with ECARTIS (v1.0.0; list bind-announce); Fri, 18 Aug 2006 07:19:58 +0000 (UTC)
359             # Received: Message by Barricade wilhelm.eyp.ee with ESMTP id h1I7hGU06122 for <spamassassin-talk@lists.sourceforge.net>; Tue, 18 Feb 2003 09:43:16 +0200
360 216 100       872 return 0 if (!/^\(?from /i);
361              
362             # from www-data by wwwmail.documenta.de (Exim 4.50) with local for <example@vandinter.org> id 1GFbZc-0006QV-L8; Tue, 22 Aug 2006 21:06:04 +0200
363             # from server.yourhostingaccount.com with local for example@vandinter.org id 1GDtdl-0002GU-QE (8710); Thu, 17 Aug 2006 21:59:17 -0400
364 214 50       596 return 0 if /\bwith local for\b/;
365              
366             # Received: from virtual-access.org by bolero.conactive.com ; Thu, 20 Feb 2003 23:32:58 +0100
367             # Received: FROM ca-ex-bridge1.nai.com BY scwsout1.nai.com ; Fri Feb 07 10:18:12 2003 -0800
368             # but not: Received: from [86.122.158.69] by mta2.iomartmail.com; Thu, 2 Aug 2007 21:50:04 -0200
369 214 100 100     968 if (/^from (\S+) by [^\s;]+ ?;/i && $1 !~ /^\[[\d.]+\]$/) { return 0; }
  1         6  
370              
371             # ---------------------------------------------------------------------------
372              
373             # Let's get rid of the date at the end
374             # ; Tue, 23 May 2006 13:06:35 -0400
375 213         2575 s/[\s;]+(?:(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), )?\d+ (?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec) \d+ \d+:\d+(?::\d+)? \S+$//;
376              
377             # from av0001.technodiva.com (localhost [127.0.0.1])by localhost.technodiva.com (Postfix) with ESMTP id 846CF2117for <proftp-user@lists.sourceforge.net>; Mon, 7 Aug 2006 17:48:07 +0200 (MEST)
378 213         544 s/\)by /) by /;
379              
380             # ---------------------------------------------------------------------------
381              
382             # OK -- given knowledge of most Received header formats,
383             # break them down. We have to do something like this, because
384             # some MTAs will swap position of rdns and helo -- so we can't
385             # simply use simplistic regexps.
386              
387             # try to catch unique message identifier
388 213 100       787 if (/ id <?([^\s<>;]{3,})/) {
389 112         300 $id = $1;
390             }
391              
392 213 100       1229 if (/\bhelo=([-A-Za-z0-9\.\^+_&:=?!@%*\$\\\/]+)(?:[^-A-Za-z0-9\.\^+_&:=?!@%*\$\\\/]|$)/) {
    100          
393 9         22 $helo = $1;
394             }
395             elsif (/\b(?:HELO|EHLO) ([-A-Za-z0-9\.\^+_&:=?!@%*\$\\\/]+)(?:[^-A-Za-z0-9\.\^+_&:=?!@%*\$\\\/]|$)/) {
396 17         41 $helo = $1;
397             }
398 213 100       778 if (/ by (\S+)(?:[^-A-Za-z0-9\;\.]|$)/) { $by = $1; }
  207         502  
399              
400             # ---------------------------------------------------------------------------
401              
402             # try to catch authenticated message identifier
403             #
404             # with ESMTPA, ESMTPSA, LMTPA, LMTPSA should cover RFC 3848 compliant MTAs,
405             # UTF8SMTPA and UTF8LMTPA are covered by RFC 4954 and RFC 6531,
406             # with ASMTP (Authenticated SMTP) is used by Earthlink, Exim 4.34, and others
407             # with HTTP should only be authenticated webmail sessions
408             # with HTTPU is used by Communigate Pro with Pronto! webmail interface
409             # with HTTPS is used by Horde adjusts the Received header to say "HTTPS" when
410             # a connection is made over HTTPS
411             # IANA registry: http://www.iana.org/assignments/mail-parameters/mail-parameters.xhtml
412 213 100 100     6693 if (/ by / && / with ((?:ES|L|UTF8S|UTF8L)MTPS?A|ASMTP|HTTP[SU]?)(?: |;|$)/i) {
    50 33        
    100 100        
    100 66        
    100 66        
    100 100        
    100          
    50          
    50          
    100          
413 14         32 $auth = $1;
414             }
415             # GMail should use ESMTPSA to indicate that it is in fact authenticated,
416             # but doesn't.
417             elsif (/ by mx\.google\.com with ESMTPS id [a-z0-9]{1,4}sm[0-9]{2,9}[a-z]{3}\.[0-9]{1,3}\.[0-9]{4}\.(?:[0-6][0-9]\.){4}[0-6][0-9]/ && /\(version=([^ ]+) cipher=([^\)]+)\)/ ) {
418 0         0 $auth = 'GMail - transport=' . $1 . ' cipher=' . $2;
419             }
420             # Courier v0.47 and possibly others
421             elsif (/^from .*?(?:\]\)|\)\]) \(AUTH: (LOGIN|PLAIN|DIGEST-MD5|CRAM-MD5) \S+(?:, .*?)?\) by /) {
422 4         10 $auth = $1;
423             }
424             # Sendmail, MDaemon, some webmail servers, and others
425             elsif (/authenticated/ && /^from .*?(?:\](?: \([^)]*\))?\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
426 6         15 $auth = 'Sendmail';
427             }
428             # workaround for GMX, which authenticates users but does not indicate it properly - # SMTP version
429             elsif (/from \S* \((?:HELO|EHLO) (\S*)\) \[(${IP_ADDRESS})\] by (mail\.gmx\.(?:net|com)) \([^\)]+\) with ((?:ESMTP|SMTP))/) {
430 1         7 $auth = "GMX ($4 / $3)";
431             }
432             # Critical Path Messaging Server
433             elsif (/ \(authenticated as /&&/\) by .+ \(\d{1,2}\.\d\.\d{3}(?:\.\d{1,3})?\) \(authenticated as .+\) id /) {
434 3         10 $auth = 'CriticalPath';
435             }
436             # Postfix 2.3 and later with "smtpd_sasl_authenticated_header yes"
437             elsif (/\) \(Authenticated sender: \S+\) by \S+ \(Postfix\) with /) {
438 1         4 $auth = 'Postfix';
439             }
440             # Communigate Pro - Bug 6495 adds HTTP as possible transmission method
441             # Bug 7277: XIMSS used by Pronto and other custom apps, IMAP supports XMIT extension
442             elsif (/CommuniGate Pro (HTTP|SMTP|XIMSS|IMAP)/ && / \(account /) {
443 0         0 $auth = 'Communigate';
444             }
445             # Microsoft Exchange (complete with syntax error)
446             elsif (/ with Microsoft Exchange Server HTTP-DAV\b/) {
447 0         0 $auth = 'HTTP-DAV';
448             }
449             # froufrou mailers like United Internet use a '(via HTTP)' comment, Bug 7101
450             elsif (/ by / && / \(via (HTTP.?)\)(?: |;|$)/i) {
451 1         4 $auth = $1;
452             }
453              
454             # ---------------------------------------------------------------------------
455              
456 213 100       1040 if (s/^from //) {
    100          
    50          
457             # try to catch enveloper senders
458 206 100       1857 if (/(?:return-path:? |envelope-(?:sender|from)[ =])(\S+)\b/i) {
459 6         18 $envfrom = $1;
460             }
461              
462             # from 142.169.110.122 (SquirrelMail authenticated user synapse) by
463             # mail.nomis80.org with HTTP; Sat, 3 Apr 2004 10:33:43 -0500 (EST)
464             # Expanded to NaSMail Bug 6783
465 206 100       589 if (/ \((?:SquirrelMail|NaSMail) authenticated user /) {
466             #REVERTING bug 3236 and implementing re: bug 6549
467 3 50       362 if (/(${IP_ADDRESS})\b(?![.-]).{10,80}by (\S+) with HTTP/) {
468 3         11 $ip = $1; $by = $2; goto enough;
  3         7  
  3         193  
469             }
470             }
471              
472             # AOL WebMail headers
473 203 50 66     1505 if (/aol\.com/ && /with HTTP \(WebMailUI\)/) {
474             # Received: from 82.135.198.129 by FWM-M18.sysops.aol.com (64.12.168.82) with HTTP (WebMailUI); Tue, 19 Jun 2007 11:16:54 -0400
475 0 0       0 if(/(${IP_ADDRESS}) by (\S+) \(${IP_ADDRESS}\) with HTTP \(WebMailUI\)/) {
476 0         0 $ip = $1; $by = $2; goto enough;
  0         0  
  0         0  
477             }
478             }
479              
480             # catch MS-ish headers here
481 203 100       1765 if (/ SMTPSVC/) {
    100          
    100          
    100          
    100          
    100          
    50          
482             # MS servers using this fmt do not lookup the rDNS.
