Filename | /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Message/Metadata/Received.pm |
Statements | Executed 136205 statements in 2.06s |
Calls | P | F | Exclusive Time |
Inclusive Time |
Subroutine |
---|---|---|---|---|---|
1139 | 1 | 1 | 1.06s | 1.70s | parse_received_line | Mail::SpamAssassin::Message::Metadata::
234 | 1 | 1 | 368ms | 3.48s | parse_received_headers | Mail::SpamAssassin::Message::Metadata::
1041 | 1 | 1 | 51.2ms | 64.4ms | make_relay_as_string | Mail::SpamAssassin::Message::Metadata::
1 | 1 | 1 | 7.72ms | 161ms | BEGIN@49 | Mail::SpamAssassin::Message::Metadata::
1 | 1 | 1 | 43µs | 51µs | BEGIN@40 | Mail::SpamAssassin::Message::Metadata::
1 | 1 | 1 | 29µs | 533µs | BEGIN@51.2 | Mail::SpamAssassin::Message::Metadata::
1 | 1 | 1 | 20µs | 42µs | BEGIN@45 | Mail::SpamAssassin::Message::Metadata::
1 | 1 | 1 | 20µs | 26µs | BEGIN@44 | Mail::SpamAssassin::Message::Metadata::
1 | 1 | 1 | 20µs | 20µs | BEGIN@50 | Mail::SpamAssassin::Message::Metadata::
1 | 1 | 1 | 19µs | 71µs | BEGIN@47 | Mail::SpamAssassin::Message::Metadata::
1 | 1 | 1 | 19µs | 26µs | BEGIN@46 | Mail::SpamAssassin::Message::Metadata::
0 | 0 | 0 | 0s | 0s | found_pop_fetcher_sig | Mail::SpamAssassin::Message::Metadata::
Line | State ments |
Time on line |
Calls | Time in subs |
Code |
---|---|---|---|---|---|
1 | # <@LICENSE> | ||||
2 | # Licensed to the Apache Software Foundation (ASF) under one or more | ||||
3 | # contributor license agreements. See the NOTICE file distributed with | ||||
4 | # this work for additional information regarding copyright ownership. | ||||
5 | # The ASF licenses this file to you under the Apache License, Version 2.0 | ||||
6 | # (the "License"); you may not use this file except in compliance with | ||||
7 | # the License. You may obtain a copy of the License at: | ||||
8 | # | ||||
9 | # http://www.apache.org/licenses/LICENSE-2.0 | ||||
10 | # | ||||
11 | # Unless required by applicable law or agreed to in writing, software | ||||
12 | # distributed under the License is distributed on an "AS IS" BASIS, | ||||
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
14 | # See the License for the specific language governing permissions and | ||||
15 | # limitations under the License. | ||||
16 | # </@LICENSE> | ||||
17 | |||||
18 | # --------------------------------------------------------------------------- | ||||
19 | |||||
20 | # So, what's the difference between a trusted and untrusted Received header? | ||||
21 | # Basically, relays we *know* are trustworthy are 'trusted', all others after | ||||
22 | # the last one of those are 'untrusted'. | ||||
23 | # | ||||
24 | # We determine trust by detecting if they are inside the network ranges | ||||
25 | # specified in 'trusted_networks'. There is also an inference algorithm | ||||
26 | # which determines other trusted relays without user configuration. | ||||
27 | # | ||||
28 | # There's another type of Received header: the semi-trusted one. This is the | ||||
29 | # header added by *our* MX, at the boundary of trust; we can trust the IP | ||||
30 | # address (and possibly rDNS) in this header, but that's about it; HELO name is | ||||
31 | # untrustworthy. We just use this internally for now. | ||||
32 | # | ||||
33 | # Finally, there's also 'internal_networks'. These are the networks that you | ||||
34 | # control; your MXes should be included. This way, if you specify a wide range | ||||
35 | # of trusted hosts, a mail that is relayed from a dynamic IP address via a | ||||
36 | # 'trusted' host will not hit RCVD_IN_DYNABLOCK. | ||||
37 | |||||
38 | # --------------------------------------------------------------------------- | ||||
39 | |||||
40 | 2 | 80µs | 2 | 59µs | # spent 51µs (43+8) within Mail::SpamAssassin::Message::Metadata::BEGIN@40 which was called:
# once (43µs+8µs) by Mail::SpamAssassin::Message::Metadata::BEGIN@59 at line 40 # spent 51µs making 1 call to Mail::SpamAssassin::Message::Metadata::BEGIN@40
# spent 8µs making 1 call to strict::import |
41 | package Mail::SpamAssassin::Message::Metadata::Received; 1; | ||||
42 | |||||
43 | package Mail::SpamAssassin::Message::Metadata; | ||||
44 | 2 | 57µs | 2 | 32µs | # spent 26µs (20+6) within Mail::SpamAssassin::Message::Metadata::BEGIN@44 which was called:
# once (20µs+6µs) by Mail::SpamAssassin::Message::Metadata::BEGIN@59 at line 44 # spent 26µs making 1 call to Mail::SpamAssassin::Message::Metadata::BEGIN@44
# spent 6µs making 1 call to strict::import |
45 | 2 | 55µs | 2 | 65µs | # spent 42µs (20+22) within Mail::SpamAssassin::Message::Metadata::BEGIN@45 which was called:
# once (20µs+22µs) by Mail::SpamAssassin::Message::Metadata::BEGIN@59 at line 45 # spent 42µs making 1 call to Mail::SpamAssassin::Message::Metadata::BEGIN@45
# spent 22µs making 1 call to warnings::import |
46 | 2 | 57µs | 2 | 32µs | # spent 26µs (19+7) within Mail::SpamAssassin::Message::Metadata::BEGIN@46 which was called:
# once (19µs+7µs) by Mail::SpamAssassin::Message::Metadata::BEGIN@59 at line 46 # spent 26µs making 1 call to Mail::SpamAssassin::Message::Metadata::BEGIN@46
# spent 7µs making 1 call to bytes::import |
47 | 2 | 68µs | 2 | 122µs | # spent 71µs (19+52) within Mail::SpamAssassin::Message::Metadata::BEGIN@47 which was called:
# once (19µs+52µs) by Mail::SpamAssassin::Message::Metadata::BEGIN@59 at line 47 # spent 71µs making 1 call to Mail::SpamAssassin::Message::Metadata::BEGIN@47
# spent 52µs making 1 call to re::import |
48 | |||||
49 | 2 | 342µs | 1 | 161ms | # spent 161ms (7.72+153) within Mail::SpamAssassin::Message::Metadata::BEGIN@49 which was called:
# once (7.72ms+153ms) by Mail::SpamAssassin::Message::Metadata::BEGIN@59 at line 49 # spent 161ms making 1 call to Mail::SpamAssassin::Message::Metadata::BEGIN@49 |
50 | 2 | 65µs | 1 | 20µs | # spent 20µs within Mail::SpamAssassin::Message::Metadata::BEGIN@50 which was called:
# once (20µs+0s) by Mail::SpamAssassin::Message::Metadata::BEGIN@59 at line 50 # spent 20µs making 1 call to Mail::SpamAssassin::Message::Metadata::BEGIN@50 |
51 | 2 | 12.4ms | 2 | 1.04ms | # spent 533µs (29+505) within Mail::SpamAssassin::Message::Metadata::BEGIN@51.2 which was called:
# once (29µs+505µs) by Mail::SpamAssassin::Message::Metadata::BEGIN@59 at line 51 # spent 533µs making 1 call to Mail::SpamAssassin::Message::Metadata::BEGIN@51.2
# spent 505µs making 1 call to Exporter::import |
52 | |||||
53 | # --------------------------------------------------------------------------- | ||||
54 | |||||
