File Coverage

blib/lib/Mail/SpamAssassin/Message/Metadata/Received.pm

Criterion	Covered	Total	%
statement	538	734	73.3
branch	284	388	73.2
condition	55	83	66.2
subroutine	11	11	100.0
pod	0	4	0.0
total	888	1220	72.7

line	stmt	bran	cond	sub	pod	time	code
1							# <@LICENSE>
2							# Licensed to the Apache Software Foundation (ASF) under one or more
3							# contributor license agreements. See the NOTICE file distributed with
4							# this work for additional information regarding copyright ownership.
5							# The ASF licenses this file to you under the Apache License, Version 2.0
6							# (the "License"); you may not use this file except in compliance with
7							# the License. You may obtain a copy of the License at:
8							#
9							# http://www.apache.org/licenses/LICENSE-2.0
10							#
11							# Unless required by applicable law or agreed to in writing, software
12							# distributed under the License is distributed on an "AS IS" BASIS,
13							# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14							# See the License for the specific language governing permissions and
15							# limitations under the License.
16							# </@LICENSE>
17
18							# ---------------------------------------------------------------------------
19
20							# So, what's the difference between a trusted and untrusted Received header?
21							# Basically, relays we know are trustworthy are 'trusted', all others after
22							# the last one of those are 'untrusted'.
23							#
24							# We determine trust by detecting if they are inside the network ranges
25							# specified in 'trusted_networks'. There is also an inference algorithm
26							# which determines other trusted relays without user configuration.
27							#
28							# There's another type of Received header: the semi-trusted one. This is the
29							# header added by our MX, at the boundary of trust; we can trust the IP
30							# address (and possibly rDNS) in this header, but that's about it; HELO name is
31							# untrustworthy. We just use this internally for now.
32							#
33							# Finally, there's also 'internal_networks'. These are the networks that you
34							# control; your MXes should be included. This way, if you specify a wide range
35							# of trusted hosts, a mail that is relayed from a dynamic IP address via a
36							# 'trusted' host will not hit RCVD_IN_DYNABLOCK.
37
38							# ---------------------------------------------------------------------------
39
40	40			40		273	use strict; # make Test::Perl::Critic happy
	40					102
	40					1915
41							package Mail::SpamAssassin::Message::Metadata::Received; 1;
42
43							package Mail::SpamAssassin::Message::Metadata;
44	40			40		237	use strict;
	40					105
	40					948
45	40			40		221	use warnings;
	40					102
	40					1427
46							# use bytes;
47	40			40		245	use re 'taint';
	40					101
	40					1354
48
49	40			40		11930	use Mail::SpamAssassin::Dns;
	40					356
	40					3619
50	40			40		420	use Mail::SpamAssassin::PerMsgStatus;
	40					167
	40					1609
51	40			40		356	use Mail::SpamAssassin::Constants qw(:ip);
	40					157
	40					282482
52
53							# ---------------------------------------------------------------------------
54
55							sub parse_received_headers {
56	102			102	0	400	my ($self, $permsgstatus, $msg) = @_;
57
58	102					320	my $suppl_attrib = $msg->{suppl_attrib}; # out-of-band info from a caller
59
60							# a caller may assert that a message is coming from inside or from an
61							# authenticated roaming users; this info may not be available in mail
62							# header section, e.g. in case of nonstandard authentication mechanisms
63	102					647	my $originating; # boolean
64	102	100				378	$originating = $suppl_attrib->{originating} if ref $suppl_attrib;
65
66	102					504	$self->{relays_trusted} = [ ];
67	102					388	$self->{num_relays_trusted} = 0;
68	102					412	$self->{relays_trusted_str} = '';
69
70	102					365	$self->{relays_untrusted} = [ ];
71	102					363	$self->{num_relays_untrusted} = 0;
72	102					564	$self->{relays_untrusted_str} = '';
73
74	102					433	$self->{relays_internal} = [ ];
75	102					362	$self->{num_relays_internal} = 0;
76	102					431	$self->{relays_internal_str} = '';
77
78	102					355	$self->{relays_external} = [ ];
79	102					598	$self->{num_relays_external} = 0;
80	102					439	$self->{relays_external_str} = '';
81
82	102					333	$self->{num_relays_unparseable} = 0;
83
84	102					500	$self->{last_trusted_relay_index} = -1; # last counting from the top,
85	102					343	$self->{last_internal_relay_index} = -1; # first in time
86
87	102					314	$self->{allow_mailfetch_markers} = 1; # This needs to be set for the
88							# first Received: header
89							# now figure out what relays are trusted...
90	102					743	my $trusted = $permsgstatus->{main}->{conf}->{trusted_networks};
91	102					264	my $internal = $permsgstatus->{main}->{conf}->{internal_networks};
92	102					267	my $msa = $permsgstatus->{main}->{conf}->{msa_networks};
93	102					267	my $did_user_specify_trust = $permsgstatus->{main}->{conf}->{trusted_networks_configured};
94	102					258	my $did_user_specify_internal = $permsgstatus->{main}->{conf}->{internal_networks_configured};
95	102					222	my $in_trusted = 1;
96	102					181	my $in_internal = 1;
97	102					218	my $found_msa = 0;
98
99	102	100	100			562	unless ($did_user_specify_trust && $did_user_specify_internal) {
100	82	100	100			689	if (!$did_user_specify_trust && !$did_user_specify_internal) {
		100
101	44					252	dbg('config: trusted_networks are not configured; it is recommended '.
102							'that you configure trusted_networks manually');
103							} elsif (!$did_user_specify_internal) {
104							# use 'trusted' for 'internal'; compatibility with SpamAssassin 2.60
105	36					78	$internal = $trusted;
106	36					201	dbg('config: internal_networks not configured, using trusted_networks '.
107							'configuration for internal_networks; if you really want '.
108							'internal_networks to only contain the required 127/8 add '.
109							"'internal_networks !0/0' to your configuration");
110							} else {
111							# use 'internal' for 'trusted'; I don't know why we let people define
112							# internal without trusted, but we do... and we rely on trusted being set
113	2					4	$trusted = $internal;
114	2					8	dbg('config: trusted_networks not configured, using internal_networks '.
115							'configuration for trusted_networks');
116							}
117							}
118
119	102					372	my $IP_ADDRESS = IP_ADDRESS;
120	102					351	my $IP_PRIVATE = IP_PRIVATE;
121	102					268	my $LOCALHOST = LOCALHOST;
122
123	102					875	my @hdrs = $msg->get_header('Received');
124
125							# Now add the single line headers like X-Originating-IP. (bug 5680)
126							# we convert them into synthetic "Received" headers so we can share
127							# code below.
128	102					265	for my $header (@{$permsgstatus->{main}->{conf}->{originating_ip_headers}})
	102					616
129							{
130	332					779	my $str = $msg->get_header($header);
131	332	100	66			1405	next unless ($str && $str =~ m/($IP_ADDRESS)/);
132	4					41	push @hdrs, "from X-Originating-IP: $1\n";
133							}
134
135	102					301	foreach my $line ( @hdrs ) {
136
137							# qmail-scanner support hack: we may have had one of these set from the
138							# previous (read: more recent) Received header. if so, add it on to this
139							# header's set, since that's the handover it was describing.
140
141	71					136	my $qms_env_from;
142	71	50				213	if ($self->{qmail_scanner_env_from}) {
143	0					0	$qms_env_from = $self->{qmail_scanner_env_from};
144	0					0	delete $self->{qmail_scanner_env_from};
145							}
146
147	71					200	$line =~ s/\n[ \t]+/ /gs;
148
149	71					273	my $relay = $self->parse_received_line ($line);
150	71	50				220	if (!defined $relay) {
151	0					0	dbg("received-header: unparseable: $line");
152	0					0	$self->{num_relays_unparseable}++;
153							}
154
155							# undefined or 0 means there's no result, so goto the next header
156	71	100				213	unless ($relay) {
157	5	100				25	$self->{last_trusted_relay_index}++ if $in_trusted;
158	5	100				22	$self->{last_internal_relay_index}++ if $in_internal;
159	5					17	next;
160							}
161
162							# hack for qmail-scanner, as described above; add in the saved
163							# metadata
164	66	50				188	if ($qms_env_from) {
165	0					0	$relay->{envfrom} = $qms_env_from;
166	0					0	$self->make_relay_as_string($relay);
167							}
168
169							# relay status only changes when we're still in the trusted portion of the
170							# relays and we haven't yet found an MSA
171	66	100	100			352	if ($in_trusted && !$found_msa) {
172	46	100	100			234	unless ($did_user_specify_trust \|\| $did_user_specify_internal) {
173							# OK, infer the trusted/untrusted handover, we don't have real info
174	9					19	my $inferred_as_trusted = 0;
175
176							# if the 'from' IP addr is in a reserved net range, it's not on
177							# the public internet.
178	9	100				37	if ($relay->{ip_private}) {
179	4					24	dbg("received-header: 'from' ".$relay->{ip}." has private IP");
180	4					6	$inferred_as_trusted = 1;
181							}
182
183							# if we find authentication tokens in the received header we can extend
184							# the trust boundary to that host
185	9	50				33	if ($relay->{auth}) {
186	0					0	dbg("received-header: authentication method ".$relay->{auth});
187	0					0	$inferred_as_trusted = 1;
188							}
189
190							# if the user didn't specify any trusted/internal config, everything
191							# we assume as trusted is also internal, just like we'd do if they
192							# specified trusted but not any internal networks or vice versa
193	9	100				31	if (!$inferred_as_trusted) {
194	5					20	dbg("received-header: do not trust any hosts from here on");
195	5					8	$in_trusted = 0;
196	5					11	$in_internal = 0;
197							}
198
199							} else {
200							# trusted_networks matches?
201	37	100	66			388	if (!$relay->{auth} && !$trusted->contains_ip($relay->{ip})) {
202	7	50				26	if (!$originating) {
203	7					21	$in_trusted = 0; # break the trust chain
204							} else { # caller asserts a msg was submitted from inside or auth'd
205	0					0	$found_msa = 1; # let's assume the previous hop was actually
206							# an MSA, and propagate trust from here on
207							dbg('received-header: originating, '.
208							'%s and remaining relays will be considered trusted%s',
209	0	0				0	$relay->{ip}, !$in_internal ? '' : ', but no longer internal');
210							}
211	7					18	$in_internal = 0; # if it's not trusted it's not internal
212							} else {
213							# internal_networks matches?
214	30	100	33			290	if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) {
			66
215	6					14	$in_internal = 0;
216							}
217							# msa_networks matches?
218	30	100				142	if ($msa->contains_ip($relay->{ip})) {
219	3	50				30	dbg('received-header: found MSA relay, remaining relays will be'.
		100
220							' considered trusted: '.($in_trusted ? 'yes' : 'no').
221							' internal: '.($in_internal ? 'yes' : 'no'));
222	3					8	$found_msa = 1;
223	3					11	$relay->{msa} = 1;
224							}
225							}
226							}
227							}
228
229							dbg("received-header: relay ".$relay->{ip}.
230							" trusted? ".($in_trusted ? "yes" : "no").
231							" internal? ".($in_internal ? "yes" : "no").
232	66	100				644	" msa? ".($relay->{msa} ? "yes" : "no"));
		100
		100
233
234	66					169	$relay->{internal} = $in_internal;
235	66		100			367	$relay->{msa} \|\|= 0;
236
237							# be sure to mark up the as_string version for users too
238	66					667	$relay->{as_string} =~ s/ intl=\d / intl=$relay->{internal} /;
239	66					479	$relay->{as_string} =~ s/ msa=\d / msa=$relay->{msa} /;
240
241	66	100				251	if ($in_trusted) {
242	37					85	push (@{$self->{relays_trusted}}, $relay);
	37					112
243	37					120	$self->{allow_mailfetch_markers} = 1;
244	37					86	$self->{last_trusted_relay_index}++;
245							} else {
246	29					54	push (@{$self->{relays_untrusted}}, $relay);
	29					85
247	29					61	$self->{allow_mailfetch_markers} = 0;
248							}
249
250	66	100				178	if ($in_internal) {
251	30					65	push (@{$self->{relays_internal}}, $relay);
	30					88
252	30					120	$self->{last_internal_relay_index}++;
253							} else {
254	36					62	push (@{$self->{relays_external}}, $relay);
	36					123
255							}
256							}
257
258	36					187	$self->{relays_trusted_str} = join(' ', map { $_->{as_string} }
259	102					234	@{$self->{relays_trusted}});
	102					443
260	29					98	$self->{relays_untrusted_str} = join(' ', map { $_->{as_string} }
261	102					589	@{$self->{relays_untrusted}});
	102					476
262	29					95	$self->{relays_internal_str} = join(' ', map { $_->{as_string} }
263	102					248	@{$self->{relays_internal}});
	102					627
264	36					107	$self->{relays_external_str} = join(' ', map { $_->{as_string} }
265	102					235	@{$self->{relays_external}});
	102					383
266
267							# OK, we've now split the relay list into trusted and untrusted.