483             # Received: from inet-vrs-05.redmond.corp.microsoft.com ([157.54.6.157])
484             # by INET-IMC-05.redmond.corp.microsoft.com with Microsoft
485             # SMTPSVC(5.0.2195.6624); Thu, 6 Mar 2003 12:02:35 -0800
486             # Received: from 0 ([61.31.135.91]) by bass.bass.com.eg with Microsoft
487             # SMTPSVC(5.0.2195.6713); Tue, 21 Sep 2004 08:59:06 +0300
488             # Received: from 0 ([61.31.138.57] RDNS failed) by nccdi.com with
489             # Microsoft SMTPSVC(6.0.3790.0); Thu, 23 Sep 2004 08:51:06 -0700
490             # Received: from tthompson ([217.35.105.172] unverified) by
491             # mail.neosinteractive.com with Microsoft SMTPSVC(5.0.2195.5329);
492             # Tue, 11 Mar 2003 13:23:01 +0000
493             # Received: from ([172.16.1.78]) by email2.codeworksonline.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Sep 2006 21:14:29 -0400
494 7 100       577 if (/^(\S*) \(\[(${IP_ADDRESS})\][^\)]{0,40}\) by (\S+) with Microsoft SMTPSVC/) {
495 5         19 $helo = $1; $ip = $2; $by = $3; goto enough;
  5         11  
  5         8  
  5         306  
496             }
497              
498             # Received: from mail pickup service by mail1.insuranceiq.com with
499             # Microsoft SMTPSVC; Thu, 13 Feb 2003 19:05:39 -0500
500 2 100       13 if (/^mail pickup service by (\S+) with Microsoft SMTPSVC$/) {
501 1         8 return 0;
502             }
503             }
504              
505             elsif (/\[XMail /) { # bug 3791, bug 4053
506             # Received: from list.brainbuzz.com (63.146.189.86:23198) by mx1.yourtech.net with [XMail 1.20 ESMTP Server] id <S72E> for <jason@ellingson.org.spamassassin.org> from <bounce-cscommunity-11965901@list.cramsession.com.spamassassin.org>; Sat, 18 Sep 2004 23:17:54 -0500
507             # Received: from list.brainbuzz.com (63.146.189.86:23198) by mx1.yourtech.net (209.32.147.34:25) with [XMail 1.20 ESMTP Server] id <S72E> for <jason@ellingson.org.spamassassin.org> from <bounce-cscommunity-11965901@list.cramsession.com.spamassassin.org>; Sat, 18 Sep 2004 23:17:54 -0500
508 2 50       261 if (/^(\S+) \((\[?${IP_ADDRESS}\]?)(?::\d+)\) by (\S+)(?: \(\S+\))? with \[XMail/)
509             {
510 2         6 $helo = $1; $ip = $2; $by = $3;
  2         5  
  2         3  
511 2 50       12 / id <(\S+)>/ and $id = $1;
512 2 50       11 / from <(\S+)>/ and $envfrom = $1;
513 2         144 goto enough;
514             }
515             }
516              
517             # from ([10.225.209.19:33672]) by ecelerity-va-1 (ecelerity HEAD) with SMTP id EE/20-30863-33CE1054; Fri, 08 Sep 2006 18:18:27 -0400
518             # from ([127.0.0.1:32923]) by bm1-21.ed10.com (ecelerity 2.1.1ea r(11031M)) with ECSTREAM id 8B/57-16227-3764EB44 for <example@vandinter.org>; Wed, 19 Jul 2006 10:49:23 -0400
519             # from ([192.168.1.151:49601] helo=dev1.democracyinaction.org) by m12.prod.democracyinaction.com (ecelerity 2.1.1.3 r(11743)) with ESMTP id 52/92-02454-89FBA054 for <example@vandinter.org>; Fri, 15 Sep 2006 10:58:32 -0400
520             elsif (/\(ecelerity\b/) {
521 3 100       250 if (/^\(\[(${IP_ADDRESS}):\d+\] helo=(\S+)\) by (\S+) /) {
522 2         7 $ip = $1; $helo = $2; $by = $3;
  2         6  
  2         3  
523 2         128 goto enough;
524             }
525              
526 1 50       247 if (/^\S+ \(\[(${IP_ADDRESS}):\d+\]\) by (\S+) /) {
527 1         5 $ip = $1; $by = $2;
  1         3  
528 1         65 goto enough;
529             }
530             }
531              
532             elsif (/Exim/) {
533             # one of the HUGE number of Exim formats :(
534             # This must be scriptable. (update: it is. cf bug 3950, 3582)
535             # mss 2004-09-27: See <http://www.exim.org/exim-html-4.40/doc/html/spec_14.html#IX1315>
536              
537             # from root (helo=candygram.thunk.org) by thunker.thunk.org with local-esmtps (tls_cipher TLS-1.0:RSA_AES_256_CBC_SHA:32) (Exim 4.50 #1 (Debian)) id 1FwHqR-0008Bw-OG; Fri, 30 Jun 2006 08:11:35 -0400
538             # from root (helo=localhost) by broadcast.iac.iafrica.com with local-bsmtp (Exim 4.30; FreeBSD) id 1GN22d-0000xp-2K for example@vandinter.org; Tue, 12 Sep 2006 08:46:43 +0200
539             # from smarter (helo=localhost) by mx1-out.lists.smarterliving.com with local-bsmtp (Exim 4.24) id 1GIRA2-0007IZ-4n for example@vandinter.org; Wed, 30 Aug 2006 10:35:22 -0400
540             # Received: from andrew by trinity.supernews.net with local (Exim 4.12) id 18xeL6-000Dn1-00; Tue, 25 Mar 2003 02:39:00 +0000
541 11 50       33 if (/\bwith local(?:-\S+)? /) { return 0; }
  0         0  
542              
543             # Received: from [61.174.163.26] (helo=host) by sc8-sf-list1.sourceforge.net with smtp (Exim 3.31-VA-mm2 #1 (Debian)) id 18t2z0-0001NX-00 for <razor-users@lists.sourceforge.net>; Wed, 12 Mar 2003 01:57:10 -0800
544             # Received: from [218.19.142.229] (helo=hotmail.com ident=yiuhyotp) by yzordderrex with smtp (Exim 3.35 #1 (Debian)) id 194BE5-0005Zh-00; Sat, 12 Apr 2003 03:58:53 +0100
545 11 100       314 if (/^\[(${IP_ADDRESS})\] \((.*?)\) by (\S+) /) {
546 1         4 $ip = $1; my $sub = $2; $by = $3;
  1         3  
  1         2  
547 1 50       4 $sub =~ s/helo=(\S+)// and $helo = $1;
548 1 50       4 $sub =~ s/ident=(\S*)// and $ident = $1;
549 1         68 goto enough;
550             }
551              
552             # Received: from sc8-sf-list1-b.sourceforge.net ([10.3.1.13] helo=sc8-sf-list1.sourceforge.net) by sc8-sf-list2.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian)) id 18t301-0007Bh-00; Wed, 12 Mar 2003 01:58:13 -0800
553             # Received: from dsl092-072-213.bos1.dsl.speakeasy.net ([66.92.72.213] helo=blazing.arsecandle.org) by sc8-sf-list1.sourceforge.net with esmtp (Cipher TLSv1:DES-CBC3-SHA:168) (Exim 3.31-VA-mm2 #1 (Debian)) id 18lyuU-0007TI-00 for <SpamAssassin-talk@lists.sourceforge.net>; Thu, 20 Feb 2003 14:11:18 -0800
554             # Received: from eclectic.kluge.net ([66.92.69.221] ident=[W9VcNxE2vKxgWHD05PJbLzIHSxcmZQ/O]) by sc8-sf-list1.sourceforge.net with esmtp (Cipher TLSv1:DES-CBC3-SHA:168) (Exim 3.31-VA-mm2 #1 (Debian)) id 18m0hT-00031I-00 for <spamassassin-talk@lists.sourceforge.net>; Thu, 20 Feb 2003 16:06:00 -0800
555             # Received: from mail.ssccbelen.edu.pe ([216.244.149.154]) by yzordderrex
556             # with esmtp (Exim 3.35 #1 (Debian)) id 18tqiz-000702-00 for
557             # <jm@example.com>; Fri, 14 Mar 2003 15:03:57 +0000
558             # Received: from server040.webpack.hosteurope.de ([80.237.130.48]:52313)
559             # by vps832469583.serverpool.info with esmtps
560             # (TLS-1.0:DHE_RSA_3DES_EDE_CBC_SHA:24) (Exim 4.50) id 1GzVLs-0002Oz-7b...
561 10 100       313 if (/^(\S+) \(\[(${IP_ADDRESS})\](.*?)\) by (\S+) /) {
562 7         19 $rdns=$1; $ip = $2; my $sub = $3; $by = $4;
  7         12  
  7         13  
  7         13  
563 7         11 $helo=$rdns; # default, apparently: bug 5112
564 7 100       30 $sub =~ s/helo=(\S+)// and $helo = $1;
565 7 50       17 $sub =~ s/ident=(\S*)// and $ident = $1;
566 7         445 goto enough;
567             }
568              
569             # Received: from boggle.ihug.co.nz [203.109.252.209] by grunt6.ihug.co.nz
570             # with esmtp (Exim 3.35 #1 (Debian)) id 18SWRe-0006X6-00; Sun, 29 Dec
571             # 2002 18:57:06 +1300
572 3 50       232 if (/^(\S+) \[(${IP_ADDRESS})\](:\d+)? by (\S+) /) {
573 0         0 $rdns= $1; $ip = $2; $helo = $1; $by = $4; goto enough;
  0         0  
  0         0  
  0         0  
  0         0  
574             }
575              
576             # attempt to deal with other odd Exim formats; just match little bits
577             # of the header.
578             # Received: from helene8.i.pinwand.net (helene.cats.ms) [10.0.8.6.13219]
579             # (mail) by lisbeth.i.pinwand.net with esmtp (Exim 3.35 #1 (Debian)) id
580             # 1CO5y7-0001vC-00; Sun, 31 Oct 2004 04:01:23 +0100
581 3 50       15 if (/^(\S+) /) {
582 3         10 $rdns= $1; # assume this is the rDNS, not HELO. is this appropriate?
583             }
584 3 100       13 if (/ \((\S+)\) /) {
585 2         4 $helo = $1;
586             }
587 3 100       225 if (/ \[(${IP_ADDRESS})(?:\.\d+)?\] /) {
588 1         3 $ip = $1;
589             }
590 3 50       21 if (/by (\S+) /) {
591 3         8 $by = $1;
592             # now, if we have a "by" and an IP, that's enough for most uses;
593             # we have to make do with that.