55 | # spent 3.48s (368ms+3.11) within Mail::SpamAssassin::Message::Metadata::parse_received_headers which was called 234 times, avg 14.9ms/call:
# 234 times (368ms+3.11s) by Mail::SpamAssassin::Message::Metadata::extract at line 85 of Mail/SpamAssassin/Message/Metadata.pm, avg 14.9ms/call | ||||
56 | 234 | 720µs | my ($self, $permsgstatus, $msg) = @_; | ||
57 | |||||
58 | 234 | 778µs | my $suppl_attrib = $msg->{suppl_attrib}; # out-of-band info from a caller | ||
59 | |||||
60 | # a caller may assert that a message is coming from inside or from an | ||||
61 | # authenticated roaming users; this info may not be available in mail | ||||
62 | # header section, e.g. in case of nonstandard authentication mechanisms | ||||
63 | 234 | 455µs | my $originating; # boolean | ||
64 | 234 | 508µs | $originating = $suppl_attrib->{originating} if ref $suppl_attrib; | ||
65 | |||||
66 | 234 | 890µs | $self->{relays_trusted} = [ ]; | ||
67 | 234 | 856µs | $self->{num_relays_trusted} = 0; | ||
68 | 234 | 1.02ms | $self->{relays_trusted_str} = ''; | ||
69 | |||||
70 | 234 | 770µs | $self->{relays_untrusted} = [ ]; | ||
71 | 234 | 755µs | $self->{num_relays_untrusted} = 0; | ||
72 | 234 | 1.07ms | $self->{relays_untrusted_str} = ''; | ||
73 | |||||
74 | 234 | 697µs | $self->{relays_internal} = [ ]; | ||
75 | 234 | 707µs | $self->{num_relays_internal} = 0; | ||
76 | 234 | 828µs | $self->{relays_internal_str} = ''; | ||
77 | |||||
78 | 234 | 827µs | $self->{relays_external} = [ ]; | ||
79 | 234 | 779µs | $self->{num_relays_external} = 0; | ||
80 | 234 | 840µs | $self->{relays_external_str} = ''; | ||
81 | |||||
82 | 234 | 718µs | $self->{num_relays_unparseable} = 0; | ||
83 | |||||
84 | 234 | 986µs | $self->{last_trusted_relay_index} = -1; # last counting from the top, | ||
85 | 234 | 730µs | $self->{last_internal_relay_index} = -1; # first in time | ||
86 | |||||
87 | # now figure out what relays are trusted... | ||||
88 | 234 | 1.08ms | my $trusted = $permsgstatus->{main}->{conf}->{trusted_networks}; | ||
89 | 234 | 969µs | my $internal = $permsgstatus->{main}->{conf}->{internal_networks}; | ||
90 | 234 | 1.02ms | my $msa = $permsgstatus->{main}->{conf}->{msa_networks}; | ||
91 | 234 | 812µs | my $did_user_specify_trust = $permsgstatus->{main}->{conf}->{trusted_networks_configured}; | ||
92 | 234 | 901µs | my $did_user_specify_internal = $permsgstatus->{main}->{conf}->{internal_networks_configured}; | ||
93 | 234 | 496µs | my $in_trusted = 1; | ||
94 | 234 | 501µs | my $in_internal = 1; | ||
95 | 234 | 521µs | my $found_msa = 0; | ||
96 | |||||
97 | 234 | 1.20ms | unless ($did_user_specify_trust && $did_user_specify_internal) { | ||
98 | 234 | 1.02ms | if (!$did_user_specify_trust && !$did_user_specify_internal) { | ||
99 | 234 | 1.91ms | 234 | 1.77ms | dbg('config: trusted_networks are not configured; it is recommended '. # spent 1.77ms making 234 calls to Mail::SpamAssassin::Logger::dbg, avg 8µs/call |
100 | 'that you configure trusted_networks manually'); | ||||
101 | } elsif (!$did_user_specify_internal) { | ||||
102 | # use 'trusted' for 'internal'; compatibility with SpamAssassin 2.60 | ||||
103 | $internal = $trusted; | ||||
104 | dbg('config: internal_networks not configured, using trusted_networks '. | ||||
105 | 'configuration for internal_networks; if you really want '. | ||||
106 | 'internal_networks to only contain the required 127/8 add '. | ||||
107 | "'internal_networks !0/0' to your configuration"); | ||||
108 | } else { | ||||
109 | # use 'internal' for 'trusted'; I don't know why we let people define | ||||
110 | # internal without trusted, but we do... and we rely on trusted being set | ||||
111 | $trusted = $internal; | ||||
112 | dbg('config: trusted_networks not configured, using internal_networks '. | ||||
113 | 'configuration for trusted_networks'); | ||||
114 | } | ||||
115 | } | ||||
116 | |||||
117 | 234 | 574µs | my $IP_ADDRESS = IP_ADDRESS; | ||
118 | 234 | 596µs | my $IP_PRIVATE = IP_PRIVATE; | ||
119 | 234 | 521µs | my $LOCALHOST = LOCALHOST; | ||
120 | |||||
121 | 234 | 3.18ms | 234 | 40.9ms | my @hdrs = $msg->get_header('Received'); # spent 40.9ms making 234 calls to Mail::SpamAssassin::Message::Node::get_header, avg 175µs/call |
122 | |||||
123 | # Now add the single line headers like X-Originating-IP. (bug 5680) | ||||
124 | # we convert them into synthetic "Received" headers so we can share | ||||
125 | # code below. | ||||
126 | 468 | 7.68ms | for my $header (@{$permsgstatus->{main}->{conf}->{originating_ip_headers}}) | ||
127 | { | ||||
128 | 1170 | 7.75ms | 1170 | 119ms | my $str = $msg->get_header($header); # spent 119ms making 1170 calls to Mail::SpamAssassin::Message::Node::get_header, avg 102µs/call |
129 | 1170 | 3.47ms | 16 | 872µs | next unless ($str && $str =~ m/($IP_ADDRESS)/); # spent 704µs making 8 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 88µs/call
# spent 167µs making 8 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 21µs/call |
130 | 8 | 83µs | push @hdrs, "from X-Originating-IP: $1\n"; | ||
131 | } | ||||
132 | |||||
133 | 234 | 1.85ms | foreach my $line ( @hdrs ) { | ||
134 | |||||
135 | # qmail-scanner support hack: we may have had one of these set from the | ||||
136 | # previous (read: more recent) Received header. if so, add it on to this | ||||
137 | # header's set, since that's the handover it was describing. | ||||
138 | |||||
139 | 1139 | 1.82ms | my $qms_env_from; | ||
140 | 1139 | 2.45ms | if ($self->{qmail_scanner_env_from}) { | ||
141 | $qms_env_from = $self->{qmail_scanner_env_from}; | ||||
142 | delete $self->{qmail_scanner_env_from}; | ||||
143 | } | ||||
144 | |||||
145 | 1139 | 13.6ms | 1139 | 4.26ms | $line =~ s/\n[ \t]+/ /gs; # spent 4.26ms making 1139 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 4µs/call |
146 | |||||
147 | 1139 | 9.26ms | 1139 | 1.70s | my $relay = $self->parse_received_line ($line); # spent 1.70s making 1139 calls to Mail::SpamAssassin::Message::Metadata::parse_received_line, avg 1.49ms/call |
148 | 1139 | 2.28ms | if (!defined $relay) { | ||
149 | 11 | 148µs | 11 | 131µs | dbg("received-header: unparseable: $line"); # spent 131µs making 11 calls to Mail::SpamAssassin::Logger::dbg, avg 12µs/call |
150 | 11 | 35µs | $self->{num_relays_unparseable}++; | ||
151 | } | ||||
152 | |||||
153 | # undefined or 0 means there's no result, so goto the next header | ||||
154 | 1139 | 2.61ms | unless ($relay) { | ||
155 | 98 | 180µs | $self->{last_trusted_relay_index}++ if $in_trusted; | ||
156 | 98 | 184µs | $self->{last_internal_relay_index}++ if $in_internal; | ||
157 | 98 | 278µs | next; | ||