268
269							# add the stringified representation to the message object, so Bayes
270							# and rules can use it. Note that rule_tests.t does not impl put_metadata,
271							# so protect against that here. These will not appear in the final
272							# message; they're just used internally.
273
274	102	50				725	if ($self->{msg}->can ("delete_header")) {
275	102					589	$self->{msg}->delete_header ("X-Spam-Relays-Trusted");
276	102					532	$self->{msg}->delete_header ("X-Spam-Relays-Untrusted");
277	102					523	$self->{msg}->delete_header ("X-Spam-Relays-Internal");
278	102					491	$self->{msg}->delete_header ("X-Spam-Relays-External");
279
280	102	50				703	if ($self->{msg}->can ("put_metadata")) {
281							$self->{msg}->put_metadata ("X-Spam-Relays-Trusted",
282	102					579	$self->{relays_trusted_str});
283							$self->{msg}->put_metadata ("X-Spam-Relays-Untrusted",
284	102					455	$self->{relays_untrusted_str});
285							$self->{msg}->put_metadata ("X-Spam-Relays-Internal",
286	102					424	$self->{relays_internal_str});
287							$self->{msg}->put_metadata ("X-Spam-Relays-External",
288	102					396	$self->{relays_external_str});
289							}
290							}
291
292							# be helpful; save some cumbersome typing
293	102					321	$self->{num_relays_trusted} = scalar (@{$self->{relays_trusted}});
	102					308
294	102					204	$self->{num_relays_untrusted} = scalar (@{$self->{relays_untrusted}});
	102					231
295	102					220	$self->{num_relays_internal} = scalar (@{$self->{relays_internal}});
	102					265
296	102					184	$self->{num_relays_external} = scalar (@{$self->{relays_external}});
	102					252
297
298	102					586	dbg("metadata: X-Spam-Relays-Trusted: ".$self->{relays_trusted_str});
299	102					627	dbg("metadata: X-Spam-Relays-Untrusted: ".$self->{relays_untrusted_str});
300	102					531	dbg("metadata: X-Spam-Relays-Internal: ".$self->{relays_internal_str});
301	102					517	dbg("metadata: X-Spam-Relays-External: ".$self->{relays_external_str});
302							}
303
304							# ---------------------------------------------------------------------------
305
306							# returns undef if the header just couldn't be parsed
307							# returns 0 if the header was specifically skipped
308							# returns a hash of information if the header is parsed, including:
309							# ip => $ip,
310							# by => $by,
311							# helo => $helo,
312							# id => $id,
313							# ident => $ident,
314							# envfrom => $envfrom,
315							# lc_by => (lc $by),
316							# lc_helo => (lc $helo),
317							# auth => $auth
318							#
319							sub parse_received_line {
320	216			216	0	49895	my ($self) = shift;
321	216					497	local ($_) = shift;
322	216					1202	local ($1,$2,$3,$4,$5,$6);
323
324	216					2705	s/\s+/ /g;
325	216					529	s/^ //;
326	216					559	s/ $//;
327
328							# get rid of invalid semicolon at the end of the header
329	216					666	1 while s/\s?;$//;
330
331	216					393	my $ip = '';
332	216					323	my $helo = '';
333	216					290	my $rdns = '';
334	216					333	my $by = '';
335	216					319	my $id = '';
336	216					273	my $ident = '';
337	216					343	my $envfrom = '';
338	216					334	my $mta_looked_up_dns = 0;
339	216					278	my $IP_ADDRESS = IP_ADDRESS;
340	216					309	my $IP_PRIVATE = IP_PRIVATE;
341	216					326	my $LOCALHOST = LOCALHOST;
342	216					316	my $auth = '';
343
344							# ---------------------------------------------------------------------------
345
346							# We care about lines starting with from. all of the others are ignorable:
347							# Bug 4943: give /^(from/ a chance to be parsed
348							#
349							# (qmail 27981 invoked by uid 225); 14 Mar 2003 07:24:34 -0000
350							# (qmail 84907 invoked from network); 13 Feb 2003 20:59:28 -0000
351							# (ofmipd 208.31.42.38); 17 Mar 2003 04:09:01 -0000
352							# by faerber.muc.de (OpenXP/32 v3.9.4 (Win32) alpha @ 2003-03-07-1751d); 07 Mar 2003 22:10:29 +0000
353							# by x.x.org (bulk_mailer v1.13); Wed, 26 Mar 2003 20:44:41 -0600
354							# by SPIDERMAN with Internet Mail Service (5.5.2653.19) id <19AF8VY2>; Tue, 25 Mar 2003 11:58:27 -0500
355							# by oak.ein.cz (Postfix, from userid 1002) id DABBD1BED3; Thu, 13 Feb 2003 14:02:21 +0100 (CET)
356							# OTM-MIX(otm-mix00) id k5N1aDtp040896; Fri, 23 Jun 2006 10:36:14 +0900 (JST)
357							# at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2) from infodrom.org by finlandia.Infodrom.North.DE via smail from stdin id <m1FglM8-000okjC@finlandia.Infodrom.North.DE> for debian-security-announce@lists.debian.org; Thu, 18 May 2006 18:28:08 +0200 (CEST)
358							# with ECARTIS (v1.0.0; list bind-announce); Fri, 18 Aug 2006 07:19:58 +0000 (UTC)
359							# Received: Message by Barricade wilhelm.eyp.ee with ESMTP id h1I7hGU06122 for <spamassassin-talk@lists.sourceforge.net>; Tue, 18 Feb 2003 09:43:16 +0200
360	216	100				872	return 0 if (!/^\(?from /i);
361
362							# from www-data by wwwmail.documenta.de (Exim 4.50) with local for <example@vandinter.org> id 1GFbZc-0006QV-L8; Tue, 22 Aug 2006 21:06:04 +0200
363							# from server.yourhostingaccount.com with local for example@vandinter.org id 1GDtdl-0002GU-QE (8710); Thu, 17 Aug 2006 21:59:17 -0400
364	214	50				596	return 0 if /\bwith local for\b/;
365
366							# Received: from virtual-access.org by bolero.conactive.com ; Thu, 20 Feb 2003 23:32:58 +0100
367							# Received: FROM ca-ex-bridge1.nai.com BY scwsout1.nai.com ; Fri Feb 07 10:18:12 2003 -0800
368							# but not: Received: from [86.122.158.69] by mta2.iomartmail.com; Thu, 2 Aug 2007 21:50:04 -0200
369	214	100	100			968	if (/^from (\S+) by [^\s;]+ ?;/i && $1 !~ /^\[[\d.]+\]$/) { return 0; }
	1					6
370
371							# ---------------------------------------------------------------------------
372
373							# Let's get rid of the date at the end
374							# ; Tue, 23 May 2006 13:06:35 -0400
375	213					2575	s/[\s;]+(?:(?:Mon\|T(?:ue\|hu)\|Wed\|Fri\|S(?:at\|un)), )?\d+ (?:J(?:an\|u[nl])\|Feb\|Ma[ry]\|A(?:pr\|ug)\|Sep\|Oct\|Nov\|Dec) \d+ \d+:\d+(?::\d+)? \S+$//;
376
377							# from av0001.technodiva.com (localhost [127.0.0.1])by localhost.technodiva.com (Postfix) with ESMTP id 846CF2117for <proftp-user@lists.sourceforge.net>; Mon, 7 Aug 2006 17:48:07 +0200 (MEST)
378	213					544	s/\)by /) by /;
379
380							# ---------------------------------------------------------------------------
381
382							# OK -- given knowledge of most Received header formats,
383							# break them down. We have to do something like this, because
384							# some MTAs will swap position of rdns and helo -- so we can't
385							# simply use simplistic regexps.
386
387							# try to catch unique message identifier
388	213	100				787	if (/ id <?([^\s<>;]{3,})/) {
389	112					300	$id = $1;
390							}
391
392	213	100				1229	if (/\bhelo=([-A-Za-z0-9\.\^+_&:=?!@%\$\\\/]+)(?:[^-A-Za-z0-9\.\^+_&:=?!@%\$\\\/]\|$)/) {
		100
393	9					22	$helo = $1;
394							}
395							elsif (/\b(?:HELO\|EHLO) ([-A-Za-z0-9\.\^+_&:=?!@%\$\\\/]+)(?:[^-A-Za-z0-9\.\^+_&:=?!@%\$\\\/]\|$)/) {
396	17					41	$helo = $1;
397							}
398	213	100				778	if (/ by (\S+)(?:[^-A-Za-z0-9\;\.]\|$)/) { $by = $1; }
	207					502
399
400							# ---------------------------------------------------------------------------
401
402							# try to catch authenticated message identifier
403							#
404							# with ESMTPA, ESMTPSA, LMTPA, LMTPSA should cover RFC 3848 compliant MTAs,
405							# UTF8SMTPA and UTF8LMTPA are covered by RFC 4954 and RFC 6531,
406							# with ASMTP (Authenticated SMTP) is used by Earthlink, Exim 4.34, and others
407							# with HTTP should only be authenticated webmail sessions
408							# with HTTPU is used by Communigate Pro with Pronto! webmail interface
409							# with HTTPS is used by Horde adjusts the Received header to say "HTTPS" when
410							# a connection is made over HTTPS
411							# IANA registry: http://www.iana.org/assignments/mail-parameters/mail-parameters.xhtml
412	213	100	100			6693	if (/ by / && / with ((?:ES\|L\|UTF8S\|UTF8L)MTPS?A\|ASMTP\|HTTP[SU]?)(?: \|;\|$)/i) {
		50	33
		100	100
		100	66
		100	66
		100	100
		100
		50
		50
		100
413	14					32	$auth = $1;
414							}
415							# GMail should use ESMTPSA to indicate that it is in fact authenticated,
416							# but doesn't.