594 3 100       8 if ($ip) { goto enough; }
  1         64  
595             }
596              
597             # else it's probably forged. fall through
598             }
599              
600             elsif (/ \(Postfix\) with/) {
601             # Received: from localhost (unknown [127.0.0.1])
602             # by cabbage.jmason.org (Postfix) with ESMTP id A96E18BD97
603             # for <jm@localhost>; Thu, 13 Mar 2003 15:23:15 -0500 (EST)
604 20 100       1222 if ( /^(\S+) \((\S+) \[(${IP_ADDRESS})\]\) by (\S+) / ) {
605 17         43 $mta_looked_up_dns = 1;
606 17         51 $helo = $1; $rdns = $2; $ip = $3; $by = $4;
  17         37  
  17         42  
  17         68  
607 17 100       73 if ($rdns eq 'unknown') { $rdns = ''; }
  4         7  
608 17         1944 goto enough;
609             }
610              
611             # Received: from 207.8.214.3 (unknown[211.94.164.65])
612             # by puzzle.pobox.com (Postfix) with SMTP id 9029AFB732;
613             # Sat, 8 Nov 2003 17:57:46 -0500 (EST)
614             # (Pobox.com version: reported in bug 2745)
615 3 50       279 if ( /^(\S+) \((\S+)\[(${IP_ADDRESS})\]\) by (\S+) / ) {
616 0         0 $mta_looked_up_dns = 1;
617 0         0 $helo = $1; $rdns = $2; $ip = $3; $by = $4;
  0         0  
  0         0  
  0         0  
618 0 0       0 if ($rdns eq 'unknown') { $rdns = ''; }
  0         0  
619 0         0 goto enough;
620             }
621             }
622              
623             elsif (/\(Scalix SMTP Relay/) {
624             # from DPLAPTOP ( 72.242.176.162) by mail.puryear-it.com (Scalix SMTP Relay 10.0.1.3) via ESMTP; Fri, 23 Jun 2006 16:39:47 -0500 (CDT)
625 1 50       242 if (/^(\S+) \( ?(${IP_ADDRESS})\) by (\S+)/) {
626 1         4 $helo = $1; $ip = $2; $by = $3; goto enough;
  1         3  
  1         2  
  1         71  
627             }
628             }
629              
630             elsif (/ \(Lotus Domino /) {
631             # it seems Domino never records the rDNS: bug 5926
632 0 0       0 if (/^(\S+) \(\[(${IP_ADDRESS})\]\) by (\S+) \(Lotus/) {
633 0         0 $mta_looked_up_dns = 0;
634 0         0 $helo = $1; $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
635             }
636             }
637              
638             # Received: from 217.137.58.28 ([217.137.58.28])
639             # by webmail.ukonline.net (IMP) with HTTP
640             # for <anarchyintheuk@localhost>; Sun, 11 Apr 2004 00:31:07 +0100
641 165 50 66     1029 if (/\bwith HTTP\b/ && # more efficient split up this way
642             /^(${IP_ADDRESS}) \(\[${IP_ADDRESS}\]\) by (\S+)/)
643             {
644             # some smarty-pants decided to fake a numeric HELO for HTTP
645             # no rDNS for this format?
646 0         0 $ip = $1; $by = $2; goto enough;
  0         0  
  0         0  
647             }
648              
649             # MiB: 2003/11/29 Some qmail-ldap headers may be misinterpreted as sendmail-headers
650             # resulting in a messed-up interpretation. We have to skip sendmail tests
651             # if we find evidence that this is a qmail-ldap header.
652             #
653 165 100       433 unless (/ by \S+ \(qmail-\S+\) with /) {
654             #
655             # sendmail:
656             # Received: from mail1.insuranceiq.com (host66.insuranceiq.com [65.217.159.66] (may be forged)) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id h2F0c2x31856 for <jm@jmason.org>; Sat, 15 Mar 2003 00:38:03 GMT
657             # Received: from BAY0-HMR08.adinternal.hotmail.com (bay0-hmr08.bay0.hotmail.com [65.54.241.207]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id h2DBpvs24047 for <webmaster@efi.ie>; Thu, 13 Mar 2003 11:51:57 GMT
658             # Received: from ran-out.mx.develooper.com (IDENT:qmailr@one.develooper.com [64.81.84.115]) by dogma.slashnull.org (8.11.6/8.11.6) with SMTP id h381Vvf19860 for <jm-cpan@jmason.org>; Tue, 8 Apr 2003 02:31:57 +0100
659             # from rev.net (natpool62.rev.net [63.148.93.62] (may be forged)) (authenticated) by mail.rev.net (8.11.4/8.11.4) with ESMTP id h0KKa7d32306 for <spamassassin-talk@lists.sourceforge.net>
660             #
661 164 100       2815 if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\].*\) by (\S+) \(/) {
662 27         59 $mta_looked_up_dns = 1;
663 27         72 $helo = $1; $rdns = $2; $ip = $3; $by = $4;
  27         53  
  27         46  
  27         48  
664 27 50       73 $rdns =~ s/^IDENT:([^\@]*)\@// and $ident = $1; # remove IDENT lookups
665 27 50       72 $rdns =~ s/^([^\@]*)\@// and $ident = $1; # remove IDENT lookups
666 27         1808 goto enough;
667             }
668             }
669              
670             # ---------------------------------------------------------------------------
671              
672             ## OK, AT THIS POINT FORMATS GET A BIT NON-STANDARD
673              
674             # Received: from ns.elcanto.co.kr (66.161.246.58 [66.161.246.58]) by
675             # mail.ssccbelen.edu.pe with SMTP (Microsoft Exchange Internet Mail Service
676             # Version 5.5.1960.3) id G69TW478; Thu, 13 Mar 2003 14:01:10 -0500
677 138 100       2082 if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\) by (\S+) with \S+ \(/) {
678 2         7 $mta_looked_up_dns = 1;
679 2         6 $rdns = $2; $ip = $3; $helo = $1; $by = $4; goto enough;
  2         4  
  2         10  
  2         4  
  2         121  
680             }
681              
682             # from mail2.detr.gsi.gov.uk ([51.64.35.18] helo=ahvfw.dtlr.gsi.gov.uk) by mail4.gsi.gov.uk with smtp id 190K1R-0000me-00 for spamassassin-talk-admin@lists.sourceforge.net; Tue, 01 Apr 2003 12:33:46 +0100
683 136 50       1489 if (/^(\S+) \(\[(${IP_ADDRESS})\] helo=(\S+)\) by (\S+) with /) {
684 0         0 $rdns = $1; $ip = $2; $helo = $3; $by = $4;
  0         0  
  0         0  
  0         0  
685 0         0 goto enough;
686             }
687              
688             # from 12-211-5-69.client.attbi.com (<unknown.domain>[12.211.5.69]) by rwcrmhc53.attbi.com (rwcrmhc53) with SMTP id <2002112823351305300akl1ue>; Thu, 28 Nov 2002 23:35:13 +0000
689 136 50       1543 if (/^(\S+) \(<unknown\S*>\[(${IP_ADDRESS})\]\) by (\S+) /) {
690 0         0 $helo = $1; $ip = $2; $by = $3;
  0         0  
  0         0  
691 0         0 goto enough;
692             }
693              
694             # from attbi.com (h000502e08144.ne.client2.attbi.com[24.128.27.103]) by rwcrmhc53.attbi.com (rwcrmhc53) with SMTP id <20030222193438053008f7tee>; Sat, 22 Feb 2003 19:34:39 +0000
695 136 50       1589 if (/^(\S+) \((\S+\.\S+)\[(${IP_ADDRESS})\]\) by (\S+) /) {
696 0         0 $mta_looked_up_dns = 1;
697 0         0 $helo = $1; $rdns = $2; $ip = $3; $by = $4;
  0         0  
  0         0  
  0         0  
698 0         0 goto enough;
699             }
700              
701              
702             # Received: from 4wtgRl (kgbxn@[211.244.147.115]) by dogma.slashnull.org (8.11.6/8.11.6) with SMTP id h8BBsUJ18848; Thu, 11 Sep 2003 12:54:31 +0100
703 136 50       1675 if (/^(\S+) \((\S*)\@\[(${IP_ADDRESS})\].*\) by (\S+) \(/) {
704 0         0 $mta_looked_up_dns = 1; # this one does. there just wasn't one
705 0         0 $helo = $1; $ip = $3; $by = $4;
  0         0  
  0         0  
706 0         0 $ident = $2;
707 0         0 goto enough;
708             }
709              
710             # Received: from 213.123.174.21 by lw11fd.law11.hotmail.msn.com with HTTP;
711             # Wed, 24 Jul 2002 16:36:44 GMT
712 136 100       423 if (/by (\S+\.hotmail\.msn\.com) /) {
713 1         5 $by = $1;
714 1 50       5 /^(\S+) / and $ip = $1;
715 1         76 goto enough;
716             }
717              
718             # Received: from x71-x56-x24-5.webspeed.dk (HELO niels) (69.96.3.15) by la.mx.develooper.com (qpsmtpd/0.27-dev) with SMTP; Fri, 02 Jan 2004 19:26:52 -0800
719             # Received: from sc8-sf-sshgate.sourceforge.net (HELO sc8-sf-netmisc.sourceforge.net) (66.35.250.220) by la.mx.develooper.com (qpsmtpd/0.27-dev) with ESMTP; Fri, 02 Jan 2004 14:44:41 -0800
720             # Received: from mx10.topofferz.net (HELO ) (69.6.60.10) by blazing.arsecandle.org with SMTP; 3 Mar 2004 20:34:38 -0000
721 135 50       1526 if (/^(\S+) \((?:HELO|EHLO) (\S*)\) \((${IP_ADDRESS})\) by (\S+) \(qpsmtpd\/\S+\) with (?:ESMTP|SMTP)/) {
722 0         0 $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough;
  0         0  
  0         0  
  0         0  
  0         0  
723             }
724              
725             # Received: from mail-backend.DDDD.com (LHLO mail-backend.DDDD.com) (10.2.2.20) by mail-backend.DDDD.com with LMTP; Thu, 18 Jun 2015 16:50:56 -0700 (PDT)
726 135 100       1528 if (/^(\S+) \(LHLO (\S*)\) \((${IP_ADDRESS})\) by (\S+) with LMTP/) {
727 1         4 $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough;
  1         3  
  1         2  
  1         3  
  1         65  
728             }
729              
730             # from dslb-082-083-045-064.pools.arcor-ip.net (EHLO homepc) [82.83.45.64] by mail.gmx.net (mp010) with SMTP; 03 Feb 2007 13:13:47 +0100
731 134 100       1563 if (/^(\S+) \((?:HELO|EHLO) (\S*)\) \[(${IP_ADDRESS})\] by (\S+) \([^\)]+\) with (?:ESMTP|SMTP)/) {
732 1         6 $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough;
  1         2  
  1         3  
  1         2  
  1         67  
733             }
734              
735             # MiB (Michel Bouissou, 2003/11/16)
736             # Moved some tests up because they might match on qmail tests, where this
737             # is not qmail
738             #
739             # Received: from imo-m01.mx.aol.com ([64.12.136.4]) by eagle.glenraven.com
740             # via smtpd (for [198.85.87.98]) with SMTP; Wed, 08 Oct 2003 16:25:37 -0400
741 133 50       1507 if (/^(\S+) \(\[(${IP_ADDRESS})\]\) by (\S+) via smtpd \(for \S+\) with SMTP\(/) {
742 0         0 $helo = $1; $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
743             }
744              
745             # Try to match most of various qmail possibilities
746             #
747             # General format:
748             # Received: from postfix3-2.free.fr (HELO machine.domain.com) (foobar@213.228.0.169) by totor.bouissou.net with SMTP; 14 Nov 2003 08:05:50 -0000
749             #
750             # "from (remote.rDNS|unknown)" is always there
751             # "(HELO machine.domain.com)" is there only if HELO differs from remote rDNS.