158 | } | ||||
159 | |||||
160 | # hack for qmail-scanner, as described above; add in the saved | ||||
161 | # metadata | ||||
162 | 1041 | 1.85ms | if ($qms_env_from) { | ||
163 | $relay->{envfrom} = $qms_env_from; | ||||
164 | $self->make_relay_as_string($relay); | ||||
165 | } | ||||
166 | |||||
167 | # relay status only changes when we're still in the trusted portion of the | ||||
168 | # relays and we haven't yet found an MSA | ||||
169 | 1041 | 3.25ms | if ($in_trusted && !$found_msa) { | ||
170 | 702 | 2.65ms | unless ($did_user_specify_trust || $did_user_specify_internal) { | ||
171 | # OK, infer the trusted/untrusted handover, we don't have real info | ||||
172 | 702 | 1.41ms | my $inferred_as_trusted = 0; | ||
173 | |||||
174 | # if the 'from' IP addr is in a reserved net range, it's not on | ||||
175 | # the public internet. | ||||
176 | 702 | 2.43ms | if ($relay->{ip_private}) { | ||
177 | 469 | 5.67ms | 469 | 5.44ms | dbg("received-header: 'from' ".$relay->{ip}." has private IP"); # spent 5.44ms making 469 calls to Mail::SpamAssassin::Logger::dbg, avg 12µs/call |
178 | 469 | 2.05ms | $inferred_as_trusted = 1; | ||
179 | } | ||||
180 | |||||
181 | # if we find authentication tokens in the received header we can extend | ||||
182 | # the trust boundary to that host | ||||
183 | 702 | 1.63ms | if ($relay->{auth}) { | ||
184 | 1 | 10µs | 1 | 7µs | dbg("received-header: authentication method ".$relay->{auth}); # spent 7µs making 1 call to Mail::SpamAssassin::Logger::dbg |
185 | 1 | 2µs | $inferred_as_trusted = 1; | ||
186 | } | ||||
187 | |||||
188 | # if the user didn't specify any trusted/internal config, everything | ||||
189 | # we assume as trusted is also internal, just like we'd do if they | ||||
190 | # specified trusted but not any internal networks or vice versa | ||||
191 | 702 | 3.07ms | if (!$inferred_as_trusted) { | ||
192 | 233 | 1.59ms | 233 | 1.82ms | dbg("received-header: do not trust any hosts from here on"); # spent 1.82ms making 233 calls to Mail::SpamAssassin::Logger::dbg, avg 8µs/call |
193 | 233 | 494µs | $in_trusted = 0; | ||
194 | 233 | 539µs | $in_internal = 0; | ||
195 | } | ||||
196 | |||||
197 | } else { | ||||
198 | # trusted_networks matches? | ||||
199 | if (!$relay->{auth} && !$trusted->contains_ip($relay->{ip})) { | ||||
200 | if (!$originating) { | ||||
201 | $in_trusted = 0; # break the trust chain | ||||
202 | } else { # caller asserts a msg was submitted from inside or auth'd | ||||
203 | $found_msa = 1; # let's assume the previous hop was actually | ||||
204 | # an MSA, and propagate trust from here on | ||||
205 | dbg('received-header: originating, '. | ||||
206 | '%s and remaining relays will be considered trusted%s', | ||||
207 | $relay->{ip}, !$in_internal ? '' : ', but no longer internal'); | ||||
208 | } | ||||
209 | $in_internal = 0; # if it's not trusted it's not internal | ||||
210 | } else { | ||||
211 | # internal_networks matches? | ||||
212 | if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) { | ||||
213 | $in_internal = 0; | ||||
214 | } | ||||
215 | # msa_networks matches? | ||||
216 | if ($msa->contains_ip($relay->{ip})) { | ||||
217 | dbg('received-header: found MSA relay, remaining relays will be'. | ||||
218 | ' considered trusted: '.($in_trusted ? 'yes' : 'no'). | ||||
219 | ' internal: '.($in_internal ? 'yes' : 'no')); | ||||
220 | $found_msa = 1; | ||||
221 | $relay->{msa} = 1; | ||||
222 | } | ||||
223 | } | ||||
224 | } | ||||
225 | } | ||||
226 | |||||
227 | dbg("received-header: relay ".$relay->{ip}. | ||||
228 | " trusted? ".($in_trusted ? "yes" : "no"). | ||||
229 | " internal? ".($in_internal ? "yes" : "no"). | ||||
230 | 1041 | 16.1ms | 1041 | 11.5ms | " msa? ".($relay->{msa} ? "yes" : "no")); # spent 11.5ms making 1041 calls to Mail::SpamAssassin::Logger::dbg, avg 11µs/call |
231 | |||||
232 | 1041 | 4.25ms | $relay->{internal} = $in_internal; | ||
233 | 1041 | 4.71ms | $relay->{msa} ||= 0; | ||
234 | |||||
235 | # be sure to mark up the as_string version for users too | ||||
236 | 1041 | 62.9ms | 3123 | 16.2ms | $relay->{as_string} =~ s/ intl=\d / intl=$relay->{internal} /; # spent 9.31ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 9µs/call
# spent 6.91ms making 2082 calls to Mail::SpamAssassin::Message::Metadata::CORE:substcont, avg 3µs/call |
237 | 1041 | 35.7ms | 3123 | 12.5ms | $relay->{as_string} =~ s/ msa=\d / msa=$relay->{msa} /; # spent 7.42ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 7µs/call
# spent 5.11ms making 2082 calls to Mail::SpamAssassin::Message::Metadata::CORE:substcont, avg 2µs/call |
238 | |||||
239 | 1041 | 4.18ms | if ($in_trusted) { | ||
240 | 938 | 3.57ms | push (@{$self->{relays_trusted}}, $relay); | ||
241 | 469 | 1.47ms | $self->{allow_fetchmail_markers} = 1; | ||
242 | 469 | 1.04ms | $self->{last_trusted_relay_index}++; | ||
243 | } else { | ||||
244 | 1144 | 4.21ms | push (@{$self->{relays_untrusted}}, $relay); | ||
245 | 572 | 1.38ms | $self->{allow_fetchmail_markers} = 0; | ||
246 | } | ||||
247 | |||||
248 | 1041 | 9.24ms | if ($in_internal) { | ||
249 | 938 | 3.07ms | push (@{$self->{relays_internal}}, $relay); | ||
250 | 469 | 1.09ms | $self->{last_internal_relay_index}++; | ||
251 | } else { | ||||
252 | 1144 | 3.60ms | push (@{$self->{relays_external}}, $relay); | ||
253 | } | ||||
254 | } | ||||
255 | |||||
256 | 469 | 1.57ms | $self->{relays_trusted_str} = join(' ', map { $_->{as_string} } | ||
257 | 468 | 5.39ms | @{$self->{relays_trusted}}); | ||
258 | 572 | 1.81ms | $self->{relays_untrusted_str} = join(' ', map { $_->{as_string} } | ||
259 | 468 | 4.77ms | @{$self->{relays_untrusted}}); | ||
260 | 469 | 1.32ms | $self->{relays_internal_str} = join(' ', map { $_->{as_string} } | ||
261 | 468 | 5.11ms | @{$self->{relays_internal}}); | ||
262 | 572 | 1.63ms | $self->{relays_external_str} = join(' ', map { $_->{as_string} } | ||
263 | 468 | 4.52ms | @{$self->{relays_external}}); | ||
264 | |||||
265 | # OK, we've now split the relay list into trusted and untrusted. | ||||
266 | |||||
267 | # add the stringified representation to the message object, so Bayes | ||||
268 | # and rules can use it. Note that rule_tests.t does not impl put_metadata, | ||||
269 | # so protect against that here. These will not appear in the final | ||||
270 | # message; they're just used internally. | ||||
271 | |||||
272 | 234 | 5.31ms | 234 | 2.01ms | if ($self->{msg}->can ("delete_header")) { # spent 2.01ms making 234 calls to UNIVERSAL::can, avg 9µs/call |