417							elsif (/ by mx\.google\.com with ESMTPS id [a-z0-9]{1,4}sm[0-9]{2,9}[a-z]{3}\.[0-9]{1,3}\.[0-9]{4}\.(?:[0-6][0-9]\.){4}[0-6][0-9]/ && /$version=([^ ]+) cipher=([^$]+)\)/ ) {
418	0					0	$auth = 'GMail - transport=' . $1 . ' cipher=' . $2;
419							}
420							# Courier v0.47 and possibly others
421							elsif (/^from .?(?:\]\)\|\)\]) $AUTH: (LOGIN\|PLAIN\|DIGEST-MD5\|CRAM-MD5) \S+(?:, .?)?$ by /) {
422	4					10	$auth = $1;
423							}
424							# Sendmail, MDaemon, some webmail servers, and others
425							elsif (/authenticated/ && /^from .?(?:\](?: $[^)]$)?\)\|\)\]) .?$.?authenticated.?$.? by/) {
426	6					15	$auth = 'Sendmail';
427							}
428							# workaround for GMX, which authenticates users but does not indicate it properly - # SMTP version
429							elsif (/from \S* $(?:HELO\|EHLO) (\S*)$ \[(${IP_ADDRESS})\] by (mail\.gmx\.(?:net\|com)) $[^$]+\) with ((?:ESMTP\|SMTP))/) {
430	1					7	$auth = "GMX ($4 / $3)";
431							}
432							# Critical Path Messaging Server
433							elsif (/ $authenticated as /&&/$ by .+ $\d{1,2}\.\d\.\d{3}(?:\.\d{1,3})?$ $authenticated as .+$ id /) {
434	3					10	$auth = 'CriticalPath';
435							}
436							# Postfix 2.3 and later with "smtpd_sasl_authenticated_header yes"
437							elsif (/\) $Authenticated sender: \S+$ by \S+ $Postfix$ with /) {
438	1					4	$auth = 'Postfix';
439							}
440							# Communigate Pro - Bug 6495 adds HTTP as possible transmission method
441							# Bug 7277: XIMSS used by Pronto and other custom apps, IMAP supports XMIT extension
442							elsif (/CommuniGate Pro (HTTP\|SMTP\|XIMSS\|IMAP)/ && / \(account /) {
443	0					0	$auth = 'Communigate';
444							}
445							# Microsoft Exchange (complete with syntax error)
446							elsif (/ with Microsoft Exchange Server HTTP-DAV\b/) {
447	0					0	$auth = 'HTTP-DAV';
448							}
449							# froufrou mailers like United Internet use a '(via HTTP)' comment, Bug 7101
450							elsif (/ by / && / $via (HTTP.?)$(?: \|;\|$)/i) {
451	1					4	$auth = $1;
452							}
453
454							# ---------------------------------------------------------------------------
455
456	213	100				1040	if (s/^from //) {
		100
		50
457							# try to catch enveloper senders
458	206	100				1857	if (/(?:return-path:? \|envelope-(?:sender\|from)[ =])(\S+)\b/i) {
459	6					18	$envfrom = $1;
460							}
461
462							# from 142.169.110.122 (SquirrelMail authenticated user synapse) by
463							# mail.nomis80.org with HTTP; Sat, 3 Apr 2004 10:33:43 -0500 (EST)
464							# Expanded to NaSMail Bug 6783
465	206	100				589	if (/ \((?:SquirrelMail\|NaSMail) authenticated user /) {
466							#REVERTING bug 3236 and implementing re: bug 6549
467	3	50				362	if (/(${IP_ADDRESS})\b(?![.-]).{10,80}by (\S+) with HTTP/) {
468	3					11	$ip = $1; $by = $2; goto enough;
	3					7
	3					193
469							}
470							}
471
472							# AOL WebMail headers
473	203	50	66			1505	if (/aol\.com/ && /with HTTP $WebMailUI$/) {
474							# Received: from 82.135.198.129 by FWM-M18.sysops.aol.com (64.12.168.82) with HTTP (WebMailUI); Tue, 19 Jun 2007 11:16:54 -0400
475	0	0				0	if(/(${IP_ADDRESS}) by (\S+) $${IP_ADDRESS}$ with HTTP $WebMailUI$/) {
476	0					0	$ip = $1; $by = $2; goto enough;
	0					0
	0					0
477							}
478							}
479
480							# catch MS-ish headers here
481	203	100				1765	if (/ SMTPSVC/) {
		100
		100
		100
		100
		100
		50
482							# MS servers using this fmt do not lookup the rDNS.
483							# Received: from inet-vrs-05.redmond.corp.microsoft.com ([157.54.6.157])
484							# by INET-IMC-05.redmond.corp.microsoft.com with Microsoft
485							# SMTPSVC(5.0.2195.6624); Thu, 6 Mar 2003 12:02:35 -0800
486							# Received: from 0 ([61.31.135.91]) by bass.bass.com.eg with Microsoft
487							# SMTPSVC(5.0.2195.6713); Tue, 21 Sep 2004 08:59:06 +0300
488							# Received: from 0 ([61.31.138.57] RDNS failed) by nccdi.com with
489							# Microsoft SMTPSVC(6.0.3790.0); Thu, 23 Sep 2004 08:51:06 -0700
490							# Received: from tthompson ([217.35.105.172] unverified) by
491							# mail.neosinteractive.com with Microsoft SMTPSVC(5.0.2195.5329);
492							# Tue, 11 Mar 2003 13:23:01 +0000
493							# Received: from ([172.16.1.78]) by email2.codeworksonline.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Sep 2006 21:14:29 -0400
494	7	100				577	if (/^(\S*) $\[(${IP_ADDRESS})\][^$]{0,40}\) by (\S+) with Microsoft SMTPSVC/) {
495	5					19	$helo = $1; $ip = $2; $by = $3; goto enough;
	5					11
	5					8
	5					306
496							}
497
498							# Received: from mail pickup service by mail1.insuranceiq.com with
499							# Microsoft SMTPSVC; Thu, 13 Feb 2003 19:05:39 -0500
500	2	100				13	if (/^mail pickup service by (\S+) with Microsoft SMTPSVC$/) {
501	1					8	return 0;
502							}
503							}
504
505							elsif (/\[XMail /) { # bug 3791, bug 4053
506							# Received: from list.brainbuzz.com (63.146.189.86:23198) by mx1.yourtech.net with [XMail 1.20 ESMTP Server] id <S72E> for <jason@ellingson.org.spamassassin.org> from <bounce-cscommunity-11965901@list.cramsession.com.spamassassin.org>; Sat, 18 Sep 2004 23:17:54 -0500
507							# Received: from list.brainbuzz.com (63.146.189.86:23198) by mx1.yourtech.net (209.32.147.34:25) with [XMail 1.20 ESMTP Server] id <S72E> for <jason@ellingson.org.spamassassin.org> from <bounce-cscommunity-11965901@list.cramsession.com.spamassassin.org>; Sat, 18 Sep 2004 23:17:54 -0500
508	2	50				261	if (/^(\S+) $(\[?${IP_ADDRESS}\]?)(?::\d+)$ by (\S+)(?: $\S+$)? with \[XMail/)
509							{
510	2					6	$helo = $1; $ip = $2; $by = $3;
	2					5
	2					3
511	2	50				12	/ id <(\S+)>/ and $id = $1;
512	2	50				11	/ from <(\S+)>/ and $envfrom = $1;
513	2					144	goto enough;
514							}
515							}
516
517							# from ([10.225.209.19:33672]) by ecelerity-va-1 (ecelerity HEAD) with SMTP id EE/20-30863-33CE1054; Fri, 08 Sep 2006 18:18:27 -0400
518							# from ([127.0.0.1:32923]) by bm1-21.ed10.com (ecelerity 2.1.1ea r(11031M)) with ECSTREAM id 8B/57-16227-3764EB44 for <example@vandinter.org>; Wed, 19 Jul 2006 10:49:23 -0400
519							# from ([192.168.1.151:49601] helo=dev1.democracyinaction.org) by m12.prod.democracyinaction.com (ecelerity 2.1.1.3 r(11743)) with ESMTP id 52/92-02454-89FBA054 for <example@vandinter.org>; Fri, 15 Sep 2006 10:58:32 -0400
520							elsif (/\(ecelerity\b/) {
521	3	100				250	if (/^$\[(${IP_ADDRESS}):\d+\] helo=(\S+)$ by (\S+) /) {
522	2					7	$ip = $1; $helo = $2; $by = $3;
	2					6
	2					3
523	2					128	goto enough;
524							}
525
526	1	50				247	if (/^\S+ $\[(${IP_ADDRESS}):\d+\]$ by (\S+) /) {
527	1					5	$ip = $1; $by = $2;
	1					3
528	1					65	goto enough;
529							}
530							}
531
532							elsif (/Exim/) {
533							# one of the HUGE number of Exim formats :(
534							# This must be scriptable. (update: it is. cf bug 3950, 3582)
535							# mss 2004-09-27: See <http://www.exim.org/exim-html-4.40/doc/html/spec_14.html#IX1315>
536
537							# from root (helo=candygram.thunk.org) by thunker.thunk.org with local-esmtps (tls_cipher TLS-1.0:RSA_AES_256_CBC_SHA:32) (Exim 4.50 #1 (Debian)) id 1FwHqR-0008Bw-OG; Fri, 30 Jun 2006 08:11:35 -0400
538							# from root (helo=localhost) by broadcast.iac.iafrica.com with local-bsmtp (Exim 4.30; FreeBSD) id 1GN22d-0000xp-2K for example@vandinter.org; Tue, 12 Sep 2006 08:46:43 +0200
539							# from smarter (helo=localhost) by mx1-out.lists.smarterliving.com with local-bsmtp (Exim 4.24) id 1GIRA2-0007IZ-4n for example@vandinter.org; Wed, 30 Aug 2006 10:35:22 -0400
540							# Received: from andrew by trinity.supernews.net with local (Exim 4.12) id 18xeL6-000Dn1-00; Tue, 25 Mar 2003 02:39:00 +0000
541	11	50				33	if (/\bwith local(?:-\S+)? /) { return 0; }
	0					0
542
543							# Received: from [61.174.163.26] (helo=host) by sc8-sf-list1.sourceforge.net with smtp (Exim 3.31-VA-mm2 #1 (Debian)) id 18t2z0-0001NX-00 for <razor-users@lists.sourceforge.net>; Wed, 12 Mar 2003 01:57:10 -0800
544							# Received: from [218.19.142.229] (helo=hotmail.com ident=yiuhyotp) by yzordderrex with smtp (Exim 3.35 #1 (Debian)) id 194BE5-0005Zh-00; Sat, 12 Apr 2003 03:58:53 +0100
545	11	100				314	if (/^\[(${IP_ADDRESS})\] $(.*?)$ by (\S+) /) {
546	1					4	$ip = $1; my $sub = $2; $by = $3;
	1					3
	1					2
547	1	50				4	$sub =~ s/helo=(\S+)// and $helo = $1;
548	1	50				4	$sub =~ s/ident=(\S*)// and $ident = $1;
549	1					68	goto enough;
550							}
551
552							# Received: from sc8-sf-list1-b.sourceforge.net ([10.3.1.13] helo=sc8-sf-list1.sourceforge.net) by sc8-sf-list2.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian)) id 18t301-0007Bh-00; Wed, 12 Mar 2003 01:58:13 -0800
553							# Received: from dsl092-072-213.bos1.dsl.speakeasy.net ([66.92.72.213] helo=blazing.arsecandle.org) by sc8-sf-list1.sourceforge.net with esmtp (Cipher TLSv1:DES-CBC3-SHA:168) (Exim 3.31-VA-mm2 #1 (Debian)) id 18lyuU-0007TI-00 for <SpamAssassin-talk@lists.sourceforge.net>; Thu, 20 Feb 2003 14:11:18 -0800
554							# Received: from eclectic.kluge.net ([66.92.69.221] ident=[W9VcNxE2vKxgWHD05PJbLzIHSxcmZQ/O]) by sc8-sf-list1.sourceforge.net with esmtp (Cipher TLSv1:DES-CBC3-SHA:168) (Exim 3.31-VA-mm2 #1 (Debian)) id 18m0hT-00031I-00 for <spamassassin-talk@lists.sourceforge.net>; Thu, 20 Feb 2003 16:06:00 -0800
555							# Received: from mail.ssccbelen.edu.pe ([216.244.149.154]) by yzordderrex
556							# with esmtp (Exim 3.35 #1 (Debian)) id 18tqiz-000702-00 for
557							# <jm@example.com>; Fri, 14 Mar 2003 15:03:57 +0000
558							# Received: from server040.webpack.hosteurope.de ([80.237.130.48]:52313)
559							# by vps832469583.serverpool.info with esmtps
560							# (TLS-1.0:DHE_RSA_3DES_EDE_CBC_SHA:24) (Exim 4.50) id 1GzVLs-0002Oz-7b...
561	10	100				313	if (/^(\S+) $\[(${IP_ADDRESS})\](.*?)$ by (\S+) /) {
562	7					19	$rdns=$1; $ip = $2; my $sub = $3; $by = $4;
	7					12
	7					13
	7					13
563	7					11	$helo=$rdns; # default, apparently: bug 5112
564	7	100				30	$sub =~ s/helo=(\S+)// and $helo = $1;
565	7	50				17	$sub =~ s/ident=(\S*)// and $ident = $1;
566	7					445	goto enough;
567							}
568
569							# Received: from boggle.ihug.co.nz [203.109.252.209] by grunt6.ihug.co.nz
570							# with esmtp (Exim 3.35 #1 (Debian)) id 18SWRe-0006X6-00; Sun, 29 Dec
571							# 2002 18:57:06 +1300
572	3	50				232	if (/^(\S+) \[(${IP_ADDRESS})\](:\d+)? by (\S+) /) {
573	0					0	$rdns= $1; $ip = $2; $helo = $1; $by = $4; goto enough;
	0					0
	0					0
	0					0
	0					0
574							}
575
576							# attempt to deal with other odd Exim formats; just match little bits
577							# of the header.