752             # HELO may be "" -- ie no string. "HELO" may also be "EHLO". HELO string
753             # may be an IP in fmt [1.2.3.4] -- do not strip [ and ], they are important.
754             # "foobar@" is remote IDENT info, specified only if ident given by remote
755             # Remote IP always appears between (parentheses), with or without IDENT@
756             # "by local.system.domain.com" always appears
757             #
758             # Protocol can be different from "SMTP", i.e. "RC4-SHA encrypted SMTP" or "QMQP"
759             # qmail's reported protocol shouldn't be "ESMTP", so by allowing only "with (.* )(SMTP|QMQP)"
760             # we should avoid matching on some sendmailish Received: lines that reports remote IP
761             # between ([218.0.185.24]) like qmail-ldap does, but use "with ESMTP".
762             #
763             # Normally, qmail-smtpd remote IP isn't between square brackets [], but some versions of
764             # qmail-ldap seem to add square brackets around remote IP. These versions of qmail-ldap
765             # use a longer format that also states the (envelope-sender <sender@domain>) and the
766             # qmail-ldap version. Example:
767             # Received: from unknown (HELO terpsichore.farfalle.com) (jdavid@[216.254.40.70]) (envelope-sender <jdavid@farfalle.com>) by mail13.speakeasy.net (qmail-ldap-1.03) with SMTP for <jm@jmason.org>; 12 Feb 2003 18:23:19 -0000
768             #
769             # Some others of the numerous qmail patches out there can also add variants of their own
770             #
771             # Received: from 211.245.85.228 (EHLO ) (211.245.85.228) by mta232.mail.scd.yahoo.com with SMTP; Sun, 25 Jan 2004 00:24:37 -0800
772             #
773             # bug 4813: make sure that the line doesn't have " id " after the
774             # protocol since that's a sendmail line and not qmail ...
775 133 100       2508 if (/^\S+( \((?:HELO|EHLO) \S*\))? \((\S+\@)?\[?${IP_ADDRESS}\]?\)( \(envelope-sender <\S+>\))? by \S+( \(.+\))* with (.* )?(SMTP|QMQP)(?! id )/ ) {
776 54 100       4031 if (/^(\S+) \((?:HELO|EHLO) ([^ \(\)]*)\) \((\S*)\@\[?(${IP_ADDRESS})\]?\)( \(envelope-sender <\S+>\))? by (\S+)/) {
    100          
    100          
    50          
777 4         12 $rdns = $1; $helo = $2; $ident = $3; $ip = $4; $by = $6;
  4         9  
  4         9  
  4         8  
  4         6  
778             }
779             elsif (/^(\S+) \((?:HELO|EHLO) ([^ \(\)]*)\) \(\[?(${IP_ADDRESS})\]?\)( \(envelope-sender <\S+>\))? by (\S+)/) {
780 7         24 $rdns = $1; $helo = $2; $ip = $3; $by = $5;
  7         16  
  7         12  
  7         14  
781             }
782             elsif (/^(\S+) \((\S*)\@\[?(${IP_ADDRESS})\]?\)( \(envelope-sender <\S+>\))? by (\S+)/) {
783             # note: absence of HELO means that it matched rDNS in qmail-land
784 4         15 $helo = $rdns = $1; $ident = $2; $ip = $3; $by = $5;
  4         7  
  4         10  
  4         10  
785             }
786             elsif (/^(\S+) \(\[?(${IP_ADDRESS})\]?\)( \(envelope-sender <\S+>\))? by (\S+)/) {
787 39         186 $helo = $rdns = $1; $ip = $2; $by = $4;
  39         128  
  39         93  
788             }
789             # qmail doesn't perform rDNS requests by itself, but is usually called
790             # by tcpserver or a similar daemon that passes rDNS information to qmail-smtpd.
791             # If qmail puts something else than "unknown" in the rDNS field, it means that
792             # it received this information from the daemon that called it. If qmail-smtpd
793             # writes "Received: from unknown", it means that either the remote has no
794             # rDNS, or qmail was called by a daemon that didn't gave the rDNS information.
795 54 100       179 if ($rdns ne "unknown") {
796 49         73 $mta_looked_up_dns = 1;
797             } else {
798 5         7 $rdns = '';
799             }
800 54         6916 goto enough;
801              
802             }
803             # /MiB
804            
805             # Received: from [193.220.176.134] by web40310.mail.yahoo.com via HTTP;
806             # Wed, 12 Feb 2003 14:22:21 PST
807 79 50 33     260 if (/ via HTTP$/&&/^\[(${IP_ADDRESS})\] by (\S+) via HTTP$/) {
808 0         0 $ip = $1; $by = $2; goto enough;
  0         0  
  0         0  
809             }
810              
811             # Received: from 192.168.5.158 ( [192.168.5.158]) as user jason@localhost by mail.reusch.net with HTTP; Mon, 8 Jul 2002 23:24:56 -0400
812 79 50       1031 if (/^(\S+) \( \[(${IP_ADDRESS})\]\).*? by (\S+) /) {
813             # TODO: is $1 helo?
814 0         0 $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
815             }
816              
817             # Received: from (64.52.135.194 [64.52.135.194]) by mail.unearthed.com with ESMTP id BQB0hUH2 Thu, 20 Feb 2003 16:13:20 -0700 (PST)
818 79 50       1101 if (/^\((\S+) \[(${IP_ADDRESS})\]\) by (\S+) /) {
819 0         0 $helo = $1; $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
820             }
821              
822             # Received: from [65.167.180.251] by relent.cedata.com (MessageWall 1.1.0) with SMTP; 20 Feb 2003 23:57:15 -0000
823 79 100       1067 if (/^\[(${IP_ADDRESS})\] by (\S+) /) {
824 1         4 $ip = $1; $by = $2; goto enough;
  1         3  
  1         64  
825             }
826              
827             # from ([172.16.1.78]) by email2.codeworksonline.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Sep 2006 21:14:29 -0400
828             # from (130.215.36.186) by mcafee.wpi.edu via smtp id 021b_7e19a55a_ea7e_11da_83a9_00304811e63a; Tue, 23 May 2006 13:06:35 -0400
829             # from ([172.21.2.10]) by out-relay4.mtahq.org with ESMTP id 4420961.8281; Tue, 22 Aug 2006 17:53:08 -0400
830 78 100       1068 if (/^\(\[?(${IP_ADDRESS})\]?\) by (\S+) /) {
831 4         15 $ip = $1; $by = $2; goto enough;
  4         9  
  4         275  
832             }
833              
834             # Received: from acecomms [202.83.84.95] by mailscan.acenet.net.au [202.83.84.27] with SMTP (MDaemon.PRO.v5.0.6.R) for <spamassassin-talk@lists.sourceforge.net>; Fri, 21 Feb 2003 09:32:27 +1000
835 74 50       1066 if (/^(\S+) \[(${IP_ADDRESS})\] by (\S+) \[(\S+)\] with /) {
836 0         0 $mta_looked_up_dns = 1;
837 0         0 $helo = $1; $ip = $2;
  0         0  
838 0         0 $by = $4; # use the IP addr for "by", more useful?