273 | 234 | 4.25ms | 234 | 328ms | $self->{msg}->delete_header ("X-Spam-Relays-Trusted"); # spent 328ms making 234 calls to Mail::SpamAssassin::Message::Node::delete_header, avg 1.40ms/call |
274 | 234 | 3.56ms | 234 | 277ms | $self->{msg}->delete_header ("X-Spam-Relays-Untrusted"); # spent 277ms making 234 calls to Mail::SpamAssassin::Message::Node::delete_header, avg 1.18ms/call |
275 | 234 | 3.97ms | 234 | 262ms | $self->{msg}->delete_header ("X-Spam-Relays-Internal"); # spent 262ms making 234 calls to Mail::SpamAssassin::Message::Node::delete_header, avg 1.12ms/call |
276 | 234 | 3.20ms | 234 | 306ms | $self->{msg}->delete_header ("X-Spam-Relays-External"); # spent 306ms making 234 calls to Mail::SpamAssassin::Message::Node::delete_header, avg 1.31ms/call |
277 | |||||
278 | 234 | 3.62ms | 234 | 1.06ms | if ($self->{msg}->can ("put_metadata")) { # spent 1.06ms making 234 calls to UNIVERSAL::can, avg 5µs/call |
279 | $self->{msg}->put_metadata ("X-Spam-Relays-Trusted", | ||||
280 | 234 | 2.10ms | 234 | 4.33ms | $self->{relays_trusted_str}); # spent 4.33ms making 234 calls to Mail::SpamAssassin::Message::put_metadata, avg 19µs/call |
281 | $self->{msg}->put_metadata ("X-Spam-Relays-Untrusted", | ||||
282 | 234 | 1.82ms | 234 | 4.21ms | $self->{relays_untrusted_str}); # spent 4.21ms making 234 calls to Mail::SpamAssassin::Message::put_metadata, avg 18µs/call |
283 | $self->{msg}->put_metadata ("X-Spam-Relays-Internal", | ||||
284 | 234 | 1.78ms | 234 | 4.15ms | $self->{relays_internal_str}); # spent 4.15ms making 234 calls to Mail::SpamAssassin::Message::put_metadata, avg 18µs/call |
285 | $self->{msg}->put_metadata ("X-Spam-Relays-External", | ||||
286 | 234 | 1.76ms | 234 | 4.01ms | $self->{relays_external_str}); # spent 4.01ms making 234 calls to Mail::SpamAssassin::Message::put_metadata, avg 17µs/call |
287 | } | ||||
288 | } | ||||
289 | |||||
290 | # be helpful; save some cumbersome typing | ||||
291 | 468 | 1.57ms | $self->{num_relays_trusted} = scalar (@{$self->{relays_trusted}}); | ||
292 | 468 | 1.62ms | $self->{num_relays_untrusted} = scalar (@{$self->{relays_untrusted}}); | ||
293 | 468 | 1.51ms | $self->{num_relays_internal} = scalar (@{$self->{relays_internal}}); | ||
294 | 468 | 1.51ms | $self->{num_relays_external} = scalar (@{$self->{relays_external}}); | ||
295 | |||||
296 | 234 | 2.53ms | 234 | 1.89ms | dbg("metadata: X-Spam-Relays-Trusted: ".$self->{relays_trusted_str}); # spent 1.89ms making 234 calls to Mail::SpamAssassin::Logger::dbg, avg 8µs/call |
297 | 234 | 2.46ms | 234 | 1.71ms | dbg("metadata: X-Spam-Relays-Untrusted: ".$self->{relays_untrusted_str}); # spent 1.71ms making 234 calls to Mail::SpamAssassin::Logger::dbg, avg 7µs/call |
298 | 234 | 2.10ms | 234 | 1.58ms | dbg("metadata: X-Spam-Relays-Internal: ".$self->{relays_internal_str}); # spent 1.58ms making 234 calls to Mail::SpamAssassin::Logger::dbg, avg 7µs/call |
299 | 234 | 4.98ms | 234 | 1.64ms | dbg("metadata: X-Spam-Relays-External: ".$self->{relays_external_str}); # spent 1.64ms making 234 calls to Mail::SpamAssassin::Logger::dbg, avg 7µs/call |
300 | } | ||||
301 | |||||
302 | # --------------------------------------------------------------------------- | ||||
303 | |||||
304 | # returns undef if the header just couldn't be parsed | ||||
305 | # returns 0 if the header was specifically skipped | ||||
306 | # returns a hash of information if the header is parsed, including: | ||||
307 | # ip => $ip, | ||||
308 | # by => $by, | ||||
309 | # helo => $helo, | ||||
310 | # id => $id, | ||||
311 | # ident => $ident, | ||||
312 | # envfrom => $envfrom, | ||||
313 | # lc_by => (lc $by), | ||||
314 | # lc_helo => (lc $helo), | ||||
315 | # auth => $auth | ||||
316 | # | ||||
317 | # spent 1.70s (1.06+640ms) within Mail::SpamAssassin::Message::Metadata::parse_received_line which was called 1139 times, avg 1.49ms/call:
# 1139 times (1.06s+640ms) by Mail::SpamAssassin::Message::Metadata::parse_received_headers at line 147, avg 1.49ms/call | ||||
318 | 1139 | 3.38ms | my ($self) = shift; | ||
319 | 1139 | 6.48ms | local ($_) = shift; | ||
320 | 1139 | 8.37ms | local ($1,$2,$3,$4,$5,$6); | ||
321 | |||||
322 | 1139 | 49.0ms | 1139 | 40.9ms | s/\s+/ /g; # spent 40.9ms making 1139 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 36µs/call |
323 | 1139 | 10.9ms | 1139 | 2.81ms | s/^ //; # spent 2.81ms making 1139 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 2µs/call |
324 | 1139 | 17.7ms | 1139 | 10.1ms | s/ $//; # spent 10.1ms making 1139 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 9µs/call |
325 | |||||
326 | # get rid of invalid semicolon at the end of the header | ||||
327 | 1139 | 13.5ms | 1139 | 2.78ms | 1 while s/\s?;$//; # spent 2.78ms making 1139 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 2µs/call |
328 | |||||
329 | 1139 | 2.32ms | my $ip = ''; | ||
330 | 1139 | 2.12ms | my $helo = ''; | ||
331 | 1139 | 2.05ms | my $rdns = ''; | ||
332 | 1139 | 2.08ms | my $by = ''; | ||
333 | 1139 | 2.04ms | my $id = ''; | ||
334 | 1139 | 2.05ms | my $ident = ''; | ||
335 | 1139 | 2.30ms | my $envfrom = ''; | ||
336 | 1139 | 2.00ms | my $mta_looked_up_dns = 0; | ||
337 | 1139 | 2.03ms | my $IP_ADDRESS = IP_ADDRESS; | ||
338 | 1139 | 2.04ms | my $IP_PRIVATE = IP_PRIVATE; | ||
339 | 1139 | 2.01ms | my $LOCALHOST = LOCALHOST; | ||
340 | 1139 | 2.21ms | my $auth = ''; | ||
341 | |||||
342 | # --------------------------------------------------------------------------- | ||||
343 | |||||
344 | # We care about lines starting with from. all of the others are ignorable: | ||||
345 | # Bug 4943: give /^(from/ a chance to be parsed | ||||
346 | # | ||||
347 | # (qmail 27981 invoked by uid 225); 14 Mar 2003 07:24:34 -0000 | ||||
348 | # (qmail 84907 invoked from network); 13 Feb 2003 20:59:28 -0000 | ||||
349 | # (ofmipd 208.31.42.38); 17 Mar 2003 04:09:01 -0000 | ||||
350 | # by faerber.muc.de (OpenXP/32 v3.9.4 (Win32) alpha @ 2003-03-07-1751d); 07 Mar 2003 22:10:29 +0000 | ||||
351 | # by x.x.org (bulk_mailer v1.13); Wed, 26 Mar 2003 20:44:41 -0600 | ||||
352 | # by SPIDERMAN with Internet Mail Service (5.5.2653.19) id <19AF8VY2>; Tue, 25 Mar 2003 11:58:27 -0500 | ||||
353 | # by oak.ein.cz (Postfix, from userid 1002) id DABBD1BED3; Thu, 13 Feb 2003 14:02:21 +0100 (CET) | ||||
354 | # OTM-MIX(otm-mix00) id k5N1aDtp040896; Fri, 23 Jun 2006 10:36:14 +0900 (JST) | ||||
355 | # at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2) from infodrom.org by finlandia.Infodrom.North.DE via smail from stdin id <m1FglM8-000okjC@finlandia.Infodrom.North.DE> for debian-security-announce@lists.debian.org; Thu, 18 May 2006 18:28:08 +0200 (CEST) | ||||