578							# Received: from helene8.i.pinwand.net (helene.cats.ms) [10.0.8.6.13219]
579							# (mail) by lisbeth.i.pinwand.net with esmtp (Exim 3.35 #1 (Debian)) id
580							# 1CO5y7-0001vC-00; Sun, 31 Oct 2004 04:01:23 +0100
581	3	50				15	if (/^(\S+) /) {
582	3					10	$rdns= $1; # assume this is the rDNS, not HELO. is this appropriate?
583							}
584	3	100				13	if (/ $(\S+)$ /) {
585	2					4	$helo = $1;
586							}
587	3	100				225	if (/ \[(${IP_ADDRESS})(?:\.\d+)?\] /) {
588	1					3	$ip = $1;
589							}
590	3	50				21	if (/by (\S+) /) {
591	3					8	$by = $1;
592							# now, if we have a "by" and an IP, that's enough for most uses;
593							# we have to make do with that.
594	3	100				8	if ($ip) { goto enough; }
	1					64
595							}
596
597							# else it's probably forged. fall through
598							}
599
600							elsif (/ $Postfix$ with/) {
601							# Received: from localhost (unknown [127.0.0.1])
602							# by cabbage.jmason.org (Postfix) with ESMTP id A96E18BD97
603							# for <jm@localhost>; Thu, 13 Mar 2003 15:23:15 -0500 (EST)
604	20	100				1222	if ( /^(\S+) $(\S+) \[(${IP_ADDRESS})\]$ by (\S+) / ) {
605	17					43	$mta_looked_up_dns = 1;
606	17					51	$helo = $1; $rdns = $2; $ip = $3; $by = $4;
	17					37
	17					42
	17					68
607	17	100				73	if ($rdns eq 'unknown') { $rdns = ''; }
	4					7
608	17					1944	goto enough;
609							}
610
611							# Received: from 207.8.214.3 (unknown[211.94.164.65])
612							# by puzzle.pobox.com (Postfix) with SMTP id 9029AFB732;
613							# Sat, 8 Nov 2003 17:57:46 -0500 (EST)
614							# (Pobox.com version: reported in bug 2745)
615	3	50				279	if ( /^(\S+) $(\S+)\[(${IP_ADDRESS})\]$ by (\S+) / ) {
616	0					0	$mta_looked_up_dns = 1;
617	0					0	$helo = $1; $rdns = $2; $ip = $3; $by = $4;
	0					0
	0					0
	0					0
618	0	0				0	if ($rdns eq 'unknown') { $rdns = ''; }
	0					0
619	0					0	goto enough;
620							}
621							}
622
623							elsif (/\(Scalix SMTP Relay/) {
624							# from DPLAPTOP ( 72.242.176.162) by mail.puryear-it.com (Scalix SMTP Relay 10.0.1.3) via ESMTP; Fri, 23 Jun 2006 16:39:47 -0500 (CDT)
625	1	50				242	if (/^(\S+) $ ?(${IP_ADDRESS})$ by (\S+)/) {
626	1					4	$helo = $1; $ip = $2; $by = $3; goto enough;
	1					3
	1					2
	1					71
627							}
628							}
629
630							elsif (/ \(Lotus Domino /) {
631							# it seems Domino never records the rDNS: bug 5926
632	0	0				0	if (/^(\S+) $\[(${IP_ADDRESS})\]$ by (\S+) \(Lotus/) {
633	0					0	$mta_looked_up_dns = 0;
634	0					0	$helo = $1; $ip = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
635							}
636							}
637
638							# Received: from 217.137.58.28 ([217.137.58.28])
639							# by webmail.ukonline.net (IMP) with HTTP
640							# for <anarchyintheuk@localhost>; Sun, 11 Apr 2004 00:31:07 +0100
641	165	50	66			1029	if (/\bwith HTTP\b/ && # more efficient split up this way
642							/^(${IP_ADDRESS}) $\[${IP_ADDRESS}\]$ by (\S+)/)
643							{
644							# some smarty-pants decided to fake a numeric HELO for HTTP
645							# no rDNS for this format?
646	0					0	$ip = $1; $by = $2; goto enough;
	0					0
	0					0
647							}
648
649							# MiB: 2003/11/29 Some qmail-ldap headers may be misinterpreted as sendmail-headers
650							# resulting in a messed-up interpretation. We have to skip sendmail tests
651							# if we find evidence that this is a qmail-ldap header.
652							#
653	165	100				433	unless (/ by \S+ $qmail-\S+$ with /) {
654							#
655							# sendmail:
656							# Received: from mail1.insuranceiq.com (host66.insuranceiq.com [65.217.159.66] (may be forged)) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id h2F0c2x31856 for <jm@jmason.org>; Sat, 15 Mar 2003 00:38:03 GMT
657							# Received: from BAY0-HMR08.adinternal.hotmail.com (bay0-hmr08.bay0.hotmail.com [65.54.241.207]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id h2DBpvs24047 for <webmaster@efi.ie>; Thu, 13 Mar 2003 11:51:57 GMT
658							# Received: from ran-out.mx.develooper.com (IDENT:qmailr@one.develooper.com [64.81.84.115]) by dogma.slashnull.org (8.11.6/8.11.6) with SMTP id h381Vvf19860 for <jm-cpan@jmason.org>; Tue, 8 Apr 2003 02:31:57 +0100
659							# from rev.net (natpool62.rev.net [63.148.93.62] (may be forged)) (authenticated) by mail.rev.net (8.11.4/8.11.4) with ESMTP id h0KKa7d32306 for <spamassassin-talk@lists.sourceforge.net>
660							#
661	164	100				2815	if (/^(\S+) $(\S+) \[(${IP_ADDRESS})\].*$ by (\S+) \(/) {
662	27					59	$mta_looked_up_dns = 1;
663	27					72	$helo = $1; $rdns = $2; $ip = $3; $by = $4;
	27					53
	27					46
	27					48
664	27	50				73	$rdns =~ s/^IDENT:([^\@]*)\@// and $ident = $1; # remove IDENT lookups
665	27	50				72	$rdns =~ s/^([^\@]*)\@// and $ident = $1; # remove IDENT lookups
666	27					1808	goto enough;
667							}
668							}
669
670							# ---------------------------------------------------------------------------
671
672							## OK, AT THIS POINT FORMATS GET A BIT NON-STANDARD
673
674							# Received: from ns.elcanto.co.kr (66.161.246.58 [66.161.246.58]) by
675							# mail.ssccbelen.edu.pe with SMTP (Microsoft Exchange Internet Mail Service
676							# Version 5.5.1960.3) id G69TW478; Thu, 13 Mar 2003 14:01:10 -0500
677	138	100				2082	if (/^(\S+) $(\S+) \[(${IP_ADDRESS})\]$ by (\S+) with \S+ \(/) {
678	2					7	$mta_looked_up_dns = 1;
679	2					6	$rdns = $2; $ip = $3; $helo = $1; $by = $4; goto enough;
	2					4
	2					10
	2					4
	2					121
680							}
681
682							# from mail2.detr.gsi.gov.uk ([51.64.35.18] helo=ahvfw.dtlr.gsi.gov.uk) by mail4.gsi.gov.uk with smtp id 190K1R-0000me-00 for spamassassin-talk-admin@lists.sourceforge.net; Tue, 01 Apr 2003 12:33:46 +0100
683	136	50				1489	if (/^(\S+) $\[(${IP_ADDRESS})\] helo=(\S+)$ by (\S+) with /) {
684	0					0	$rdns = $1; $ip = $2; $helo = $3; $by = $4;
	0					0
	0					0
	0					0
685	0					0	goto enough;
686							}
687
688							# from 12-211-5-69.client.attbi.com (<unknown.domain>[12.211.5.69]) by rwcrmhc53.attbi.com (rwcrmhc53) with SMTP id <2002112823351305300akl1ue>; Thu, 28 Nov 2002 23:35:13 +0000
689	136	50				1543	if (/^(\S+) $<unknown\S*>\[(${IP_ADDRESS})\]$ by (\S+) /) {
690	0					0	$helo = $1; $ip = $2; $by = $3;
	0					0
	0					0
691	0					0	goto enough;
692							}
693
694							# from attbi.com (h000502e08144.ne.client2.attbi.com[24.128.27.103]) by rwcrmhc53.attbi.com (rwcrmhc53) with SMTP id <20030222193438053008f7tee>; Sat, 22 Feb 2003 19:34:39 +0000
695	136	50				1589	if (/^(\S+) $(\S+\.\S+)\[(${IP_ADDRESS})\]$ by (\S+) /) {
696	0					0	$mta_looked_up_dns = 1;
697	0					0	$helo = $1; $rdns = $2; $ip = $3; $by = $4;
	0					0
	0					0
	0					0
698	0					0	goto enough;
699							}
700
701
702							# Received: from 4wtgRl (kgbxn@[211.244.147.115]) by dogma.slashnull.org (8.11.6/8.11.6) with SMTP id h8BBsUJ18848; Thu, 11 Sep 2003 12:54:31 +0100
703	136	50				1675	if (/^(\S+) $(\S)\@\[(${IP_ADDRESS})\].$ by (\S+) \(/) {
704	0					0	$mta_looked_up_dns = 1; # this one does. there just wasn't one
705	0					0	$helo = $1; $ip = $3; $by = $4;
	0					0
	0					0
706	0					0	$ident = $2;
707	0					0	goto enough;
708							}
709
710							# Received: from 213.123.174.21 by lw11fd.law11.hotmail.msn.com with HTTP;
711							# Wed, 24 Jul 2002 16:36:44 GMT
712	136	100				423	if (/by (\S+\.hotmail\.msn\.com) /) {
713	1					5	$by = $1;
714	1	50				5	/^(\S+) / and $ip = $1;
715	1					76	goto enough;
716							}
717
718							# Received: from x71-x56-x24-5.webspeed.dk (HELO niels) (69.96.3.15) by la.mx.develooper.com (qpsmtpd/0.27-dev) with SMTP; Fri, 02 Jan 2004 19:26:52 -0800
719							# Received: from sc8-sf-sshgate.sourceforge.net (HELO sc8-sf-netmisc.sourceforge.net) (66.35.250.220) by la.mx.develooper.com (qpsmtpd/0.27-dev) with ESMTP; Fri, 02 Jan 2004 14:44:41 -0800
720							# Received: from mx10.topofferz.net (HELO ) (69.6.60.10) by blazing.arsecandle.org with SMTP; 3 Mar 2004 20:34:38 -0000
721	135	50				1526	if (/^(\S+) $(?:HELO\|EHLO) (\S*)$ $(${IP_ADDRESS})$ by (\S+) $qpsmtpd\/\S+$ with (?:ESMTP\|SMTP)/) {
722	0					0	$rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough;
	0					0
	0					0
	0					0
	0					0
723							}
724
725							# Received: from mail-backend.DDDD.com (LHLO mail-backend.DDDD.com) (10.2.2.20) by mail-backend.DDDD.com with LMTP; Thu, 18 Jun 2015 16:50:56 -0700 (PDT)
726	135	100				1528	if (/^(\S+) $LHLO (\S*)$ $(${IP_ADDRESS})$ by (\S+) with LMTP/) {
727	1					4	$rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough;
	1					3
	1					2
	1					3
	1					65
728							}
729
730							# from dslb-082-083-045-064.pools.arcor-ip.net (EHLO homepc) [82.83.45.64] by mail.gmx.net (mp010) with SMTP; 03 Feb 2007 13:13:47 +0100
731	134	100				1563	if (/^(\S+) $(?:HELO\|EHLO) (\S*)$ \[(${IP_ADDRESS})\] by (\S+) $[^$]+\) with (?:ESMTP\|SMTP)/) {
732	1					6	$rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough;
	1					2
	1					3
	1					2
	1					67
733							}
734
735							# MiB (Michel Bouissou, 2003/11/16)
736							# Moved some tests up because they might match on qmail tests, where this
737							# is not qmail
738							#
739							# Received: from imo-m01.mx.aol.com ([64.12.136.4]) by eagle.glenraven.com
740							# via smtpd (for [198.85.87.98]) with SMTP; Wed, 08 Oct 2003 16:25:37 -0400
741	133	50				1507	if (/^(\S+) $\[(${IP_ADDRESS})\]$ by (\S+) via smtpd $for \S+$ with SMTP\(/) {
742	0					0	$helo = $1; $ip = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
743							}
744
745							# Try to match most of various qmail possibilities
746							#
747							# General format:
748							# Received: from postfix3-2.free.fr (HELO machine.domain.com) (foobar@213.228.0.169) by totor.bouissou.net with SMTP; 14 Nov 2003 08:05:50 -0000
749							#
750							# "from (remote.rDNS\|unknown)" is always there
751							# "(HELO machine.domain.com)" is there only if HELO differs from remote rDNS.