839 0         0 goto enough;
840             }
841              
842             # Received: from mail.sxptt.zj.cn ([218.0.185.24]) by dogma.slashnull.org
843             # (8.11.6/8.11.6) with ESMTP id h2FH0Zx11330 for <webmaster@efi.ie>;
844             # Sat, 15 Mar 2003 17:00:41 GMT
845 74 100       1401 if (/^(\S+) \(\[(${IP_ADDRESS})\]\) by (\S+) \(/) { # sendmail
846 4         11 $mta_looked_up_dns = 1;
847 4         9 $helo = $1; $ip = $2; $by = $3; goto enough;
  4         10  
  4         9  
  4         244  
848             }
849              
850             # Received: from umr-mail7.umr.edu (umr-mail7.umr.edu [131.151.1.64]) via ESMTP by mrelay1.cc.umr.edu (8.12.1/) id h06GHYLZ022481; Mon, 6 Jan 2003 10:17:34 -0600
851             # Received: from Agni (localhost [::ffff:127.0.0.1]) (TLS: TLSv1/SSLv3, 168bits,DES-CBC3-SHA) by agni.forevermore.net with esmtp; Mon, 28 Oct 2002 14:48:52 -0800
852             # Received: from gandalf ([4.37.75.131]) (authenticated bits=0) by herald.cc.purdue.edu (8.12.5/8.12.5/herald) with ESMTP id g9JLefrm028228 for <spamassassin-talk@lists.sourceforge.net>; Sat, 19 Oct 2002 16:40:41 -0500 (EST)
853             # Received: from bushinternet.com (softdnserr [::ffff:61.99.99.67]) by mail.cs.helsinki.fi with esmtp; Fri, 22 Aug 2003 12:25:41 +0300
854 70 100       1113 if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\).*? by (\S+)\b/) { # sendmail
855 4 100       17 if ($2 eq 'softdnserr') {
856 1         3 $mta_looked_up_dns = 0; # bug 2326: couriertcpd
857             } else {
858 3         7 $mta_looked_up_dns = 1; $rdns = $2;
  3         6  
859             }
860 4         7 $helo = $1; $ip = $3; $by = $4; goto enough;
  4         8  
  4         8  
  4         262  
861             }
862              
863             # from jsoliday.acs.internap.com ([63.251.66.24.63559]) by
864             # mailhost.acs.internap.com with esmtp (v3.35.1) id 1GNrLz-000295-00;
865             # Thu, 14 Sep 2006 09:34:07 -0400
866 66 100       1166 if (/^(\S+) \(\[(${IP_ADDRESS})(?:[.:]\d+)?\]\).*? by (\S+) /) {
867 6         9 $mta_looked_up_dns = 1;
868 6         16 $helo = $1; $ip = $2; $by = $3; goto enough;
  6         13  
  6         11  
  6         394  
869             }
870              
871             # Received: from roissy (p573.as1.exs.dublin.eircom.net [159.134.226.61])
872             # (authenticated bits=0) by slate.dublin.wbtsystems.com (8.12.6/8.12.6)
873             # with ESMTP id g9MFWcvb068860 for <jm@jmason.org>;
874             # Tue, 22 Oct 2002 16:32:39 +0100 (IST)
875 60 50       1014 if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\)(?: \(authenticated bits=\d+\))? by (\S+) \(/) { # sendmail
876 0         0 $mta_looked_up_dns = 1;
877 0         0 $helo = $1; $rdns = $2; $ip = $3; $by = $4; goto enough;
  0         0  
  0         0  
  0         0  
  0         0  
878             }
879              
880             # Identify fetch-from-server incidents:
881             # Fetchmail:
882             # Received: from cabbage.jmason.org [127.0.0.1]
883             # by localhost with IMAP (fetchmail-5.9.0)
884             # for jm@localhost (single-drop); Thu, 13 Mar 2003 20:39:56 -0800 (PST)
885             #
886             # Getmail:
887             # Received: from pop3.mail.dk (195.41.46.251) by loki.valhalla with POP3;
888             # 14 Apr 2010 11:14:29 -0000
889             #
890 60 100       213 if (/with (?:POP3|IMAP)/) {
891 4         22 $self->found_pop_fetcher_sig();
892 4         32 return 0; # skip mail fetcher handovers
893             }
894              
895             # Let's try to support a few qmailish formats in one;
896             # http://issues.apache.org/SpamAssassin/show_bug.cgi?id=2744#c14 :
897             # Received: from unknown (HELO feux01a-isp) (213.199.4.210) by totor.bouissou.net with SMTP; 1 Nov 2003 07:05:19 -0000
898             # Received: from adsl-207-213-27-129.dsl.lsan03.pacbell.net (HELO merlin.net.au) (Owner50@207.213.27.129) by totor.bouissou.net with SMTP; 10 Nov 2003 06:30:34 -0000
899 56 100       860 if (/^(\S+) \((?:HELO|EHLO) ([^\)]*)\) \((\S*@)?\[?(${IP_ADDRESS})\]?\).* by (\S+) /)
900             {
901 1         3 $mta_looked_up_dns = 1;
902 1         3 $rdns = $1;
903 1         4 $helo = $2;
904 1 50       4 $ident = (defined $3) ? $3 : '';
905 1         3 $ip = $4;
906 1         3 $by = $5;
907 1 50       2 if ($ident) {
908 1         5 $ident =~ s/\@$//;
909             }
910 1         66 goto enough;
911             }
912              
913             # Received: from x1-6-00-04-bd-d2-e0-a3.k317.webspeed.dk (benelli@80.167.158.170) by totor.bouissou.net with SMTP; 5 Nov 2003 23:18:42 -0000
914 55 100       914 if (/^(\S+) \((\S*@)?\[?(${IP_ADDRESS})\]?\).* by (\S+) /)
915             {
916 4         9 $mta_looked_up_dns = 1;
917             # bug 2744 notes that if HELO == rDNS, qmail drops it.
918 4 50       10 $rdns = $1; $helo = $rdns; $ident = (defined $2) ? $2 : '';
  4         8  
  4         12  
919 4         7 $ip = $3; $by = $4;
  4         8  
920 4 50       8 if ($ident) { $ident =~ s/\@$//; }
  0         0  
921 4         263 goto enough;
922             }
923              
924             # Received: from [129.24.215.125] by ws1-7.us4.outblaze.com with http for
925             # _bushisevil_@mail.com; Thu, 13 Feb 2003 15:59:28 -0500
926 51 50 33     164 if (/ with http for /&&/^\[(${IP_ADDRESS})\] by (\S+) with http for /) {
927 0         0 $ip = $1; $by = $2; goto enough;
  0         0  
  0         0  
928             }
929              
930             # Received: from snake.corp.yahoo.com(216.145.52.229) by x.x.org via smap (V1.3)
931             # id xma093673; Wed, 26 Mar 03 20:43:24 -0600
932 51 50 33     123 if (/ via smap /&&/^(\S+)\((${IP_ADDRESS})\) by (\S+) via smap /) {
933 0         0 $mta_looked_up_dns = 1;
934 0         0 $rdns = $1; $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
935             }
936              
937             # Received: from smtp.greyware.com(208.14.208.51, HELO smtp.sff.net) by x.x.org via smap (V1.3)
938             # id xma002908; Fri, 27 Feb 04 14:16:56 -0800
939 51 50       735 if (/^(\S+)\((${IP_ADDRESS}), (?:HELO|EHLO) (\S*)\) by (\S+) via smap /) {
940 0         0 $mta_looked_up_dns = 1;
941 0         0 $rdns = $1; $ip = $2; $helo = $3; $by = $4; goto enough;
  0         0  
  0         0  
  0         0  
  0         0  
942             }
943              
944             # Received: from [192.168.0.71] by web01-nyc.clicvu.com (Post.Office MTA
945             # v3.5.3 release 223 ID# 0-64039U1000L100S0V35) with SMTP id com for
946             # <x@x.org>; Tue, 25 Mar 2003 11:42:04 -0500
947 51 50 33     156 if (/ \(Post/&&/^\[(${IP_ADDRESS})\] by (\S+) \(Post/) {
948 0         0 $ip = $1; $by = $2; goto enough;
  0         0  
  0         0  
949             }
950              
951             # Received: from [127.0.0.1] by euphoria (ArGoSoft Mail Server
952             # Freeware, Version 1.8 (1.8.2.5)); Sat, 8 Feb 2003 09:45:32 +0200
953 51 50 33     117 if (/ \(ArGoSoft/&&/^\[(${IP_ADDRESS})\] by (\S+) \(ArGoSoft/) {
954 0         0 $ip = $1; $by = $2; goto enough;
  0         0  
  0         0  
955             }
956              
957             # Received: from 157.54.8.23 by inet-vrs-05.redmond.corp.microsoft.com
958             # (InterScan E-Mail VirusWall NT); Thu, 06 Mar 2003 12:02:35 -0800
959             # Received: from 10.165.130.62 by CNNIMAIL12.CNN.COM (SMTPL release 1.0d) with TCP; Fri, 1 Sep 2006 20:28:14 -0400
960 51 100       1001 if (/^(${IP_ADDRESS}) by (\S+) \((?:SMTPL|InterScan)\b/) {
961 1         5 $ip = $1; $by = $2; goto enough;
  1         3  
  1         73  
962             }
963              
964             # Received: from faerber.muc.de by slarti.muc.de with BSMTP (rsmtp-qm-ot 0.4)
965             # for asrg@ietf.org; 7 Mar 2003 21:10:38 -0000
966 50 50 33     192 if (/ with BSMTP/&&/^\S+ by \S+ with BSMTP/) {
967 0         0 return 0; # BSMTP != a TCP/IP handover, ignore it
968             }
969              
970             # Received: from spike (spike.ig.co.uk [193.32.60.32]) by mail.ig.co.uk with
971             # SMTP id h27CrCD03362 for <asrg@ietf.org>; Fri, 7 Mar 2003 12:53:12 GMT
972 50 50       758 if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\) by (\S+) with /) {
973 0         0 $mta_looked_up_dns = 1;
974 0         0 $helo = $1; $rdns = $2; $ip = $3; $by = $4; goto enough;
  0         0  
  0         0  
  0         0  
  0         0  
975             }
976              
977             # Received: from customer254-217.iplannetworks.net (HELO AGAMENON)
978             # (baldusi@200.69.254.217 with plain) by smtp.mail.vip.sc5.yahoo.com with
979             # SMTP; 11 Mar 2003 21:03:28 -0000
980 50 50       170 if (/^(\S+) \((?:HELO|EHLO) (\S*)\) \((\S+).*?\) by (\S+) with /) {
981 0         0 $mta_looked_up_dns = 1;
982 0         0 $rdns = $1; $helo = $2; $ip = $3; $by = $4;
  0         0  
  0         0  
  0         0  
983 0 0       0 $ip =~ s/([^\@]*)\@//g and $ident = $1; # remove IDENT lookups
984 0         0 goto enough;
985             }
986              
987             # Received: from [192.168.1.104] (account nazgul HELO [192.168.1.104])
988             # by somewhere.com (CommuniGate Pro SMTP 3.5.7) with ESMTP-TLS id 2088434;
989             # Fri, 07 Mar 2003 13:05:06 -0500
990 50 100       796 if (/^\[(${IP_ADDRESS})\] \((?:account \S+ )?(?:HELO|EHLO) (\S*)\) by (\S+) \(/) {
991 7         21 $ip = $1; $helo = $2; $by = $3; goto enough;
  7         13  
  7         13  
  7         456  
992             }
993              
994             # Received: from host.example.com ([192.0.2.1] verified)
995             # by mail.example.net (CommuniGate Pro SMTP 5.1.13)
996             # with ESMTP id 9786656 for user@example.net; Thu, 27 Mar 2008 15:08:17 +0600
997 43 100 100     464 if (/ \(CommuniGate Pro/ && /^(\S+) \(\[(${IP_ADDRESS})\] verified\) by (\S+) \(/) {
998 4         7 $mta_looked_up_dns = 1;
999 4         12 $rdns = $1; $helo = $1; $ip = $2; $by = $3; goto enough;
  4         6  
  4         7  
  4         7  
  4         270  
1000             }
1001              
1002             # Received: from ([10.0.0.6]) by mail0.ciphertrust.com with ESMTP ; Thu,
1003             # 13 Mar 2003 06:26:21 -0500 (EST)
1004 39 50       712 if (/^\(\[(${IP_ADDRESS})\]\) by (\S+) with /) {
1005 0         0 $ip = $1; $by = $2; goto enough;
  0         0  
  0         0  
1006             }
1007              
1008             # Received: from ironport.com (10.1.1.5) by a50.ironport.com with ESMTP; 01 Apr 2003 12:00:51 -0800
1009             # Received: from dyn-81-166-39-132.ppp.tiscali.fr (81.166.39.132) by cpmail.dk.tiscali.com (6.7.018)
1010 39 50       721 if (/^([^\d]\S+) \((${IP_ADDRESS})\) by (\S+) /) {
1011 0         0 $helo = $1; $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
1012             }
1013              
1014             # Received: from scv3.apple.com (scv3.apple.com) by mailgate2.apple.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T61095998e1118164e13f8@mailgate2.apple.com>; Mon, 17 Mar 2003 17:04:54 -0800
1015             # bug 4704: Only let this match Content Technologies so it stops breaking things that come after it by matching first
1016 39 50       98 if (/^\S+ \(\S+\) by \S+ \(Content Technologies /) {
1017 0         0 return 0; # useless without the $ip anyway!