356 | # with ECARTIS (v1.0.0; list bind-announce); Fri, 18 Aug 2006 07:19:58 +0000 (UTC) | ||||
357 | # Received: Message by Barricade wilhelm.eyp.ee with ESMTP id h1I7hGU06122 for <spamassassin-talk@lists.sourceforge.net>; Tue, 18 Feb 2003 09:43:16 +0200 | ||||
358 | 1139 | 26.9ms | 1139 | 10.7ms | return 0 if (!/^\(?from /i); # spent 10.7ms making 1139 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 9µs/call |
359 | |||||
360 | # from www-data by wwwmail.documenta.de (Exim 4.50) with local for <example@vandinter.org> id 1GFbZc-0006QV-L8; Tue, 22 Aug 2006 21:06:04 +0200 | ||||
361 | # from server.yourhostingaccount.com with local for example@vandinter.org id 1GDtdl-0002GU-QE (8710); Thu, 17 Aug 2006 21:59:17 -0400 | ||||
362 | 1063 | 19.4ms | 1063 | 3.31ms | return 0 if /\bwith local for\b/; # spent 3.31ms making 1063 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
363 | |||||
364 | # Received: from virtual-access.org by bolero.conactive.com ; Thu, 20 Feb 2003 23:32:58 +0100 | ||||
365 | # Received: FROM ca-ex-bridge1.nai.com BY scwsout1.nai.com ; Fri Feb 07 10:18:12 2003 -0800 | ||||
366 | # but not: Received: from [86.122.158.69] by mta2.iomartmail.com; Thu, 2 Aug 2007 21:50:04 -0200 | ||||
367 | 1063 | 15.4ms | 1063 | 8.92ms | if (/^from (\S+) by [^\s;]+ ?;/i && $1 !~ /^\[[\d.]+\]$/) { return 0; } # spent 8.92ms making 1063 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 8µs/call |
368 | |||||
369 | # --------------------------------------------------------------------------- | ||||
370 | |||||
371 | # Let's get rid of the date at the end | ||||
372 | # ; Tue, 23 May 2006 13:06:35 -0400 | ||||
373 | 1063 | 39.0ms | 1063 | 31.8ms | s/[\s;]+(?:(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), )?\d+ (?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec) \d+ \d+:\d+(?::\d+)? \S+$//; # spent 31.8ms making 1063 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 30µs/call |
374 | |||||
375 | # from av0001.technodiva.com (localhost [127.0.0.1])by localhost.technodiva.com (Postfix) with ESMTP id 846CF2117for <proftp-user@lists.sourceforge.net>; Mon, 7 Aug 2006 17:48:07 +0200 (MEST) | ||||
376 | 1063 | 11.8ms | 1063 | 3.57ms | s/\)by /) by /; # spent 3.57ms making 1063 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 3µs/call |
377 | |||||
378 | # --------------------------------------------------------------------------- | ||||
379 | |||||
380 | # OK -- given knowledge of most Received header formats, | ||||
381 | # break them down. We have to do something like this, because | ||||
382 | # some MTAs will swap position of rdns and helo -- so we can't | ||||
383 | # simply use simplistic regexps. | ||||
384 | |||||
385 | # try to catch unique message identifier | ||||
386 | 1063 | 19.1ms | 1063 | 9.25ms | if (/ id <?([^\s<>;]{3,})/) { # spent 9.25ms making 1063 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 9µs/call |
387 | 1006 | 3.60ms | $id = $1; | ||
388 | } | ||||
389 | |||||
390 | 1063 | 37.5ms | 2117 | 16.1ms | if (/\bhelo=([-A-Za-z0-9\.\^+_&:=?!@%*\$\\\/]+)(?:[^-A-Za-z0-9\.\^+_&:=?!@%*\$\\\/]|$)/) { # spent 16.1ms making 2117 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 8µs/call |
391 | 9 | 31µs | $helo = $1; | ||
392 | } | ||||
393 | elsif (/\b(?:HELO|EHLO) ([-A-Za-z0-9\.\^+_&:=?!@%*\$\\\/]+)(?:[^-A-Za-z0-9\.\^+_&:=?!@%*\$\\\/]|$)/) { | ||||
394 | 4 | 13µs | $helo = $1; | ||
395 | } | ||||
396 | 2116 | 21.1ms | 1063 | 8.22ms | if (/ by (\S+)(?:[^-A-Za-z0-9\;\.]|$)/) { $by = $1; } # spent 8.22ms making 1063 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 8µs/call |
397 | |||||
398 | # --------------------------------------------------------------------------- | ||||
399 | |||||
400 | # try to catch authenticated message identifier | ||||
401 | # | ||||
402 | # with ESMTPA, ESMTPSA, LMTPA, LMTPSA should cover RFC 3848 compliant MTAs, | ||||
403 | # UTF8SMTPA and UTF8LMTPA are covered by RFC 4954 and RFC 6531, | ||||
404 | # with ASMTP (Authenticated SMTP) is used by Earthlink, Exim 4.34, and others | ||||
405 | # with HTTP should only be authenticated webmail sessions | ||||
406 | # with HTTPU is used by Communigate Pro with Pronto! webmail interface | ||||
407 | # IANA registry: http://www.iana.org/assignments/mail-parameters/mail-parameters.xhtml | ||||
408 | 1063 | 178ms | 13571 | 73.5ms | if (/ by / && / with ((?:ES|L|UTF8S|UTF8L)MTPS?A|ASMTP|HTTPU?)(?: |;|$)/i) { # spent 61.4ms making 12528 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call
# spent 12.1ms making 1043 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 12µs/call |
409 | 19 | 65µs | $auth = $1; | ||
410 | } | ||||
411 | # GMail should use ESMTPSA to indicate that it is in fact authenticated, | ||||
412 | # but doesn't. | ||||
413 | elsif (/ by mx\.google\.com with ESMTPS id [a-z0-9]{1,4}sm[0-9]{2,9}[a-z]{3}\.[0-9]{1,3}\.[0-9]{4}\.(?:[0-6][0-9]\.){4}[0-6][0-9]/ && /\(version=([^ ]+) cipher=([^\)]+)\)/ ) { | ||||
414 | $auth = 'GMail - transport=' . $1 . ' cipher=' . $2; | ||||
415 | } | ||||
416 | # Courier v0.47 and possibly others | ||||
417 | elsif (/^from .*?(?:\]\)|\)\]) \(AUTH: (LOGIN|PLAIN|DIGEST-MD5|CRAM-MD5) \S+(?:, .*?)?\) by /) { | ||||
418 | $auth = $1; | ||||
419 | } | ||||
420 | # Sendmail, MDaemon, some webmail servers, and others | ||||
421 | elsif (/authenticated/ && /^from .*?(?:\](?: \([^)]*\))?\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) { | ||||
422 | 1 | 2µs | $auth = 'Sendmail'; | ||
423 | } | ||||
424 | # workaround for GMX, which authenticates users but does not indicate it properly - # SMTP version | ||||
425 | elsif (/from \S* \((?:HELO|EHLO) (\S*)\) \[(${IP_ADDRESS})\] by (mail\.gmx\.(?:net|com)) \([^\)]+\) with ((?:ESMTP|SMTP))/) { | ||||
426 | $auth = "GMX ($4 / $3)"; | ||||
427 | } | ||||
428 | # Critical Path Messaging Server | ||||
429 | elsif (/ \(authenticated as /&&/\) by .+ \(\d{1,2}\.\d\.\d{3}(?:\.\d{1,3})?\) \(authenticated as .+\) id /) { | ||||
430 | 4 | 10µs | $auth = 'CriticalPath'; | ||
431 | } | ||||
432 | # Postfix 2.3 and later with "smtpd_sasl_authenticated_header yes" | ||||
433 | elsif (/\) \(Authenticated sender: \S+\) by \S+ \(Postfix\) with /) { | ||||
434 | $auth = 'Postfix'; | ||||
435 | } | ||||
436 | # Communigate Pro - Bug 6495 adds HTTP as possible transmission method | ||||
437 | elsif (/CommuniGate Pro (HTTP|SMTP)/ && / \(account /) { | ||||
438 | $auth = 'Communigate'; | ||||
439 | } | ||||
440 | # Microsoft Exchange (complete with syntax error) | ||||