752							# HELO may be "" -- ie no string. "HELO" may also be "EHLO". HELO string
753							# may be an IP in fmt [1.2.3.4] -- do not strip [ and ], they are important.
754							# "foobar@" is remote IDENT info, specified only if ident given by remote
755							# Remote IP always appears between (parentheses), with or without IDENT@
756							# "by local.system.domain.com" always appears
757							#
758							# Protocol can be different from "SMTP", i.e. "RC4-SHA encrypted SMTP" or "QMQP"
759							# qmail's reported protocol shouldn't be "ESMTP", so by allowing only "with (.* )(SMTP\|QMQP)"
760							# we should avoid matching on some sendmailish Received: lines that reports remote IP
761							# between ([218.0.185.24]) like qmail-ldap does, but use "with ESMTP".
762							#
763							# Normally, qmail-smtpd remote IP isn't between square brackets [], but some versions of
764							# qmail-ldap seem to add square brackets around remote IP. These versions of qmail-ldap
765							# use a longer format that also states the (envelope-sender <sender@domain>) and the
766							# qmail-ldap version. Example:
767							# Received: from unknown (HELO terpsichore.farfalle.com) (jdavid@[216.254.40.70]) (envelope-sender <jdavid@farfalle.com>) by mail13.speakeasy.net (qmail-ldap-1.03) with SMTP for <jm@jmason.org>; 12 Feb 2003 18:23:19 -0000
768							#
769							# Some others of the numerous qmail patches out there can also add variants of their own
770							#
771							# Received: from 211.245.85.228 (EHLO ) (211.245.85.228) by mta232.mail.scd.yahoo.com with SMTP; Sun, 25 Jan 2004 00:24:37 -0800
772							#
773							# bug 4813: make sure that the line doesn't have " id " after the
774							# protocol since that's a sendmail line and not qmail ...
775	133	100				2508	if (/^\S+( $(?:HELO\|EHLO) \S$)? $(\S+\@)?\[?${IP_ADDRESS}\]?$( $envelope-sender <\S+>$)? by \S+( $.+$) with (.* )?(SMTP\|QMQP)(?! id )/ ) {
776	54	100				4031	if (/^(\S+) $(?:HELO\|EHLO) ([^ \($])\) $(\S)\@\[?(${IP_ADDRESS})\]?$( $envelope-sender <\S+>$)? by (\S+)/) {
		100
		100
		50
777	4					12	$rdns = $1; $helo = $2; $ident = $3; $ip = $4; $by = $6;
	4					9
	4					9
	4					8
	4					6
778							}
779							elsif (/^(\S+) $(?:HELO\|EHLO) ([^ \($]*)\) $\[?(${IP_ADDRESS})\]?$( $envelope-sender <\S+>$)? by (\S+)/) {
780	7					24	$rdns = $1; $helo = $2; $ip = $3; $by = $5;
	7					16
	7					12
	7					14
781							}
782							elsif (/^(\S+) $(\S*)\@\[?(${IP_ADDRESS})\]?$( $envelope-sender <\S+>$)? by (\S+)/) {
783							# note: absence of HELO means that it matched rDNS in qmail-land
784	4					15	$helo = $rdns = $1; $ident = $2; $ip = $3; $by = $5;
	4					7
	4					10
	4					10
785							}
786							elsif (/^(\S+) $\[?(${IP_ADDRESS})\]?$( $envelope-sender <\S+>$)? by (\S+)/) {
787	39					186	$helo = $rdns = $1; $ip = $2; $by = $4;
	39					128
	39					93
788							}
789							# qmail doesn't perform rDNS requests by itself, but is usually called
790							# by tcpserver or a similar daemon that passes rDNS information to qmail-smtpd.
791							# If qmail puts something else than "unknown" in the rDNS field, it means that
792							# it received this information from the daemon that called it. If qmail-smtpd
793							# writes "Received: from unknown", it means that either the remote has no
794							# rDNS, or qmail was called by a daemon that didn't gave the rDNS information.
795	54	100				179	if ($rdns ne "unknown") {
796	49					73	$mta_looked_up_dns = 1;
797							} else {
798	5					7	$rdns = '';
799							}
800	54					6916	goto enough;
801
802							}
803							# /MiB
804
805							# Received: from [193.220.176.134] by web40310.mail.yahoo.com via HTTP;
806							# Wed, 12 Feb 2003 14:22:21 PST
807	79	50	33			260	if (/ via HTTP$/&&/^\[(${IP_ADDRESS})\] by (\S+) via HTTP$/) {
808	0					0	$ip = $1; $by = $2; goto enough;
	0					0
	0					0
809							}
810
811							# Received: from 192.168.5.158 ( [192.168.5.158]) as user jason@localhost by mail.reusch.net with HTTP; Mon, 8 Jul 2002 23:24:56 -0400
812	79	50				1031	if (/^(\S+) $ \[(${IP_ADDRESS})\]$.*? by (\S+) /) {
813							# TODO: is $1 helo?
814	0					0	$ip = $2; $by = $3; goto enough;
	0					0
	0					0
815							}
816
817							# Received: from (64.52.135.194 [64.52.135.194]) by mail.unearthed.com with ESMTP id BQB0hUH2 Thu, 20 Feb 2003 16:13:20 -0700 (PST)
818	79	50				1101	if (/^$(\S+) \[(${IP_ADDRESS})\]$ by (\S+) /) {
819	0					0	$helo = $1; $ip = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
820							}
821
822							# Received: from [65.167.180.251] by relent.cedata.com (MessageWall 1.1.0) with SMTP; 20 Feb 2003 23:57:15 -0000
823	79	100				1067	if (/^\[(${IP_ADDRESS})\] by (\S+) /) {
824	1					4	$ip = $1; $by = $2; goto enough;
	1					3
	1					64
825							}
826
827							# from ([172.16.1.78]) by email2.codeworksonline.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Sep 2006 21:14:29 -0400
828							# from (130.215.36.186) by mcafee.wpi.edu via smtp id 021b_7e19a55a_ea7e_11da_83a9_00304811e63a; Tue, 23 May 2006 13:06:35 -0400
829							# from ([172.21.2.10]) by out-relay4.mtahq.org with ESMTP id 4420961.8281; Tue, 22 Aug 2006 17:53:08 -0400
830	78	100				1068	if (/^$\[?(${IP_ADDRESS})\]?$ by (\S+) /) {
831	4					15	$ip = $1; $by = $2; goto enough;
	4					9
	4					275
832							}
833
834							# Received: from acecomms [202.83.84.95] by mailscan.acenet.net.au [202.83.84.27] with SMTP (MDaemon.PRO.v5.0.6.R) for <spamassassin-talk@lists.sourceforge.net>; Fri, 21 Feb 2003 09:32:27 +1000
835	74	50				1066	if (/^(\S+) \[(${IP_ADDRESS})\] by (\S+) \[(\S+)\] with /) {
836	0					0	$mta_looked_up_dns = 1;
837	0					0	$helo = $1; $ip = $2;
	0					0
838	0					0	$by = $4; # use the IP addr for "by", more useful?
839	0					0	goto enough;
840							}
841
842							# Received: from mail.sxptt.zj.cn ([218.0.185.24]) by dogma.slashnull.org
843							# (8.11.6/8.11.6) with ESMTP id h2FH0Zx11330 for <webmaster@efi.ie>;
844							# Sat, 15 Mar 2003 17:00:41 GMT
845	74	100				1401	if (/^(\S+) $\[(${IP_ADDRESS})\]$ by (\S+) \(/) { # sendmail
846	4					11	$mta_looked_up_dns = 1;
847	4					9	$helo = $1; $ip = $2; $by = $3; goto enough;
	4					10
	4					9
	4					244
848							}
849
850							# Received: from umr-mail7.umr.edu (umr-mail7.umr.edu [131.151.1.64]) via ESMTP by mrelay1.cc.umr.edu (8.12.1/) id h06GHYLZ022481; Mon, 6 Jan 2003 10:17:34 -0600
851							# Received: from Agni (localhost [::ffff:127.0.0.1]) (TLS: TLSv1/SSLv3, 168bits,DES-CBC3-SHA) by agni.forevermore.net with esmtp; Mon, 28 Oct 2002 14:48:52 -0800
852							# Received: from gandalf ([4.37.75.131]) (authenticated bits=0) by herald.cc.purdue.edu (8.12.5/8.12.5/herald) with ESMTP id g9JLefrm028228 for <spamassassin-talk@lists.sourceforge.net>; Sat, 19 Oct 2002 16:40:41 -0500 (EST)
853							# Received: from bushinternet.com (softdnserr [::ffff:61.99.99.67]) by mail.cs.helsinki.fi with esmtp; Fri, 22 Aug 2003 12:25:41 +0300
854	70	100				1113	if (/^(\S+) $(\S+) \[(${IP_ADDRESS})\]$.*? by (\S+)\b/) { # sendmail
855	4	100				17	if ($2 eq 'softdnserr') {
856	1					3	$mta_looked_up_dns = 0; # bug 2326: couriertcpd
857							} else {
858	3					7	$mta_looked_up_dns = 1; $rdns = $2;
	3					6
859							}
860	4					7	$helo = $1; $ip = $3; $by = $4; goto enough;
	4					8
	4					8
	4					262
861							}
862
863							# from jsoliday.acs.internap.com ([63.251.66.24.63559]) by
864							# mailhost.acs.internap.com with esmtp (v3.35.1) id 1GNrLz-000295-00;
865							# Thu, 14 Sep 2006 09:34:07 -0400
866	66	100				1166	if (/^(\S+) $\[(${IP_ADDRESS})(?:[.:]\d+)?\]$.*? by (\S+) /) {
867	6					9	$mta_looked_up_dns = 1;
868	6					16	$helo = $1; $ip = $2; $by = $3; goto enough;
	6					13
	6					11
	6					394
869							}
870
871							# Received: from roissy (p573.as1.exs.dublin.eircom.net [159.134.226.61])
872							# (authenticated bits=0) by slate.dublin.wbtsystems.com (8.12.6/8.12.6)
873							# with ESMTP id g9MFWcvb068860 for <jm@jmason.org>;
874							# Tue, 22 Oct 2002 16:32:39 +0100 (IST)
875	60	50				1014	if (/^(\S+) $(\S+) \[(${IP_ADDRESS})\]$(?: $authenticated bits=\d+$)? by (\S+) \(/) { # sendmail
876	0					0	$mta_looked_up_dns = 1;
877	0					0	$helo = $1; $rdns = $2; $ip = $3; $by = $4; goto enough;
	0					0
	0					0
	0					0
	0					0
878							}
879
880							# Identify fetch-from-server incidents:
881							# Fetchmail:
882							# Received: from cabbage.jmason.org [127.0.0.1]
883							# by localhost with IMAP (fetchmail-5.9.0)
884							# for jm@localhost (single-drop); Thu, 13 Mar 2003 20:39:56 -0800 (PST)
885							#
886							# Getmail:
887							# Received: from pop3.mail.dk (195.41.46.251) by loki.valhalla with POP3;
888							# 14 Apr 2010 11:14:29 -0000
889							#
890	60	100				213	if (/with (?:POP3\|IMAP)/) {
891	4					22	$self->found_pop_fetcher_sig();
892	4					32	return 0; # skip mail fetcher handovers
893							}
894
895							# Let's try to support a few qmailish formats in one;
896							# http://issues.apache.org/SpamAssassin/show_bug.cgi?id=2744#c14 :
897							# Received: from unknown (HELO feux01a-isp) (213.199.4.210) by totor.bouissou.net with SMTP; 1 Nov 2003 07:05:19 -0000
898							# Received: from adsl-207-213-27-129.dsl.lsan03.pacbell.net (HELO merlin.net.au) (Owner50@207.213.27.129) by totor.bouissou.net with SMTP; 10 Nov 2003 06:30:34 -0000
899	56	100				860	if (/^(\S+) $(?:HELO\|EHLO) ([^$])\) $(\S@)?\[?(${IP_ADDRESS})\]?$.* by (\S+) /)
900							{
901	1					3	$mta_looked_up_dns = 1;
902	1					3	$rdns = $1;
903	1					4	$helo = $2;
904	1	50				4	$ident = (defined $3) ? $3 : '';
905	1					3	$ip = $4;
906	1					3	$by = $5;
907	1	50				2	if ($ident) {
908	1					5	$ident =~ s/\@$//;
909							}
910	1					66	goto enough;
911							}
912
913							# Received: from x1-6-00-04-bd-d2-e0-a3.k317.webspeed.dk (benelli@80.167.158.170) by totor.bouissou.net with SMTP; 5 Nov 2003 23:18:42 -0000
914	55	100				914	if (/^(\S+) $(\S@)?\[?(${IP_ADDRESS})\]?$. by (\S+) /)
915							{
916	4					9	$mta_looked_up_dns = 1;
917							# bug 2744 notes that if HELO == rDNS, qmail drops it.