1018             }
1019              
1020             # Received: from 01al10015010057.ad.bls.com ([90.152.5.141] [90.152.5.141])
1021             # by aismtp3g.bls.com with ESMTP; Mon, 10 Mar 2003 11:10:41 -0500
1022 39 50       91 if (/^(\S+) \(\[(\S+)\] \[(\S+)\]\) by (\S+) with /) {
1023             # not sure what $3 is ;)
1024 0         0 $helo = $1; $ip = $2; $by = $4;
  0         0  
  0         0  
1025 0         0 goto enough;
1026             }
1027              
1028             # Received: from 206.47.0.153 by dm3cn8.bell.ca with ESMTP (Tumbleweed MMS
1029             # SMTP Relay (MMS v5.0)); Mon, 24 Mar 2003 19:49:48 -0500
1030 39 100       840 if (/^(${IP_ADDRESS}) by (\S+) with /) {
1031 1         5 $ip = $1; $by = $2;
  1         4  
1032 1         68 goto enough;
1033             }
1034              
1035             # Received: from pobox.com (h005018086b3b.ne.client2.attbi.com[66.31.45.164])
1036             # by rwcrmhc53.attbi.com (rwcrmhc53) with SMTP id <2003031302165605300suph7e>;
1037             # Thu, 13 Mar 2003 02:16:56 +0000
1038 38 50       725 if (/^(\S+) \((\S+)\[(${IP_ADDRESS})\]\) by (\S+) /) {
1039 0         0 $mta_looked_up_dns = 1;
1040 0         0 $helo = $1; $rdns = $2; $ip = $3; $by = $4; goto enough;
  0         0  
  0         0  
  0         0  
  0         0  
1041             }
1042              
1043             # Received: from [10.128.128.81]:50999 (HELO dfintra.f-secure.com) by fsav4im2 ([10.128.128.74]:25) (F-Secure Anti-Virus for Internet Mail 6.0.34 Release) with SMTP; Tue, 5 Mar 2002 14:11:53 -0000
1044 38 50       784 if (/^\[(${IP_ADDRESS})\]\S+ \((?:HELO|EHLO) (\S*)\) by (\S+) /) {
1045 0         0 $ip = $1; $helo = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
1046             }
1047              
1048             # Received: from 62.180.7.250 (HELO daisy) by smtp.altavista.de (209.228.22.152) with SMTP; 19 Sep 2002 17:03:17 +0000
1049 38 50       801 if (/^(${IP_ADDRESS}) \((?:HELO|EHLO) (\S*)\) by (\S+) /) {
1050 0         0 $ip = $1; $helo = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
1051             }
1052              
1053             # Received: from oemcomputer [63.232.189.195] by highstream.net (SMTPD32-7.07) id A4CE7F2A0028; Sat, 01 Feb 2003 21:39:10 -0500
1054 38 50       672 if (/^(\S+) \[(${IP_ADDRESS})\] by (\S+) /) {
1055 0         0 $helo = $1; $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
1056             }
1057              
1058             # from nodnsquery(192.100.64.12) by herbivore.monmouth.edu via csmap (V4.1) id srcAAAyHaywy
1059 38 50       723 if (/^(\S+)\((${IP_ADDRESS})\) by (\S+) /) {
1060 0         0 $rdns = $1; $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
1061             }
1062              
1063             # Received: from [192.168.0.13] by <server> (MailGate 3.5.172) with SMTP;
1064             # Tue, 1 Apr 2003 15:04:55 +0100
1065 38 50       721 if (/^\[(${IP_ADDRESS})\] by (\S+) \(MailGate /) {
1066 0         0 $ip = $1; $by = $2; goto enough;
  0         0  
  0         0  
1067             }
1068              
1069             # Received: from jmason.org (unverified [195.218.107.131]) by ni-mail1.dna.utvinternet.net <B0014212518@ni-mail1.dna.utvinternet.net>; Tue, 11 Feb 2003 12:18:12 +0000
1070 38 50       704 if (/^(\S+) \(unverified \[(${IP_ADDRESS})\]\) by (\S+) /) {
1071 0         0 $helo = $1; $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
1072             }
1073              
1074             # # from 165.228.131.11 (proxying for 139.130.20.189) (SquirrelMail authenticated user jmmail) by jmason.org with HTTP
1075             # if (/^from (\S+) \(proxying for (${IP_ADDRESS})\) \([A-Za-z][^\)]+\) by (\S+) with /) {
1076             # $ip = $2; $by = $3; goto enough;
1077             # }
1078 38 50       883 if (/^(${IP_ADDRESS}) \([A-Za-z][^\)]+\) by (\S+) with /) {
1079 0         0 $ip = $1; $by = $2; goto enough;
  0         0  
  0         0  
1080             }
1081              
1082             # Received: from [212.87.144.30] (account seiz [212.87.144.30] verified) by x.imd.net (CommuniGate Pro SMTP 4.0.3) with ESMTP-TLS id 5026665 for spamassassin-talk@lists.sourceforge.net; Wed, 15 Jan 2003 16:27:05 +0100
1083             # bug 4704 This pattern was checked as just an Exim format, but it does exist elsewhere
1084             # Received: from [206.51.230.145] (helo=t-online.de)
1085             # by mxeu2.kundenserver.de with ESMTP (Nemesis),
1086             # id 0MKpdM-1CkRpr14PF-000608; Fri, 31 Dec 2004 19:49:15 +0100
1087             # Received: from [218.19.142.229] (helo=hotmail.com ident=yiuhyotp)
1088             # by yzordderrex with smtp (Exim 3.35 #1 (Debian)) id 194BE5-0005Zh-00; Sat, 12 Apr 2003 03:58:53 +0100
1089 38 100       741 if (/^\[(${IP_ADDRESS})\] \(([^\)]+)\) by (\S+) /) {
1090 3         11 $ip = $1; my $sub = $2; $by = $3;
  3         6  
  3         6  
1091 3 100       12 $sub =~ s/helo=(\S+)// and $helo = $1;
1092 3 50       8 $sub =~ s/ident=(\S*)// and $ident = $1;
1093 3         206 goto enough;
1094             }
1095              
1096             # Received: from mtsbp606.email-info.net (?dXqpg3b0hiH9faI2OxLT94P/YKDD3rQ1?@64.253.199.166) by kde.informatik.uni-kl.de with SMTP; 30 Apr 2003 15:06:29
1097 35 50       779 if (/^(\S+) \((?:\S+\@)?(${IP_ADDRESS})\) by (\S+) with /) {
1098 0         0 $rdns = $1; $ip = $2; $by = $3; goto enough;
  0         0  
  0         0  
  0         0  
1099             }
1100              
1101             # Obtuse smtpd: http://www.obtuse.com/
1102             # Received: from TCE-E-7-182-54.bta.net.cn(202.106.182.54) via SMTP
1103             # by st.tahina.priv.at, id smtpdEDUB8h; Sun Nov 13 14:50:12 2005
1104             # Received: from pl027.nas934.d-osaka.nttpc.ne.jp(61.197.82.27), claiming to be "foo.woas.net" via SMTP
1105             # by st.tahina.priv.at, id smtpd1PBsZT; Sun Nov 13 15:38:52 2005
1106 35 100       757 if (/^(\S+)\((${IP_ADDRESS})\)(?:, claiming to be "(\S+)")? via \S+ by (\S+),/) {
1107 2 100       9 $rdns = $1; $ip = $2; $helo = (defined $3) ? $3 : ''; $by = $4;
  2         4  
  2         8  
  2         4  
1108 2 50       341 if ($1 ne 'UNKNOWN') {
1109 2         7 $mta_looked_up_dns = 1;
1110 2         6 $rdns = $1;
1111             }
1112 2         141 goto enough;
1113             }
1114              
1115             # Yahoo Authenticated SMTP; Bug #6535
1116             # from itrqtnlnq (lucilleskinner@93.124.107.183 with login) by smtp111.mail.ne1.yahoo.com with SMTP; 17 Jan 2011 08:23:27 -0800 PST
1117 33 50       713 if (/^(\S+) \((\S+)@(${IP_ADDRESS}) with login\) by (\S+\.yahoo\.com) with SMTP/) {
1118 0         0 $helo = $1; $ip = $3; $by = $4; goto enough;
  0         0  
  0         0  
  0         0  
1119             }
1120              
1121             # a synthetic header, generated internally:
1122             # Received: X-Originating-IP: 1.2.3.4
1123 33 100       108 if (/^X-Originating-IP: (\S+)$/) {