441 | elsif (/ with Microsoft Exchange Server HTTP-DAV\b/) { | ||||
442 | $auth = 'HTTP-DAV'; | ||||
443 | } | ||||
444 | # froufrou mailers like United Internet use a '(via HTTP)' comment, Bug 7101 | ||||
445 | elsif (/ by / && / \(via (HTTP.?)\)(?: |;|$)/i) { | ||||
446 | $auth = $1; | ||||
447 | } | ||||
448 | |||||
449 | # --------------------------------------------------------------------------- | ||||
450 | |||||
451 | 1063 | 17.1ms | 1063 | 10.1ms | if (s/^from //) { # spent 10.1ms making 1063 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 9µs/call |
452 | # try to catch enveloper senders | ||||
453 | 1063 | 35.0ms | 1063 | 19.4ms | if (/(?:return-path:? |envelope-(?:sender|from)[ =])(\S+)\b/i) { # spent 19.4ms making 1063 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 18µs/call |
454 | 34 | 120µs | $envfrom = $1; | ||
455 | } | ||||
456 | |||||
457 | # from 142.169.110.122 (SquirrelMail authenticated user synapse) by | ||||
458 | # mail.nomis80.org with HTTP; Sat, 3 Apr 2004 10:33:43 -0500 (EST) | ||||
459 | # Expanded to NaSMail Bug 6783 | ||||
460 | 1063 | 11.2ms | 1063 | 3.20ms | if (/ \((?:SquirrelMail|NaSMail) authenticated user /) { # spent 3.20ms making 1063 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
461 | #REVERTING bug 3236 and implementing re: bug 6549 | ||||
462 | if (/(${IP_ADDRESS})\b(?![.-]).{10,80}by (\S+) with HTTP/) { | ||||
463 | $ip = $1; $by = $2; goto enough; | ||||
464 | } | ||||
465 | } | ||||
466 | |||||
467 | # AOL WebMail headers | ||||
468 | 1063 | 18.1ms | 1067 | 3.21ms | if (/aol\.com/ && /with HTTP \(WebMailUI\)/) { # spent 3.21ms making 1067 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
469 | # Received: from 82.135.198.129 by FWM-M18.sysops.aol.com (64.12.168.82) with HTTP (WebMailUI); Tue, 19 Jun 2007 11:16:54 -0400 | ||||
470 | if(/(${IP_ADDRESS}) by (\S+) \(${IP_ADDRESS}\) with HTTP \(WebMailUI\)/) { | ||||
471 | $ip = $1; $by = $2; goto enough; | ||||
472 | } | ||||
473 | } | ||||
474 | |||||
475 | # catch MS-ish headers here | ||||
476 | 1063 | 53.8ms | 6070 | 20.0ms | if (/ SMTPSVC/) { # spent 20.0ms making 6070 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
477 | # MS servers using this fmt do not lookup the rDNS. | ||||
478 | # Received: from inet-vrs-05.redmond.corp.microsoft.com ([157.54.6.157]) | ||||
479 | # by INET-IMC-05.redmond.corp.microsoft.com with Microsoft | ||||
480 | # SMTPSVC(5.0.2195.6624); Thu, 6 Mar 2003 12:02:35 -0800 | ||||
481 | # Received: from 0 ([61.31.135.91]) by bass.bass.com.eg with Microsoft | ||||
482 | # SMTPSVC(5.0.2195.6713); Tue, 21 Sep 2004 08:59:06 +0300 | ||||
483 | # Received: from 0 ([61.31.138.57] RDNS failed) by nccdi.com with | ||||
484 | # Microsoft SMTPSVC(6.0.3790.0); Thu, 23 Sep 2004 08:51:06 -0700 | ||||
485 | # Received: from tthompson ([217.35.105.172] unverified) by | ||||
486 | # mail.neosinteractive.com with Microsoft SMTPSVC(5.0.2195.5329); | ||||
487 | # Tue, 11 Mar 2003 13:23:01 +0000 | ||||
488 | # Received: from ([172.16.1.78]) by email2.codeworksonline.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Sep 2006 21:14:29 -0400 | ||||
489 | 29 | 1.78ms | 58 | 1.42ms | if (/^(\S*) \(\[(${IP_ADDRESS})\][^\)]{0,40}\) by (\S+) with Microsoft SMTPSVC/) { # spent 772µs making 29 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 27µs/call
# spent 645µs making 29 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 22µs/call |
490 | $helo = $1; $ip = $2; $by = $3; goto enough; | ||||
491 | } | ||||
492 | |||||
493 | # Received: from mail pickup service by mail1.insuranceiq.com with | ||||
494 | # Microsoft SMTPSVC; Thu, 13 Feb 2003 19:05:39 -0500 | ||||
495 | 29 | 296µs | 29 | 84µs | if (/^mail pickup service by (\S+) with Microsoft SMTPSVC$/) { # spent 84µs making 29 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
496 | return 0; | ||||
497 | } | ||||
498 | } | ||||
499 | |||||
500 | elsif (/\[XMail /) { # bug 3791, bug 4053 | ||||
501 | # Received: from list.brainbuzz.com (63.146.189.86:23198) by mx1.yourtech.net with [XMail 1.20 ESMTP Server] id <S72E> for <jason@ellingson.org.spamassassin.org> from <bounce-cscommunity-11965901@list.cramsession.com.spamassassin.org>; Sat, 18 Sep 2004 23:17:54 -0500 | ||||
502 | # Received: from list.brainbuzz.com (63.146.189.86:23198) by mx1.yourtech.net (209.32.147.34:25) with [XMail 1.20 ESMTP Server] id <S72E> for <jason@ellingson.org.spamassassin.org> from <bounce-cscommunity-11965901@list.cramsession.com.spamassassin.org>; Sat, 18 Sep 2004 23:17:54 -0500 | ||||
503 | if (/^(\S+) \((\[?${IP_ADDRESS}\]?)(?::\d+)\) by (\S+)(?: \(\S+\))? with \[XMail/) | ||||
504 | { | ||||
505 | $helo = $1; $ip = $2; $by = $3; | ||||
506 | / id <(\S+)>/ and $id = $1; | ||||
507 | / from <(\S+)>/ and $envfrom = $1; | ||||
508 | goto enough; | ||||
509 | } | ||||
510 | } | ||||
511 | |||||
512 | # from ([10.225.209.19:33672]) by ecelerity-va-1 (ecelerity HEAD) with SMTP id EE/20-30863-33CE1054; Fri, 08 Sep 2006 18:18:27 -0400 | ||||
513 | # from ([127.0.0.1:32923]) by bm1-21.ed10.com (ecelerity 2.1.1ea r(11031M)) with ECSTREAM id 8B/57-16227-3764EB44 for <example@vandinter.org>; Wed, 19 Jul 2006 10:49:23 -0400 | ||||
514 | # from ([192.168.1.151:49601] helo=dev1.democracyinaction.org) by m12.prod.democracyinaction.com (ecelerity 2.1.1.3 r(11743)) with ESMTP id 52/92-02454-89FBA054 for <example@vandinter.org>; Fri, 15 Sep 2006 10:58:32 -0400 | ||||
515 | elsif (/\(ecelerity\b/) { | ||||
516 | 17 | 962µs | 34 | 742µs | if (/^\(\[(${IP_ADDRESS}):\d+\] helo=(\S+)\) by (\S+) /) { # spent 668µs making 17 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 39µs/call
# spent 75µs making 17 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
517 | $ip = $1; $helo = $2; $by = $3; | ||||
518 | goto enough; | ||||
519 | } | ||||
520 | |||||
521 | 17 | 938µs | 34 | 713µs | if (/^\S+ \(\[(${IP_ADDRESS}):\d+\]\) by (\S+) /) { # spent 531µs making 17 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 31µs/call
# spent 182µs making 17 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 11µs/call |
522 | 26 | 77µs | $ip = $1; $by = $2; | ||
523 | 13 | 1.59ms | goto enough; | ||
524 | } | ||||
525 | } | ||||
526 | |||||
527 | elsif (/Exim/) { | ||||
528 | # one of the HUGE number of Exim formats :( | ||||
529 | # This must be scriptable. (update: it is. cf bug 3950, 3582) | ||||
530 | # mss 2004-09-27: See <http://www.exim.org/exim-html-4.40/doc/html/spec_14.html#IX1315> | ||||
531 | |||||