918	4	50				10	$rdns = $1; $helo = $rdns; $ident = (defined $2) ? $2 : '';
	4					8
	4					12
919	4					7	$ip = $3; $by = $4;
	4					8
920	4	50				8	if ($ident) { $ident =~ s/\@$//; }
	0					0
921	4					263	goto enough;
922							}
923
924							# Received: from [129.24.215.125] by ws1-7.us4.outblaze.com with http for
925							# _bushisevil_@mail.com; Thu, 13 Feb 2003 15:59:28 -0500
926	51	50	33			164	if (/ with http for /&&/^\[(${IP_ADDRESS})\] by (\S+) with http for /) {
927	0					0	$ip = $1; $by = $2; goto enough;
	0					0
	0					0
928							}
929
930							# Received: from snake.corp.yahoo.com(216.145.52.229) by x.x.org via smap (V1.3)
931							# id xma093673; Wed, 26 Mar 03 20:43:24 -0600
932	51	50	33			123	if (/ via smap /&&/^(\S+)$(${IP_ADDRESS})$ by (\S+) via smap /) {
933	0					0	$mta_looked_up_dns = 1;
934	0					0	$rdns = $1; $ip = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
935							}
936
937							# Received: from smtp.greyware.com(208.14.208.51, HELO smtp.sff.net) by x.x.org via smap (V1.3)
938							# id xma002908; Fri, 27 Feb 04 14:16:56 -0800
939	51	50				735	if (/^(\S+)$(${IP_ADDRESS}), (?:HELO\|EHLO) (\S*)$ by (\S+) via smap /) {
940	0					0	$mta_looked_up_dns = 1;
941	0					0	$rdns = $1; $ip = $2; $helo = $3; $by = $4; goto enough;
	0					0
	0					0
	0					0
	0					0
942							}
943
944							# Received: from [192.168.0.71] by web01-nyc.clicvu.com (Post.Office MTA
945							# v3.5.3 release 223 ID# 0-64039U1000L100S0V35) with SMTP id com for
946							# <x@x.org>; Tue, 25 Mar 2003 11:42:04 -0500
947	51	50	33			156	if (/ \(Post/&&/^\[(${IP_ADDRESS})\] by (\S+) \(Post/) {
948	0					0	$ip = $1; $by = $2; goto enough;
	0					0
	0					0
949							}
950
951							# Received: from [127.0.0.1] by euphoria (ArGoSoft Mail Server
952							# Freeware, Version 1.8 (1.8.2.5)); Sat, 8 Feb 2003 09:45:32 +0200
953	51	50	33			117	if (/ \(ArGoSoft/&&/^\[(${IP_ADDRESS})\] by (\S+) \(ArGoSoft/) {
954	0					0	$ip = $1; $by = $2; goto enough;
	0					0
	0					0
955							}
956
957							# Received: from 157.54.8.23 by inet-vrs-05.redmond.corp.microsoft.com
958							# (InterScan E-Mail VirusWall NT); Thu, 06 Mar 2003 12:02:35 -0800
959							# Received: from 10.165.130.62 by CNNIMAIL12.CNN.COM (SMTPL release 1.0d) with TCP; Fri, 1 Sep 2006 20:28:14 -0400
960	51	100				1001	if (/^(${IP_ADDRESS}) by (\S+) \((?:SMTPL\|InterScan)\b/) {
961	1					5	$ip = $1; $by = $2; goto enough;
	1					3
	1					73
962							}
963
964							# Received: from faerber.muc.de by slarti.muc.de with BSMTP (rsmtp-qm-ot 0.4)
965							# for asrg@ietf.org; 7 Mar 2003 21:10:38 -0000
966	50	50	33			192	if (/ with BSMTP/&&/^\S+ by \S+ with BSMTP/) {
967	0					0	return 0; # BSMTP != a TCP/IP handover, ignore it
968							}
969
970							# Received: from spike (spike.ig.co.uk [193.32.60.32]) by mail.ig.co.uk with
971							# SMTP id h27CrCD03362 for <asrg@ietf.org>; Fri, 7 Mar 2003 12:53:12 GMT
972	50	50				758	if (/^(\S+) $(\S+) \[(${IP_ADDRESS})\]$ by (\S+) with /) {
973	0					0	$mta_looked_up_dns = 1;
974	0					0	$helo = $1; $rdns = $2; $ip = $3; $by = $4; goto enough;
	0					0
	0					0
	0					0
	0					0
975							}
976
977							# Received: from customer254-217.iplannetworks.net (HELO AGAMENON)
978							# (baldusi@200.69.254.217 with plain) by smtp.mail.vip.sc5.yahoo.com with
979							# SMTP; 11 Mar 2003 21:03:28 -0000
980	50	50				170	if (/^(\S+) $(?:HELO\|EHLO) (\S)$ $(\S+).?$ by (\S+) with /) {
981	0					0	$mta_looked_up_dns = 1;
982	0					0	$rdns = $1; $helo = $2; $ip = $3; $by = $4;
	0					0
	0					0
	0					0
983	0	0				0	$ip =~ s/([^\@]*)\@//g and $ident = $1; # remove IDENT lookups
984	0					0	goto enough;
985							}
986
987							# Received: from [192.168.1.104] (account nazgul HELO [192.168.1.104])
988							# by somewhere.com (CommuniGate Pro SMTP 3.5.7) with ESMTP-TLS id 2088434;
989							# Fri, 07 Mar 2003 13:05:06 -0500
990	50	100				796	if (/^\[(${IP_ADDRESS})\] $(?:account \S+ )?(?:HELO\|EHLO) (\S*)$ by (\S+) \(/) {
991	7					21	$ip = $1; $helo = $2; $by = $3; goto enough;
	7					13
	7					13
	7					456
992							}
993
994							# Received: from host.example.com ([192.0.2.1] verified)
995							# by mail.example.net (CommuniGate Pro SMTP 5.1.13)
996							# with ESMTP id 9786656 for user@example.net; Thu, 27 Mar 2008 15:08:17 +0600
997	43	100	100			464	if (/ $CommuniGate Pro/ && /^(\S+) \(\[(${IP_ADDRESS})\] verified$ by (\S+) \(/) {
998	4					7	$mta_looked_up_dns = 1;
999	4					12	$rdns = $1; $helo = $1; $ip = $2; $by = $3; goto enough;
	4					6
	4					7
	4					7
	4					270
1000							}
1001
1002							# Received: from ([10.0.0.6]) by mail0.ciphertrust.com with ESMTP ; Thu,
1003							# 13 Mar 2003 06:26:21 -0500 (EST)
1004	39	50				712	if (/^$\[(${IP_ADDRESS})\]$ by (\S+) with /) {
1005	0					0	$ip = $1; $by = $2; goto enough;
	0					0
	0					0
1006							}
1007
1008							# Received: from ironport.com (10.1.1.5) by a50.ironport.com with ESMTP; 01 Apr 2003 12:00:51 -0800
1009							# Received: from dyn-81-166-39-132.ppp.tiscali.fr (81.166.39.132) by cpmail.dk.tiscali.com (6.7.018)
1010	39	50				721	if (/^([^\d]\S+) $(${IP_ADDRESS})$ by (\S+) /) {
1011	0					0	$helo = $1; $ip = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
1012							}
1013
1014							# Received: from scv3.apple.com (scv3.apple.com) by mailgate2.apple.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T61095998e1118164e13f8@mailgate2.apple.com>; Mon, 17 Mar 2003 17:04:54 -0800
1015							# bug 4704: Only let this match Content Technologies so it stops breaking things that come after it by matching first
1016	39	50				98	if (/^\S+ $\S+$ by \S+ \(Content Technologies /) {
1017	0					0	return 0; # useless without the $ip anyway!