1124 4         15 $ip = $1; $by = ''; goto enough;
  4         9  
  4         301  
1125             }
1126              
1127             ## STUFF TO IGNORE ##
1128              
1129             # Received: from raptor.research.att.com (bala@localhost) by
1130             # raptor.research.att.com (SGI-8.9.3/8.8.7) with ESMTP id KAA14788
1131             # for <asrg@example.com>; Fri, 7 Mar 2003 10:37:56 -0500 (EST)
1132             # make this localhost-specific, so we know it's safe to ignore
1133 29 100       262 if (/^\S+ \([^\s\@]+\@${LOCALHOST}\) by \S+ \(/) { return 0; }
  1         13  
1134              
1135             # from paul (helo=felix) by felix.peema.org with local-esmtp (Exim 4.43)
1136             # id 1Ccq0j-0002k2-Lk; Fri, 10 Dec 2004 19:01:01 +0000
1137             # Exim doco says this is local submission, cf switch -oMr
1138 28 50       64 if (/^\S+ \S+ by \S+ with local-e?smtp /) { return 0; }
  0         0  
1139              
1140             # from 127.0.0.1 (AVG SMTP 7.0.299 [265.6.8]); Wed, 05 Jan 2005 15:06:48 -0800
1141 28 50       52 if (/^127\.0\.0\.1 \(AVG SMTP \S+ \[\S+\]\)/) { return 0; }
  0         0  
1142              
1143             # from qmail-scanner-general-admin@lists.sourceforge.net by alpha by uid 7791 with qmail-scanner-1.14 (spamassassin: 2.41. Clear:SA:0(-4.1/5.0):. Processed in 0.209512 secs)
1144 28 100       60 if (/^\S+\@\S+ by \S+ by uid \S+ /) { return 0; }
  1         14  
1145              
1146             # Received: from DSmith1204@aol.com by imo-m09.mx.aol.com (mail_out_v34.13.) id 7.53.208064a0 (4394); Sat, 11 Jan 2003 23:24:31 -0500 (EST)
1147 27 100       81 if (/^\S+\@\S+ by \S+ /) { return 0; }
  1         16  
1148              
1149             # Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Fri, 17 Jan 2003 15:23:29 -0000
1150 26 50       49 if (/^Unknown\/Local \(/) { return 0; }
  0         0  
1151              
1152             # Received: from localhost (mailnull@localhost) by x.org (8.12.6/8.9.3)
1153             # with SMTP id h2R2iivG093740; Wed, 26 Mar 2003 20:44:44 -0600
1154             # (CST) (envelope-from x@x.org)
1155             # Received: from localhost (localhost [127.0.0.1]) (uid 500) by mail with local; Tue, 07 Jan 2003 11:40:47 -0600
1156 26 50       439 if (/^${LOCALHOST} \((?:\S+\@)?${LOCALHOST}[\)\[]/) { return 0; }
  0         0  
1157              
1158             # Received: from olgisoft.com (127.0.0.1) by 127.0.0.1 (EzMTS MTSSmtp
1159             # 1.55d5) ; Thu, 20 Mar 03 10:06:43 +0100 for <asrg@ietf.org>
1160 26 50       255 if (/^\S+ \((?:\S+\@)?${LOCALHOST}\) /) { return 0; }
  0         0  
1161              
1162             # Received: from casper.ghostscript.com (raph@casper [127.0.0.1]) h148aux8016336verify=FAIL); Tue, 4 Feb 2003 00:36:56 -0800
1163 26 50       266 if (/^\S+ \(\S+\@\S+ \[${LOCALHOST}\]\) /) { return 0; }
  0         0  
1164              
1165             # Received: from (AUTH: e40a9cea) by vqx.net with esmtp (courier-0.40) for <asrg@ietf.org>; Mon, 03 Mar 2003 14:49:28 +0000
1166 26 50       59 if (/^\(AUTH: \S+\) by \S+ with /) { return 0; }
  0         0  
1167              
1168             # from localhost (localhost [[UNIX: localhost]]) by home.barryodonovan.com
1169             # (8.12.11/8.12.11/Submit) id iBADHRP6011034; Fri, 10 Dec 2004 13:17:27 GMT
1170 26 50       52 if (/^localhost \(localhost \[\[UNIX: localhost\]\]\) by /) { return 0; }
  0         0  
1171              
1172             # Internal Amazon traffic
1173             # Received: from dc-mail-3102.iad3.amazon.com by mail-store-2001.amazon.com with ESMTP (peer crosscheck: dc-mail-3102.iad3.amazon.com)
1174 26 50       51 if (/^\S+\.amazon\.com by \S+\.amazon\.com with ESMTP \(peer crosscheck: /) { return 0; }
  0         0  
1175              
1176             # Received: from GWGC6-MTA by gc6.jefferson.co.us with Novell_GroupWise; Tue, 30 Nov 2004 10:09:15 -0700
1177 26 50       53 if (/^[^\.]+ by \S+ with Novell_GroupWise/) { return 0; }
  0         0  
1178              
1179             # Received: from no.name.available by [165.224.43.143] via smtpd (for [165.224.216.89]) with ESMTP; Fri, 28 Jan 2005 13:06:39 -0500
1180             # Received: from no.name.available by [165.224.216.88] via smtpd (for lists.sourceforge.net [66.35.250.206]) with ESMTP; Fri, 28 Jan 2005 15:42:30 -0500
1181             # These are from an internal host protected by a Raptor firewall, to hosts
1182             # outside the firewall. We can only ignore the handover since we don't have
1183             # enough info in those headers; however, from googling, it appears that
1184             # all samples are cases where the handover is safely ignored.
1185 26 50       43 if (/^no\.name\.available by \S+ via smtpd \(for /) { return 0; }
  0         0  
1186              
1187             # from 156.56.111.196 by blazing.arsecandle.org (envelope-from <gentoo-announce-return-530-rod=arsecandle.org@lists.gentoo.org>, uid 502) with qmail-scanner-1.24 (clamdscan: 0.80/594. f-prot: 4.4.2/3.14.11. Clear:RC:0(156.56.111.196):. Processed in 0.288806 secs); 06 Feb 2005 21:11:38 -0000
1188             # these are safe to ignore. the previous handover line has the full
1189             # details of the handover described here, it's just qmail-scanner
1190             # logging a little more.
1191 26 100       53 if (/^\S+ by \S+ \(.{0,100}\) with qmail-scanner/) {
1192 1         6 $envfrom =~ s/^\s*<*//gs; $envfrom =~ s/>*\s*$//gs;
  1         16  
1193 1         4 $envfrom =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs;
1194 1         5 $self->{qmail_scanner_env_from} = $envfrom; # hack!
1195 1         18 return 0;
1196             }
1197              
1198             # Received: from mmail by argon.connect.org.uk with local (connectmail/exim)
1199             # id 18tOsg-0008FX-00; Thu, 13 Mar 2003 09:20:06 +0000
1200 25 50       53 if (/^\S+ by \S+ with local/) { return 0; }
  0         0  
1201              
1202             # Local unix socket handover from Cyrus, tested with v2.3.14
1203             # Received: from testintranator.net.vm ([unix socket])_ by testintranator.net.vm (Cyrus v2.3.14) with LMTPA;_ Tue, 21 Jul 2009 14:34:14 +0200
1204             # Attention: Actually the received header is parsed as "testintranator.net.vm ([unix socket]) by testintranator.net.vm (Cyrus v2.3.14) with LMTPA", "from" is ommited.
1205 25 50       56 if (/^\S+ \(\[unix socket\]\) by \S+ \(Cyrus v[0-9]*?\.[0-9]*?\.[0-9]*?\) with LMTPA/) { return 0; }
  0         0  
1206              
1207             # HANDOVERS WE KNOW WE CAN'T DEAL WITH: TCP transmission, but to MTAs that
1208             # just don't log enough info for us to use (ie. no IP address present).
1209             # Note: "return 0" is strongly recommended here, unless you're sure
1210             # the regexp won't match something in the field; otherwise ALL_TRUSTED may
1211             # fire even in the presence of an unparseable Received header.