532 | # from root (helo=candygram.thunk.org) by thunker.thunk.org with local-esmtps (tls_cipher TLS-1.0:RSA_AES_256_CBC_SHA:32) (Exim 4.50 #1 (Debian)) id 1FwHqR-0008Bw-OG; Fri, 30 Jun 2006 08:11:35 -0400 | ||||
533 | # from root (helo=localhost) by broadcast.iac.iafrica.com with local-bsmtp (Exim 4.30; FreeBSD) id 1GN22d-0000xp-2K for example@vandinter.org; Tue, 12 Sep 2006 08:46:43 +0200 | ||||
534 | # from smarter (helo=localhost) by mx1-out.lists.smarterliving.com with local-bsmtp (Exim 4.24) id 1GIRA2-0007IZ-4n for example@vandinter.org; Wed, 30 Aug 2006 10:35:22 -0400 | ||||
535 | # Received: from andrew by trinity.supernews.net with local (Exim 4.12) id 18xeL6-000Dn1-00; Tue, 25 Mar 2003 02:39:00 +0000 | ||||
536 | 5 | 80µs | 3 | 16µs | if (/\bwith local(?:-\S+)? /) { return 0; } # spent 16µs making 3 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
537 | |||||
538 | # Received: from [61.174.163.26] (helo=host) by sc8-sf-list1.sourceforge.net with smtp (Exim 3.31-VA-mm2 #1 (Debian)) id 18t2z0-0001NX-00 for <razor-users@lists.sourceforge.net>; Wed, 12 Mar 2003 01:57:10 -0800 | ||||
539 | # Received: from [218.19.142.229] (helo=hotmail.com ident=yiuhyotp) by yzordderrex with smtp (Exim 3.35 #1 (Debian)) id 194BE5-0005Zh-00; Sat, 12 Apr 2003 03:58:53 +0100 | ||||
540 | 1 | 516µs | 2 | 494µs | if (/^\[(${IP_ADDRESS})\] \((.*?)\) by (\S+) /) { # spent 486µs making 1 call to Mail::SpamAssassin::Message::Metadata::CORE:regcomp
# spent 9µs making 1 call to Mail::SpamAssassin::Message::Metadata::CORE:match |
541 | 3 | 10µs | $ip = $1; my $sub = $2; $by = $3; | ||
542 | 1 | 18µs | 1 | 8µs | $sub =~ s/helo=(\S+)// and $helo = $1; # spent 8µs making 1 call to Mail::SpamAssassin::Message::Metadata::CORE:subst |
543 | 1 | 12µs | 1 | 4µs | $sub =~ s/ident=(\S*)// and $ident = $1; # spent 4µs making 1 call to Mail::SpamAssassin::Message::Metadata::CORE:subst |
544 | 1 | 137µs | goto enough; | ||
545 | } | ||||
546 | |||||
547 | # Received: from sc8-sf-list1-b.sourceforge.net ([10.3.1.13] helo=sc8-sf-list1.sourceforge.net) by sc8-sf-list2.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian)) id 18t301-0007Bh-00; Wed, 12 Mar 2003 01:58:13 -0800 | ||||
548 | # Received: from dsl092-072-213.bos1.dsl.speakeasy.net ([66.92.72.213] helo=blazing.arsecandle.org) by sc8-sf-list1.sourceforge.net with esmtp (Cipher TLSv1:DES-CBC3-SHA:168) (Exim 3.31-VA-mm2 #1 (Debian)) id 18lyuU-0007TI-00 for <SpamAssassin-talk@lists.sourceforge.net>; Thu, 20 Feb 2003 14:11:18 -0800 | ||||
549 | # Received: from eclectic.kluge.net ([66.92.69.221] ident=[W9VcNxE2vKxgWHD05PJbLzIHSxcmZQ/O]) by sc8-sf-list1.sourceforge.net with esmtp (Cipher TLSv1:DES-CBC3-SHA:168) (Exim 3.31-VA-mm2 #1 (Debian)) id 18m0hT-00031I-00 for <spamassassin-talk@lists.sourceforge.net>; Thu, 20 Feb 2003 16:06:00 -0800 | ||||
550 | # Received: from mail.ssccbelen.edu.pe ([216.244.149.154]) by yzordderrex | ||||
551 | # with esmtp (Exim 3.35 #1 (Debian)) id 18tqiz-000702-00 for | ||||
552 | # <jm@example.com>; Fri, 14 Mar 2003 15:03:57 +0000 | ||||
553 | # Received: from server040.webpack.hosteurope.de ([80.237.130.48]:52313) | ||||
554 | # by vps832469583.serverpool.info with esmtps | ||||
555 | # (TLS-1.0:DHE_RSA_3DES_EDE_CBC_SHA:24) (Exim 4.50) id 1GzVLs-0002Oz-7b... | ||||
556 | if (/^(\S+) \(\[(${IP_ADDRESS})\](.*?)\) by (\S+) /) { | ||||
557 | $rdns=$1; $ip = $2; my $sub = $3; $by = $4; | ||||
558 | $helo=$rdns; # default, apparently: bug 5112 | ||||
559 | $sub =~ s/helo=(\S+)// and $helo = $1; | ||||
560 | $sub =~ s/ident=(\S*)// and $ident = $1; | ||||
561 | goto enough; | ||||
562 | } | ||||
563 | |||||
564 | # Received: from boggle.ihug.co.nz [203.109.252.209] by grunt6.ihug.co.nz | ||||
565 | # with esmtp (Exim 3.35 #1 (Debian)) id 18SWRe-0006X6-00; Sun, 29 Dec | ||||
566 | # 2002 18:57:06 +1300 | ||||
567 | if (/^(\S+) \[(${IP_ADDRESS})\](:\d+)? by (\S+) /) { | ||||
568 | $rdns= $1; $ip = $2; $helo = $1; $by = $4; goto enough; | ||||
569 | } | ||||
570 | |||||
571 | # attempt to deal with other odd Exim formats; just match little bits | ||||
572 | # of the header. | ||||
573 | # Received: from helene8.i.pinwand.net (helene.cats.ms) [10.0.8.6.13219] | ||||
574 | # (mail) by lisbeth.i.pinwand.net with esmtp (Exim 3.35 #1 (Debian)) id | ||||
575 | # 1CO5y7-0001vC-00; Sun, 31 Oct 2004 04:01:23 +0100 | ||||
576 | if (/^(\S+) /) { | ||||
577 | $rdns= $1; # assume this is the rDNS, not HELO. is this appropriate? | ||||
578 | } | ||||
579 | if (/ \((\S+)\) /) { | ||||
580 | $helo = $1; | ||||
581 | } | ||||
582 | if (/ \[(${IP_ADDRESS})(?:\.\d+)?\] /) { | ||||
583 | $ip = $1; | ||||
584 | } | ||||
585 | if (/by (\S+) /) { | ||||
586 | $by = $1; | ||||
587 | # now, if we have a "by" and an IP, that's enough for most uses; | ||||
588 | # we have to make do with that. | ||||
589 | if ($ip) { goto enough; } | ||||
590 | } | ||||
591 | |||||
592 | # else it's probably forged. fall through | ||||
593 | } | ||||
594 | |||||
595 | elsif (/ \(Postfix\) with/) { | ||||
596 | # Received: from localhost (unknown [127.0.0.1]) | ||||
597 | # by cabbage.jmason.org (Postfix) with ESMTP id A96E18BD97 | ||||
598 | # for <jm@localhost>; Thu, 13 Mar 2003 15:23:15 -0500 (EST) | ||||
599 | 560 | 28.1ms | 1120 | 12.3ms | if ( /^(\S+) \((\S+) \[(${IP_ADDRESS})\]\) by (\S+) / ) { # spent 6.49ms making 560 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 12µs/call
# spent 5.76ms making 560 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 10µs/call |
600 | 415 | 797µs | $mta_looked_up_dns = 1; | ||
601 | 1660 | 6.11ms | $helo = $1; $rdns = $2; $ip = $3; $by = $4; | ||
602 | 465 | 1.49ms | if ($rdns eq 'unknown') { $rdns = ''; } | ||
603 | 415 | 105ms | goto enough; | ||
604 | } | ||||
605 | |||||
606 | # Received: from 207.8.214.3 (unknown[211.94.164.65]) | ||||
607 | # by puzzle.pobox.com (Postfix) with SMTP id 9029AFB732; | ||||
608 | # Sat, 8 Nov 2003 17:57:46 -0500 (EST) | ||||
609 | # (Pobox.com version: reported in bug 2745) | ||||
610 | 145 | 4.56ms | 290 | 2.67ms | if ( /^(\S+) \((\S+)\[(${IP_ADDRESS})\]\) by (\S+) / ) { # spent 2.05ms making 145 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 14µs/call
# spent 621µs making 145 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
611 | $mta_looked_up_dns = 1; | ||||
612 | $helo = $1; $rdns = $2; $ip = $3; $by = $4; | ||||
613 | if ($rdns eq 'unknown') { $rdns = ''; } | ||||
614 | goto enough; | ||||
615 | } | ||||
616 | } | ||||
617 | |||||
618 | elsif (/\(Scalix SMTP Relay/) { | ||||
619 | # from DPLAPTOP ( 72.242.176.162) by mail.puryear-it.com (Scalix SMTP Relay 10.0.1.3) via ESMTP; Fri, 23 Jun 2006 16:39:47 -0500 (CDT) | ||||