1018							}
1019
1020							# Received: from 01al10015010057.ad.bls.com ([90.152.5.141] [90.152.5.141])
1021							# by aismtp3g.bls.com with ESMTP; Mon, 10 Mar 2003 11:10:41 -0500
1022	39	50				91	if (/^(\S+) $\[(\S+)\] \[(\S+)\]$ by (\S+) with /) {
1023							# not sure what $3 is ;)
1024	0					0	$helo = $1; $ip = $2; $by = $4;
	0					0
	0					0
1025	0					0	goto enough;
1026							}
1027
1028							# Received: from 206.47.0.153 by dm3cn8.bell.ca with ESMTP (Tumbleweed MMS
1029							# SMTP Relay (MMS v5.0)); Mon, 24 Mar 2003 19:49:48 -0500
1030	39	100				840	if (/^(${IP_ADDRESS}) by (\S+) with /) {
1031	1					5	$ip = $1; $by = $2;
	1					4
1032	1					68	goto enough;
1033							}
1034
1035							# Received: from pobox.com (h005018086b3b.ne.client2.attbi.com[66.31.45.164])
1036							# by rwcrmhc53.attbi.com (rwcrmhc53) with SMTP id <2003031302165605300suph7e>;
1037							# Thu, 13 Mar 2003 02:16:56 +0000
1038	38	50				725	if (/^(\S+) $(\S+)\[(${IP_ADDRESS})\]$ by (\S+) /) {
1039	0					0	$mta_looked_up_dns = 1;
1040	0					0	$helo = $1; $rdns = $2; $ip = $3; $by = $4; goto enough;
	0					0
	0					0
	0					0
	0					0
1041							}
1042
1043							# Received: from [10.128.128.81]:50999 (HELO dfintra.f-secure.com) by fsav4im2 ([10.128.128.74]:25) (F-Secure Anti-Virus for Internet Mail 6.0.34 Release) with SMTP; Tue, 5 Mar 2002 14:11:53 -0000
1044	38	50				784	if (/^\[(${IP_ADDRESS})\]\S+ $(?:HELO\|EHLO) (\S*)$ by (\S+) /) {
1045	0					0	$ip = $1; $helo = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
1046							}
1047
1048							# Received: from 62.180.7.250 (HELO daisy) by smtp.altavista.de (209.228.22.152) with SMTP; 19 Sep 2002 17:03:17 +0000
1049	38	50				801	if (/^(${IP_ADDRESS}) $(?:HELO\|EHLO) (\S*)$ by (\S+) /) {
1050	0					0	$ip = $1; $helo = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
1051							}
1052
1053							# Received: from oemcomputer [63.232.189.195] by highstream.net (SMTPD32-7.07) id A4CE7F2A0028; Sat, 01 Feb 2003 21:39:10 -0500
1054	38	50				672	if (/^(\S+) \[(${IP_ADDRESS})\] by (\S+) /) {
1055	0					0	$helo = $1; $ip = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
1056							}
1057
1058							# from nodnsquery(192.100.64.12) by herbivore.monmouth.edu via csmap (V4.1) id srcAAAyHaywy
1059	38	50				723	if (/^(\S+)$(${IP_ADDRESS})$ by (\S+) /) {
1060	0					0	$rdns = $1; $ip = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
1061							}
1062
1063							# Received: from [192.168.0.13] by <server> (MailGate 3.5.172) with SMTP;
1064							# Tue, 1 Apr 2003 15:04:55 +0100
1065	38	50				721	if (/^\[(${IP_ADDRESS})\] by (\S+) \(MailGate /) {
1066	0					0	$ip = $1; $by = $2; goto enough;
	0					0
	0					0
1067							}
1068
1069							# Received: from jmason.org (unverified [195.218.107.131]) by ni-mail1.dna.utvinternet.net <B0014212518@ni-mail1.dna.utvinternet.net>; Tue, 11 Feb 2003 12:18:12 +0000
1070	38	50				704	if (/^(\S+) $unverified \[(${IP_ADDRESS})\]$ by (\S+) /) {
1071	0					0	$helo = $1; $ip = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
1072							}
1073
1074							# # from 165.228.131.11 (proxying for 139.130.20.189) (SquirrelMail authenticated user jmmail) by jmason.org with HTTP
1075							# if (/^from (\S+) $proxying for (${IP_ADDRESS})$ $[A-Za-z][^$]+\) by (\S+) with /) {
1076							# $ip = $2; $by = $3; goto enough;
1077							# }
1078	38	50				883	if (/^(${IP_ADDRESS}) $[A-Za-z][^$]+\) by (\S+) with /) {
1079	0					0	$ip = $1; $by = $2; goto enough;
	0					0
	0					0
1080							}
1081
1082							# Received: from [212.87.144.30] (account seiz [212.87.144.30] verified) by x.imd.net (CommuniGate Pro SMTP 4.0.3) with ESMTP-TLS id 5026665 for spamassassin-talk@lists.sourceforge.net; Wed, 15 Jan 2003 16:27:05 +0100
1083							# bug 4704 This pattern was checked as just an Exim format, but it does exist elsewhere
1084							# Received: from [206.51.230.145] (helo=t-online.de)
1085							# by mxeu2.kundenserver.de with ESMTP (Nemesis),
1086							# id 0MKpdM-1CkRpr14PF-000608; Fri, 31 Dec 2004 19:49:15 +0100
1087							# Received: from [218.19.142.229] (helo=hotmail.com ident=yiuhyotp)
1088							# by yzordderrex with smtp (Exim 3.35 #1 (Debian)) id 194BE5-0005Zh-00; Sat, 12 Apr 2003 03:58:53 +0100
1089	38	100				741	if (/^\[(${IP_ADDRESS})\] $([^$]+)\) by (\S+) /) {
1090	3					11	$ip = $1; my $sub = $2; $by = $3;
	3					6
	3					6
1091	3	100				12	$sub =~ s/helo=(\S+)// and $helo = $1;
1092	3	50				8	$sub =~ s/ident=(\S*)// and $ident = $1;
1093	3					206	goto enough;
1094							}
1095
1096							# Received: from mtsbp606.email-info.net (?dXqpg3b0hiH9faI2OxLT94P/YKDD3rQ1?@64.253.199.166) by kde.informatik.uni-kl.de with SMTP; 30 Apr 2003 15:06:29
1097	35	50				779	if (/^(\S+) $(?:\S+\@)?(${IP_ADDRESS})$ by (\S+) with /) {
1098	0					0	$rdns = $1; $ip = $2; $by = $3; goto enough;
	0					0
	0					0
	0					0
1099							}
1100
1101							# Obtuse smtpd: http://www.obtuse.com/
1102							# Received: from TCE-E-7-182-54.bta.net.cn(202.106.182.54) via SMTP
1103							# by st.tahina.priv.at, id smtpdEDUB8h; Sun Nov 13 14:50:12 2005
1104							# Received: from pl027.nas934.d-osaka.nttpc.ne.jp(61.197.82.27), claiming to be "foo.woas.net" via SMTP
1105							# by st.tahina.priv.at, id smtpd1PBsZT; Sun Nov 13 15:38:52 2005
1106	35	100				757	if (/^(\S+)$(${IP_ADDRESS})$(?:, claiming to be "(\S+)")? via \S+ by (\S+),/) {
1107	2	100				9	$rdns = $1; $ip = $2; $helo = (defined $3) ? $3 : ''; $by = $4;
	2					4
	2					8
	2					4
1108	2	50				341	if ($1 ne 'UNKNOWN') {
1109	2					7	$mta_looked_up_dns = 1;
1110	2					6	$rdns = $1;
1111							}
1112	2					141	goto enough;
1113							}
1114
1115							# Yahoo Authenticated SMTP; Bug #6535
1116							# from itrqtnlnq (lucilleskinner@93.124.107.183 with login) by smtp111.mail.ne1.yahoo.com with SMTP; 17 Jan 2011 08:23:27 -0800 PST
1117	33	50				713	if (/^(\S+) $(\S+)@(${IP_ADDRESS}) with login$ by (\S+\.yahoo\.com) with SMTP/) {
1118	0					0	$helo = $1; $ip = $3; $by = $4; goto enough;
	0					0
	0					0
	0					0
1119							}
1120
1121							# a synthetic header, generated internally:
1122							# Received: X-Originating-IP: 1.2.3.4
1123	33	100				108	if (/^X-Originating-IP: (\S+)$/) {
1124	4					15	$ip = $1; $by = ''; goto enough;
	4					9
	4					301
1125							}
1126
1127							## STUFF TO IGNORE ##
1128
1129							# Received: from raptor.research.att.com (bala@localhost) by
1130							# raptor.research.att.com (SGI-8.9.3/8.8.7) with ESMTP id KAA14788
1131							# for <asrg@example.com>; Fri, 7 Mar 2003 10:37:56 -0500 (EST)
1132							# make this localhost-specific, so we know it's safe to ignore
1133	29	100				262	if (/^\S+ $[^\s\@]+\@${LOCALHOST}$ by \S+ \(/) { return 0; }
	1					13
1134
1135							# from paul (helo=felix) by felix.peema.org with local-esmtp (Exim 4.43)
1136							# id 1Ccq0j-0002k2-Lk; Fri, 10 Dec 2004 19:01:01 +0000
1137							# Exim doco says this is local submission, cf switch -oMr
1138	28	50				64	if (/^\S+ \S+ by \S+ with local-e?smtp /) { return 0; }
	0					0
1139
1140							# from 127.0.0.1 (AVG SMTP 7.0.299 [265.6.8]); Wed, 05 Jan 2005 15:06:48 -0800
1141	28	50				52	if (/^127\.0\.0\.1 $AVG SMTP \S+ \[\S+\]$/) { return 0; }
	0					0
1142
1143							# from qmail-scanner-general-admin@lists.sourceforge.net by alpha by uid 7791 with qmail-scanner-1.14 (spamassassin: 2.41. Clear:SA:0(-4.1/5.0):. Processed in 0.209512 secs)
1144	28	100				60	if (/^\S+\@\S+ by \S+ by uid \S+ /) { return 0; }
	1					14
1145
1146							# Received: from DSmith1204@aol.com by imo-m09.mx.aol.com (mail_out_v34.13.) id 7.53.208064a0 (4394); Sat, 11 Jan 2003 23:24:31 -0500 (EST)
1147	27	100				81	if (/^\S+\@\S+ by \S+ /) { return 0; }
	1					16
1148
1149							# Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Fri, 17 Jan 2003 15:23:29 -0000
1150	26	50				49	if (/^Unknown\/Local \(/) { return 0; }
	0					0
1151
1152							# Received: from localhost (mailnull@localhost) by x.org (8.12.6/8.9.3)
1153							# with SMTP id h2R2iivG093740; Wed, 26 Mar 2003 20:44:44 -0600
1154							# (CST) (envelope-from x@x.org)
1155							# Received: from localhost (localhost [127.0.0.1]) (uid 500) by mail with local; Tue, 07 Jan 2003 11:40:47 -0600
1156	26	50				439	if (/^${LOCALHOST} $(?:\S+\@)?${LOCALHOST}[$\[]/) { return 0; }
	0					0
1157
1158							# Received: from olgisoft.com (127.0.0.1) by 127.0.0.1 (EzMTS MTSSmtp
1159							# 1.55d5) ; Thu, 20 Mar 03 10:06:43 +0100 for <asrg@ietf.org>
1160	26	50				255	if (/^\S+ $(?:\S+\@)?${LOCALHOST}$ /) { return 0; }
	0					0
1161
1162							# Received: from casper.ghostscript.com (raph@casper [127.0.0.1]) h148aux8016336verify=FAIL); Tue, 4 Feb 2003 00:36:56 -0800
1163	26	50				266	if (/^\S+ $\S+\@\S+ \[${LOCALHOST}\]$ /) { return 0; }
	0					0
1164
1165							# Received: from (AUTH: e40a9cea) by vqx.net with esmtp (courier-0.40) for <asrg@ietf.org>; Mon, 03 Mar 2003 14:49:28 +0000
1166	26	50				59	if (/^$AUTH: \S+$ by \S+ with /) { return 0; }
	0					0
1167
1168							# from localhost (localhost [[UNIX: localhost]]) by home.barryodonovan.com
1169							# (8.12.11/8.12.11/Submit) id iBADHRP6011034; Fri, 10 Dec 2004 13:17:27 GMT
1170	26	50				52	if (/^localhost $localhost \[\[UNIX: localhost\]\]$ by /) { return 0; }
	0					0
1171
1172							# Internal Amazon traffic
1173							# Received: from dc-mail-3102.iad3.amazon.com by mail-store-2001.amazon.com with ESMTP (peer crosscheck: dc-mail-3102.iad3.amazon.com)
1174	26	50				51	if (/^\S+\.amazon\.com by \S+\.amazon\.com with ESMTP \(peer crosscheck: /) { return 0; }
	0					0
1175
1176							# Received: from GWGC6-MTA by gc6.jefferson.co.us with Novell_GroupWise; Tue, 30 Nov 2004 10:09:15 -0700
1177	26	50				53	if (/^[^\.]+ by \S+ with Novell_GroupWise/) { return 0; }
	0					0
1178
1179							# Received: from no.name.available by [165.224.43.143] via smtpd (for [165.224.216.89]) with ESMTP; Fri, 28 Jan 2005 13:06:39 -0500
1180							# Received: from no.name.available by [165.224.216.88] via smtpd (for lists.sourceforge.net [66.35.250.206]) with ESMTP; Fri, 28 Jan 2005 15:42:30 -0500
1181							# These are from an internal host protected by a Raptor firewall, to hosts
1182							# outside the firewall. We can only ignore the handover since we don't have
1183							# enough info in those headers; however, from googling, it appears that
1184							# all samples are cases where the handover is safely ignored.
1185	26	50				43	if (/^no\.name\.available by \S+ via smtpd \(for /) { return 0; }
	0					0
1186
1187							# from 156.56.111.196 by blazing.arsecandle.org (envelope-from <gentoo-announce-return-530-rod=arsecandle.org@lists.gentoo.org>, uid 502) with qmail-scanner-1.24 (clamdscan: 0.80/594. f-prot: 4.4.2/3.14.11. Clear:RC:0(156.56.111.196):. Processed in 0.288806 secs); 06 Feb 2005 21:11:38 -0000
1188							# these are safe to ignore. the previous handover line has the full
1189							# details of the handover described here, it's just qmail-scanner
1190							# logging a little more.
1191	26	100				53	if (/^\S+ by \S+ $.{0,100}$ with qmail-scanner/) {
1192	1					6	$envfrom =~ s/^\s<//gs; $envfrom =~ s/>\s$//gs;
	1					16
1193	1					4	$envfrom =~ s/[\s\000\#\[\]\<\>\\|]/!/gs;
1194	1					5	$self->{qmail_scanner_env_from} = $envfrom; # hack!