1212              
1213             # Received: from CATHY.IJS.SI by CATHY.IJS.SI (PMDF V4.3-10 #8779) id <01KTSSR50NSW001MXN@CATHY.IJS.SI>; Fri, 21 Mar 2003 20:50:56 +0100
1214             # Received: from MATT_LINUX by hippo.star.co.uk via smtpd (for mail.webnote.net [193.120.211.219]) with SMTP; 3 Jul 2002 15:43:50 UT
1215             # Received: from cp-its-ieg01.mail.saic.com by cpmx.mail.saic.com for me@jmason.org; Tue, 23 Jul 2002 14:09:10 -0700
1216 25 100       107 if (/^\S+ by \S+ (?:with|via|for|\()/) { return 0; }
  20         272  
1217              
1218             # from senmail2.senate.gov with LMTP by senmail2 (3.0.2/sieved-3-0-build-942) for <example@vandinter.org>; Fri, 30 Jun 2006 10:58:41 -0400
1219             # from zimbramail.artsit.org.uk (unverified) by MAILSWEEP.birminghamartsit.org.uk (Clearswift SMTPRS 5.1.7) with ESMTP id <T78926b35f2c0a80003da8@MAILSWEEP.birminghamartsit.org.uk> for <discuss@lists.surbl.org>; Tue, 30 May 2006 15:56:15 +0100
1220 5 100       21 if (/^\S+ (?:(?:with|via|for) \S+|\(unverified\)) by\b/) { return 0; }
  2         25  
1221              
1222             # from DL1GSPMX02 (dl1gspmx02.gamestop.com) by email.ebgames.com (LSMTP for Windows NT v1.1b) with SMTP id <21.000575A0@email.ebgames.com>; Tue, 12 Sep 2006 21:06:43 -0500
1223 3 100       9 if (/\(LSMTP for/) { return 0; }
  1         13  
1224            
1225             # if at this point we still haven't figured out the HELO string, see if we
1226             # can't just guess
1227 2 100 66     18 if (!$helo && /^(\S+)[^-A-Za-z0-9\.]/) { $helo = $1; }
  1         9  
1228             }
1229              
1230             # ---------------------------------------------------------------------------
1231              
1232             elsif (s/^FROM //) {
1233             # simta: http://rsug.itd.umich.edu/software/simta/
1234             # Note the ugly uppercase FROM/BY/ID
1235             # Received: FROM hackers.mr.itd.umich.edu (smtp.mail.umich.edu [141.211.14.81])
1236             # BY madman.mr.itd.umich.edu ID 434B508E.174A6.13932 ; 11 Oct 2005 01:41:34 -0400
1237             # Received: FROM [192.168.1.24] (s233-64-90-216.try.wideopenwest.com [64.233.216.90])
1238             # BY hackers.mr.itd.umich.edu ID 434B5051.8CDE5.15436 ; 11 Oct 2005 01:40:33 -0400
1239 2 50       273 if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\) BY (\S+) ID (\S+)$/ ) {
1240 2         6 $mta_looked_up_dns = 1;
1241 2         7 $helo = $1; $rdns = $2; $ip = $3; $by = $4; $id = $5;
  2         4  
  2         10  
  2         5  
  2         3  
1242 2         133 goto enough;
1243             }
1244             }
1245              
1246             # ---------------------------------------------------------------------------
1247              
1248             elsif (s/^\(from //) {
1249             # Norton AntiVirus Gateway
1250             # Received: (from localhost [24.180.47.240])
1251             # by host.name (NAVGW 2.5.2.12) with SMTP id M2006060503484615455
1252             # for <user@domain.co.uk>; Mon, 05 Jun 2006 03:48:47 +0100
1253 5 100       862 if (/^(\S*) \[(${IP_ADDRESS})\]\) by (\S+) \(NAVGW .*?\) with /) {
1254 1         5 $helo = $1; $ip = $2; $by = $3;
  1         4  
  1         2  
1255 1         144 goto enough;
1256             }
1257              
1258             # header produced by command line /usr/bin/sendmail -t -f username@example.com
1259             # Received: (from username@localhost) by home.example.com
1260             # (8.12.11/8.12.11/Submit) id iBADHRP6011034; Fri, 10 Dec 2004 13:17:27 GMT
1261 4 50       90 if (/^\S+\@localhost\) by \S+ /) { return 0; }
  4         34  
1262              
1263             # Received: (from vashugins@juno.com) by m06.lax.untd.com (jqueuemail) id LRVB3JAJ; Fri, 02 Jun 2006 08:15:21 PDT
1264 0 0       0 if (/^[^\s\@]+\@[^)]+\) by \S+\(jqueuemail\) id [^\s;]+/) { return 0; }
  0         0  
1265             }
1266              
1267             # ---------------------------------------------------------------------------
1268              
1269             # FALL-THROUGH: OK, at this point let's try some general patterns for things
1270             # we may not have already parsed out.
1271 2 50 33     244 if (!$ip && /\[(${IP_ADDRESS})\]/) { $ip = $1; }
  2         7  
1272              
1273             # ---------------------------------------------------------------------------
1274              
1275             # We need to have a minimal amount of information to have a useful parse.
1276             # If we have the IP and the "by" name, move forward. If we don't, we'll
1277             # drop into the unparseable area.
1278 2 50 33     12 if ($ip && $by) { goto enough; }
  2         9  
1279              
1280             # Ok, we can't handle this header, go ahead and return that.
1281 0         0 return;
1282              
1283             # ---------------------------------------------------------------------------
1284              
1285             enough:
1286              
1287             # OK, line parsed (at least partially); now deal with the contents
1288              
1289             # flag handovers we couldn't get an IP address from at all
1290 177 50       618 if ($ip eq '') {
1291 0         0 dbg("received-header: could not parse IP address from: $_");
1292             }
1293              
1294             # DISABLED: if we cut out localhost-to-localhost SMTP handovers,
1295             # we will give FPs on SPF checks -- since the SMTP "MAIL FROM" addr
1296             # will be recorded, but we won't have the relays handover recorded
1297             # for that SMTP transaction, so we wind up checking the wrong IP
1298             # for the addr.
1299 177         259 if (0) {
1300             if ($ip eq '127.0.0.1') {
1301             dbg("received-header: ignoring localhost handover");
1302             return 0; # ignore localhost handovers
1303             }
1304             }
1305              
1306 177 50       1086 if ($rdns =~ /^unknown$/i) {
1307 0         0 $rdns = ''; # some MTAs seem to do this
1308             }
1309            
1310 177         448 $ip =~ s/^ipv6://i; # remove "IPv6:" prefix
1311 177         345 $ip =~ s/^\[//; $ip =~ s/\]\z//;
  177         302  
1312              
1313             # IPv6 Scoped Address (RFC 4007, RFC 6874, RFC 3986 "unreserved" charset)
1314 177         307 $ip =~ s/%[A-Z0-9._~-]*\z//si; # scoped address? remove <zone_id>
1315              
1316             # remove "::ffff:" prefix from IPv4-mapped-in-IPv6 addresses,
1317             # so we can treat them simply as IPv4 addresses
1318             # (only handles 'alternative form', not 'preferred form' - to be improved)
1319 177         283 $ip =~ s/^0*:0*:(?:0*:)*ffff:(\d+\.\d+\.\d+\.\d+)$/$1/i;
1320              
1321 177         883 $envfrom =~ s/^\s*<*//gs; $envfrom =~ s/>*\s*$//gs;
  177         793  
1322 177         353 $by =~ s/\;$//;
1323              
1324             # ensure invalid chars are stripped. Replace with '!' to flag their
1325             # presence, though. NOTE: this means "[1.2.3.4]" IP addr HELO
1326             # strings, which are legit by RFC-2821, look like "!1.2.3.4!".
1327             # still useful though.
1328 177         384 $ip =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs;
1329 177         333 $rdns =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs;
1330 177         354 $helo =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs;
1331 177         329 $by =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs;
1332 177         257 $ident =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs;
1333 177         253 $envfrom =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs;
1334              
1335 177         1734 my $relay = {
1336             ip => $ip,
1337             by => $by,
1338             helo => $helo,
1339             id => $id,
1340             ident => $ident,
1341             envfrom => $envfrom,
1342             lc_by => (lc $by),
1343             lc_helo => (lc $helo),
1344             auth => $auth
1345             };
1346              
1347 177 100       481 if ($rdns eq '') {
1348 60 100       119 if ($mta_looked_up_dns) {
1349             # we know the MTA always does lookups, so this means the host
1350             # really has no rDNS (rather than that the MTA didn't bother
1351             # looking it up for us).
1352 14         28 $relay->{no_reverse_dns} = 1;
1353 14         438 $rdns = '';
1354             } else {
1355 46         103 $relay->{rdns_not_in_headers} = 1;
1356             }
1357             }
1358              
1359 177         411 $relay->{rdns} = $rdns;
1360 177         446 $relay->{lc_rdns} = lc $rdns;
1361              
1362 177         704 $self->make_relay_as_string($relay);
1363              
1364 177         1033 my $is_private = ($ip =~ /${IP_PRIVATE}/o);
1365 177         370 $relay->{ip_private} = $is_private;
1366              
1367             # add it to an internal array so Eval tests can use it
1368 177         1119 return $relay;
1369             }
1370              
1371             sub make_relay_as_string {
1372 288     288 0 1033 my ($self, $relay) = @_;
1373              
1374             # as-string rep. use spaces so things like Bayes can tokenize them easily.
1375             # NOTE: when tokenizing or matching, be sure to note that new
1376             # entries may be added to this string later. However, the *order*
1377             # of entries must be preserved, so that regexps that assume that
1378             # e.g. "ip" comes before "helo" will still work.
1379             #
1380 288         1428 my $asstr = "[ ip=$relay->{ip} rdns=$relay->{rdns} helo=$relay->{helo} by=$relay->{by} ident=$relay->{ident} envfrom=$relay->{envfrom} intl=0 id=$relay->{id} auth=$relay->{auth} msa=0 ]";
1381 288         1109 dbg("received-header: parsed as $asstr");
1382 288         744 $relay->{as_string} = $asstr;
1383             }
1384              
1385             # restart the parse if we find a fetchmail marker or similar.
1386             # spamcop does this, and it's a great idea ;)
1387             sub found_pop_fetcher_sig {
1388 4     4 0 11 my ($self) = @_;
1389 4 100       12 if ($self->{allow_mailfetch_markers}) {
1390 1         5 dbg("received-header: found mail fetcher marker, restarting parse");
1391 1         2 $self->{relays_trusted} = [ ];
1392 1         5 $self->{relays_internal} = [ ];
1393 1         3 $self->{relays_external} = [ ];
1394             } else {
1395 3         12 dbg("received-header: found mail fetcher marker outside trusted area, ignored");
1396             }
1397             }
1398              
1399             # ---------------------------------------------------------------------------
1400              
1401             1;