sieve match ANY header

@lbutlr kremels at kreme.com
Wed Apr 10 03:09:10 EEST 2019


On 9 Apr 2019, at 17:07, Joseph Tam via dovecot <dovecot at dovecot.org> wrote:
> On Mon, 8 Apr 2019, @lbutlr wrote:
> 
>> Really? Where outside the Received headers do IPs appear in your email headers?
> 
> Well, let's see.  Running a rough grep on 270-message spam folder
> 
> 	# grep -E '^[-A-Za-z0-9]+:.*[^.0-9]{0,1}[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' ~/mail/FN | sort -u -k1,1 -t:
> 	Authentication-Results: spf=fail (sender IP is 52.233.28.167)

a better IP regex: \b(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b

or

\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b

I checked a quarter million messages and all listed a domain in Authentication-Results, not an IP, though to be fair some had matches like:

Authentication-Results: hostedmail.net.au; auth=pass smtp.auth=110.232.141.226 at out.zuver.net.au

> 	List-Help: <http://121.242.224.101/lists/admin/?p=preferences&uid=fb545e011f371409028a40346e99f6ff>
> 	List-Subscribe: <http://121.242.224.101/lists/admin/?p=subscribe>
> 	List-Unsubscribe: <http://121.242.224.101/lists/admin/?p=unsubscribe&uid=fb545e011f371409028a40346e99f6ff&jo=1>

I am quite sure I have never seen a mailing list with IPs in those headers. But I did check. None. Some false matches along the lines of

List-Unsubscribe: <mailto:465465-4654-117-162.xxx.xxx.xxx-gmail at abuse.*munged*.com>
 
> 	Message-ID: <0.0.8.0.1D4BD9273731DDA.4A40C20 at scotiabank-ses.com>

Not an IP

> 	Received: from sonic308-11.consmr.mail.ne1.yahoo.com (sonic308-11.consmr.mail.ne1.yahoo.com [66.163.187.34])

Yes, I said received.

> 	Received-SPF: pass (google.com: domain of notification at facebookmail.com designates 66.220.155.142 as permitted sender) client-ip=66.220.155.142;

Yes, this is also a Received header, but sure.

<many X-headers>

And I wouldn't count any x-header.

Regardless, I don't think you can search all headers.


-- 
'You know the worst of it?' said Rincewind.
'Oook?'
'I don't even remember walking under a mirror.' --Mort
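
Added example, not part of the original message: a Python sketch that runs the second regex from the post over header lines quoted in the thread and groups the hits by header name, which shows why the Message-ID line still matches an octet-limited pattern. The STRICT variant, the function name ips_by_header, the folding of the Received line and the X-Constructed line are assumptions of this example.

```python
import re
from collections import defaultdict

OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
# Second regex from the post: four octets, each limited to 0-255.
LOOSE = re.compile(r"\b(?:%s\.){3}%s\b" % (OCTET, OCTET))
# Assumption (not from the thread): also refuse a match glued to further
# dotted or hyphenated tokens, such as the start of a Message-ID.
STRICT = re.compile(r"(?<![\w.-])(?:%s\.){3}%s(?!\.?\w)" % (OCTET, OCTET))

# Header lines as quoted in the thread (archive " at " obfuscation kept).
# The Received line is folded here and X-Constructed is a constructed line.
SAMPLE = (
    "Authentication-Results: spf=fail (sender IP is 52.233.28.167)\n"
    "List-Subscribe: <http://121.242.224.101/lists/admin/?p=subscribe>\n"
    "Message-ID: <0.0.8.0.1D4BD9273731DDA.4A40C20 at scotiabank-ses.com>\n"
    "Received: from sonic308-11.consmr.mail.ne1.yahoo.com\n"
    "\t(sonic308-11.consmr.mail.ne1.yahoo.com [66.163.187.34])\n"
    "Received-SPF: pass (google.com: domain of notification at "
    "facebookmail.com designates 66.220.155.142 as permitted sender) "
    "client-ip=66.220.155.142;\n"
    "X-Constructed: version 1.2.3.4.5 build 300.1.1.1\n"
)


def ips_by_header(raw, pattern):
    """Map header name -> list of IPv4-looking strings in its value."""
    # Join folded continuation lines so a value is scanned as one string.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    found = defaultdict(list)
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or not name or " " in name:
            continue  # not a "Name: value" header line
        hits = [m.group(0) for m in pattern.finditer(value)]
        if hits:
            found[name].extend(hits)
    return dict(found)


if __name__ == "__main__":
    for label, pat in (("loose", LOOSE), ("strict", STRICT)):
        print(label)
        for name, hits in ips_by_header(SAMPLE, pat).items():
            print("  %-24s %s" % (name, ", ".join(hits)))
```
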