1195	1					18	return 0;
1196							}
1197
1198							# Received: from mmail by argon.connect.org.uk with local (connectmail/exim)
1199							# id 18tOsg-0008FX-00; Thu, 13 Mar 2003 09:20:06 +0000
1200	25	50				53	if (/^\S+ by \S+ with local/) { return 0; }
	0					0
1201
1202							# Local unix socket handover from Cyrus, tested with v2.3.14
1203							# Received: from testintranator.net.vm ([unix socket])_ by testintranator.net.vm (Cyrus v2.3.14) with LMTPA;_ Tue, 21 Jul 2009 14:34:14 +0200
1204							# Attention: Actually the received header is parsed as "testintranator.net.vm ([unix socket]) by testintranator.net.vm (Cyrus v2.3.14) with LMTPA", "from" is ommited.
1205	25	50				56	if (/^\S+ $\[unix socket\]$ by \S+ $Cyrus v[0-9]?\.[0-9]?\.[0-9]*?$ with LMTPA/) { return 0; }
	0					0
1206
1207							# HANDOVERS WE KNOW WE CAN'T DEAL WITH: TCP transmission, but to MTAs that
1208							# just don't log enough info for us to use (ie. no IP address present).
1209							# Note: "return 0" is strongly recommended here, unless you're sure
1210							# the regexp won't match something in the field; otherwise ALL_TRUSTED may
1211							# fire even in the presence of an unparseable Received header.
1212
1213							# Received: from CATHY.IJS.SI by CATHY.IJS.SI (PMDF V4.3-10 #8779) id <01KTSSR50NSW001MXN@CATHY.IJS.SI>; Fri, 21 Mar 2003 20:50:56 +0100
1214							# Received: from MATT_LINUX by hippo.star.co.uk via smtpd (for mail.webnote.net [193.120.211.219]) with SMTP; 3 Jul 2002 15:43:50 UT
1215							# Received: from cp-its-ieg01.mail.saic.com by cpmx.mail.saic.com for me@jmason.org; Tue, 23 Jul 2002 14:09:10 -0700
1216	25	100				107	if (/^\S+ by \S+ (?:with\|via\|for\|\()/) { return 0; }
	20					272
1217
1218							# from senmail2.senate.gov with LMTP by senmail2 (3.0.2/sieved-3-0-build-942) for <example@vandinter.org>; Fri, 30 Jun 2006 10:58:41 -0400
1219							# from zimbramail.artsit.org.uk (unverified) by MAILSWEEP.birminghamartsit.org.uk (Clearswift SMTPRS 5.1.7) with ESMTP id <T78926b35f2c0a80003da8@MAILSWEEP.birminghamartsit.org.uk> for <discuss@lists.surbl.org>; Tue, 30 May 2006 15:56:15 +0100
1220	5	100				21	if (/^\S+ (?:(?:with\|via\|for) \S+\|$unverified$) by\b/) { return 0; }
	2					25
1221
1222							# from DL1GSPMX02 (dl1gspmx02.gamestop.com) by email.ebgames.com (LSMTP for Windows NT v1.1b) with SMTP id <21.000575A0@email.ebgames.com>; Tue, 12 Sep 2006 21:06:43 -0500
1223	3	100				9	if (/\(LSMTP for/) { return 0; }
	1					13
1224
1225							# if at this point we still haven't figured out the HELO string, see if we
1226							# can't just guess
1227	2	100	66			18	if (!$helo && /^(\S+)[^-A-Za-z0-9\.]/) { $helo = $1; }
	1					9
1228							}
1229
1230							# ---------------------------------------------------------------------------
1231
1232							elsif (s/^FROM //) {
1233							# simta: http://rsug.itd.umich.edu/software/simta/
1234							# Note the ugly uppercase FROM/BY/ID
1235							# Received: FROM hackers.mr.itd.umich.edu (smtp.mail.umich.edu [141.211.14.81])
1236							# BY madman.mr.itd.umich.edu ID 434B508E.174A6.13932 ; 11 Oct 2005 01:41:34 -0400
1237							# Received: FROM [192.168.1.24] (s233-64-90-216.try.wideopenwest.com [64.233.216.90])
1238							# BY hackers.mr.itd.umich.edu ID 434B5051.8CDE5.15436 ; 11 Oct 2005 01:40:33 -0400
1239	2	50				273	if (/^(\S+) $(\S+) \[(${IP_ADDRESS})\]$ BY (\S+) ID (\S+)$/ ) {
1240	2					6	$mta_looked_up_dns = 1;
1241	2					7	$helo = $1; $rdns = $2; $ip = $3; $by = $4; $id = $5;
	2					4
	2					10
	2					5
	2					3
1242	2					133	goto enough;
1243							}
1244							}
1245
1246							# ---------------------------------------------------------------------------
1247
1248							elsif (s/^\(from //) {
1249							# Norton AntiVirus Gateway
1250							# Received: (from localhost [24.180.47.240])
1251							# by host.name (NAVGW 2.5.2.12) with SMTP id M2006060503484615455
1252							# for <user@domain.co.uk>; Mon, 05 Jun 2006 03:48:47 +0100
1253	5	100				862	if (/^(\S) \[(${IP_ADDRESS})\]\) by (\S+) $NAVGW .?$ with /) {
1254	1					5	$helo = $1; $ip = $2; $by = $3;
	1					4
	1					2
1255	1					144	goto enough;
1256							}
1257
1258							# header produced by command line /usr/bin/sendmail -t -f username@example.com
1259							# Received: (from username@localhost) by home.example.com
1260							# (8.12.11/8.12.11/Submit) id iBADHRP6011034; Fri, 10 Dec 2004 13:17:27 GMT
1261	4	50				90	if (/^\S+\@localhost\) by \S+ /) { return 0; }
	4					34
1262
1263							# Received: (from vashugins@juno.com) by m06.lax.untd.com (jqueuemail) id LRVB3JAJ; Fri, 02 Jun 2006 08:15:21 PDT
1264	0	0				0	if (/^[^\s\@]+\@[^)]+\) by \S+$jqueuemail$ id [^\s;]+/) { return 0; }
	0					0
1265							}
1266
1267							# ---------------------------------------------------------------------------
1268
1269							# FALL-THROUGH: OK, at this point let's try some general patterns for things
1270							# we may not have already parsed out.
1271	2	50	33			244	if (!$ip && /\[(${IP_ADDRESS})\]/) { $ip = $1; }
	2					7
1272
1273							# ---------------------------------------------------------------------------
1274
1275							# We need to have a minimal amount of information to have a useful parse.
1276							# If we have the IP and the "by" name, move forward. If we don't, we'll
1277							# drop into the unparseable area.
1278	2	50	33			12	if ($ip && $by) { goto enough; }
	2					9
1279
1280							# Ok, we can't handle this header, go ahead and return that.
1281	0					0	return;
1282
1283							# ---------------------------------------------------------------------------
1284
1285							enough:
1286
1287							# OK, line parsed (at least partially); now deal with the contents
1288
1289							# flag handovers we couldn't get an IP address from at all
1290	177	50				618	if ($ip eq '') {
1291	0					0	dbg("received-header: could not parse IP address from: $_");
1292							}
1293
1294							# DISABLED: if we cut out localhost-to-localhost SMTP handovers,
1295							# we will give FPs on SPF checks -- since the SMTP "MAIL FROM" addr
1296							# will be recorded, but we won't have the relays handover recorded
1297							# for that SMTP transaction, so we wind up checking the wrong IP
1298							# for the addr.
1299	177					259	if (0) {
1300							if ($ip eq '127.0.0.1') {
1301							dbg("received-header: ignoring localhost handover");
1302							return 0; # ignore localhost handovers
1303							}
1304							}
1305
1306	177	50				1086	if ($rdns =~ /^unknown$/i) {
1307	0					0	$rdns = ''; # some MTAs seem to do this
1308							}
1309
1310	177					448	$ip =~ s/^ipv6://i; # remove "IPv6:" prefix
1311	177					345	$ip =~ s/^\[//; $ip =~ s/\]\z//;
	177					302
1312
1313							# IPv6 Scoped Address (RFC 4007, RFC 6874, RFC 3986 "unreserved" charset)
1314	177					307	$ip =~ s/%[A-Z0-9._~-]*\z//si; # scoped address? remove <zone_id>
1315
1316							# remove "::ffff:" prefix from IPv4-mapped-in-IPv6 addresses,
1317							# so we can treat them simply as IPv4 addresses
1318							# (only handles 'alternative form', not 'preferred form' - to be improved)
1319	177					283	$ip =~ s/^0:0:(?:0:)ffff:(\d+\.\d+\.\d+\.\d+)$/$1/i;
1320
1321	177					883	$envfrom =~ s/^\s<//gs; $envfrom =~ s/>\s$//gs;
	177					793
1322	177					353	$by =~ s/\;$//;
1323
1324							# ensure invalid chars are stripped. Replace with '!' to flag their
1325							# presence, though. NOTE: this means "[1.2.3.4]" IP addr HELO
1326							# strings, which are legit by RFC-2821, look like "!1.2.3.4!".
1327							# still useful though.
1328	177					384	$ip =~ s/[\s\000\#\[\]\<\>\\|]/!/gs;
1329	177					333	$rdns =~ s/[\s\000\#\[\]\<\>\\|]/!/gs;
1330	177					354	$helo =~ s/[\s\000\#\[\]\<\>\\|]/!/gs;
1331	177					329	$by =~ s/[\s\000\#\[\]\<\>\\|]/!/gs;
1332	177					257	$ident =~ s/[\s\000\#\[\]\<\>\\|]/!/gs;
1333	177					253	$envfrom =~ s/[\s\000\#\[\]\<\>\\|]/!/gs;
1334
1335	177					1734	my $relay = {
1336							ip => $ip,
1337							by => $by,
1338							helo => $helo,
1339							id => $id,
1340							ident => $ident,
1341							envfrom => $envfrom,
1342							lc_by => (lc $by),
1343							lc_helo => (lc $helo),
1344							auth => $auth
1345							};
1346
1347	177	100				481	if ($rdns eq '') {
1348	60	100				119	if ($mta_looked_up_dns) {
1349							# we know the MTA always does lookups, so this means the host
1350							# really has no rDNS (rather than that the MTA didn't bother
1351							# looking it up for us).
1352	14					28	$relay->{no_reverse_dns} = 1;
1353	14					438	$rdns = '';
1354							} else {
1355	46					103	$relay->{rdns_not_in_headers} = 1;
1356							}
1357							}
1358
1359	177					411	$relay->{rdns} = $rdns;
1360	177					446	$relay->{lc_rdns} = lc $rdns;
1361
1362	177					704	$self->make_relay_as_string($relay);
1363
1364	177					1033	my $is_private = ($ip =~ /${IP_PRIVATE}/o);
1365	177					370	$relay->{ip_private} = $is_private;
1366
1367							# add it to an internal array so Eval tests can use it
1368	177					1119	return $relay;
1369							}
1370
1371							sub make_relay_as_string {
1372	288			288	0	1033	my ($self, $relay) = @_;
1373
1374							# as-string rep. use spaces so things like Bayes can tokenize them easily.
1375							# NOTE: when tokenizing or matching, be sure to note that new
1376							# entries may be added to this string later. However, the order
1377							# of entries must be preserved, so that regexps that assume that
1378							# e.g. "ip" comes before "helo" will still work.
1379							#
1380	288					1428	my $asstr = "[ ip=$relay->{ip} rdns=$relay->{rdns} helo=$relay->{helo} by=$relay->{by} ident=$relay->{ident} envfrom=$relay->{envfrom} intl=0 id=$relay->{id} auth=$relay->{auth} msa=0 ]";
1381	288					1109	dbg("received-header: parsed as $asstr");
1382	288					744	$relay->{as_string} = $asstr;
1383							}
1384
1385							# restart the parse if we find a fetchmail marker or similar.
1386							# spamcop does this, and it's a great idea ;)
1387							sub found_pop_fetcher_sig {
1388	4			4	0	11	my ($self) = @_;
1389	4	100				12	if ($self->{allow_mailfetch_markers}) {
1390	1					5	dbg("received-header: found mail fetcher marker, restarting parse");
1391	1					2	$self->{relays_trusted} = [ ];
1392	1					5	$self->{relays_internal} = [ ];
1393	1					3	$self->{relays_external} = [ ];
1394							} else {
1395	3					12	dbg("received-header: found mail fetcher marker outside trusted area, ignored");
1396							}
1397							}
1398
1399							# ---------------------------------------------------------------------------
1400
1401							1;