620 | if (/^(\S+) \( ?(${IP_ADDRESS})\) by (\S+)/) { | ||||
621 | $helo = $1; $ip = $2; $by = $3; goto enough; | ||||
622 | } | ||||
623 | } | ||||
624 | |||||
625 | elsif (/ \(Lotus Domino /) { | ||||
626 | # it seems Domino never records the rDNS: bug 5926 | ||||
627 | if (/^(\S+) \(\[(${IP_ADDRESS})\]\) by (\S+) \(Lotus/) { | ||||
628 | $mta_looked_up_dns = 0; | ||||
629 | $helo = $1; $ip = $2; $by = $3; goto enough; | ||||
630 | } | ||||
631 | } | ||||
632 | |||||
633 | # Received: from 217.137.58.28 ([217.137.58.28]) | ||||
634 | # by webmail.ukonline.net (IMP) with HTTP | ||||
635 | # for <anarchyintheuk@localhost>; Sun, 11 Apr 2004 00:31:07 +0100 | ||||
636 | 632 | 8.09ms | 636 | 3.41ms | if (/\bwith HTTP\b/ && # more efficient split up this way # spent 2.43ms making 634 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call
# spent 977µs making 2 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 489µs/call |
637 | /^(${IP_ADDRESS}) \(\[${IP_ADDRESS}\]\) by (\S+)/) | ||||
638 | { | ||||
639 | # some smarty-pants decided to fake a numeric HELO for HTTP | ||||
640 | # no rDNS for this format? | ||||
641 | $ip = $1; $by = $2; goto enough; | ||||
642 | } | ||||
643 | |||||
644 | # MiB: 2003/11/29 Some qmail-ldap headers may be misinterpreted as sendmail-headers | ||||
645 | # resulting in a messed-up interpretation. We have to skip sendmail tests | ||||
646 | # if we find evidence that this is a qmail-ldap header. | ||||
647 | # | ||||
648 | 632 | 14.3ms | 632 | 1.76ms | unless (/ by \S+ \(qmail-\S+\) with /) { # spent 1.76ms making 632 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
649 | # | ||||
650 | # sendmail: | ||||
651 | # Received: from mail1.insuranceiq.com (host66.insuranceiq.com [65.217.159.66] (may be forged)) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id h2F0c2x31856 for <jm@jmason.org>; Sat, 15 Mar 2003 00:38:03 GMT | ||||
652 | # Received: from BAY0-HMR08.adinternal.hotmail.com (bay0-hmr08.bay0.hotmail.com [65.54.241.207]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id h2DBpvs24047 for <webmaster@efi.ie>; Thu, 13 Mar 2003 11:51:57 GMT | ||||
653 | # Received: from ran-out.mx.develooper.com (IDENT:qmailr@one.develooper.com [64.81.84.115]) by dogma.slashnull.org (8.11.6/8.11.6) with SMTP id h381Vvf19860 for <jm-cpan@jmason.org>; Tue, 8 Apr 2003 02:31:57 +0100 | ||||
654 | # from rev.net (natpool62.rev.net [63.148.93.62] (may be forged)) (authenticated) by mail.rev.net (8.11.4/8.11.4) with ESMTP id h0KKa7d32306 for <spamassassin-talk@lists.sourceforge.net> | ||||
655 | # | ||||
656 | 632 | 20.7ms | 1264 | 12.0ms | if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\].*\) by (\S+) \(/) { # spent 6.39ms making 632 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 10µs/call
# spent 5.58ms making 632 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 9µs/call |
657 | 151 | 264µs | $mta_looked_up_dns = 1; | ||
658 | 604 | 1.72ms | $helo = $1; $rdns = $2; $ip = $3; $by = $4; | ||
659 | 151 | 1.47ms | 151 | 435µs | $rdns =~ s/^IDENT:([^\@]*)\@// and $ident = $1; # remove IDENT lookups # spent 435µs making 151 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 3µs/call |
660 | 151 | 1.39ms | 151 | 427µs | $rdns =~ s/^([^\@]*)\@// and $ident = $1; # remove IDENT lookups # spent 427µs making 151 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 3µs/call |
661 | 151 | 18.0ms | goto enough; | ||
662 | } | ||||
663 | } | ||||
664 | |||||
665 | # --------------------------------------------------------------------------- | ||||
666 | |||||
667 | ## OK, AT THIS POINT FORMATS GET A BIT NON-STANDARD | ||||
668 | |||||
669 | # Received: from ns.elcanto.co.kr (66.161.246.58 [66.161.246.58]) by | ||||
670 | # mail.ssccbelen.edu.pe with SMTP (Microsoft Exchange Internet Mail Service | ||||
671 | # Version 5.5.1960.3) id G69TW478; Thu, 13 Mar 2003 14:01:10 -0500 | ||||
672 | 481 | 13.4ms | 962 | 7.41ms | if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\) by (\S+) with \S+ \(/) { # spent 4.31ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 9µs/call
# spent 3.10ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
673 | $mta_looked_up_dns = 1; | ||||
674 | $rdns = $2; $ip = $3; $helo = $1; $by = $4; goto enough; | ||||
675 | } | ||||
676 | |||||
677 | # from mail2.detr.gsi.gov.uk ([51.64.35.18] helo=ahvfw.dtlr.gsi.gov.uk) by mail4.gsi.gov.uk with smtp id 190K1R-0000me-00 for spamassassin-talk-admin@lists.sourceforge.net; Tue, 01 Apr 2003 12:33:46 +0100 | ||||
678 | 481 | 20.8ms | 962 | 7.52ms | if (/^(\S+) \(\[(${IP_ADDRESS})\] helo=(\S+)\) by (\S+) with /) { # spent 5.11ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 11µs/call
# spent 2.41ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
679 | $rdns = $1; $ip = $2; $helo = $3; $by = $4; | ||||
680 | goto enough; | ||||
681 | } | ||||
682 | |||||
683 | # from 12-211-5-69.client.attbi.com (<unknown.domain>[12.211.5.69]) by rwcrmhc53.attbi.com (rwcrmhc53) with SMTP id <2002112823351305300akl1ue>; Thu, 28 Nov 2002 23:35:13 +0000 | ||||
684 | 481 | 20.6ms | 962 | 7.14ms | if (/^(\S+) \(<unknown\S*>\[(${IP_ADDRESS})\]\) by (\S+) /) { # spent 4.89ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 10µs/call
# spent 2.25ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
685 | $helo = $1; $ip = $2; $by = $3; | ||||
686 | goto enough; | ||||
687 | } | ||||
688 | |||||
689 | # from attbi.com (h000502e08144.ne.client2.attbi.com[24.128.27.103]) by rwcrmhc53.attbi.com (rwcrmhc53) with SMTP id <20030222193438053008f7tee>; Sat, 22 Feb 2003 19:34:39 +0000 | ||||
690 | 481 | 14.0ms | 962 | 8.37ms | if (/^(\S+) \((\S+\.\S+)\[(${IP_ADDRESS})\]\) by (\S+) /) { # spent 4.92ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 10µs/call
# spent 3.46ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 7µs/call |
691 | $mta_looked_up_dns = 1; | ||||
692 | $helo = $1; $rdns = $2; $ip = $3; $by = $4; | ||||
693 | goto enough; | ||||
694 | } | ||||
695 | |||||
696 | |||||
697 | # Received: from 4wtgRl (kgbxn@[211.244.147.115]) by dogma.slashnull.org (8.11.6/8.11.6) with SMTP id h8BBsUJ18848; Thu, 11 Sep 2003 12:54:31 +0100 | ||||
698 | 481 | 20.4ms | 962 | 8.26ms | if (/^(\S+) \((\S*)\@\[(${IP_ADDRESS})\].*\) by (\S+) \(/) { # spent 4.91ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 10µs/call
# spent 3.35ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 7µs/call |
699 | $mta_looked_up_dns = 1; # this one does. there just wasn't one | ||||
700 | $helo = $1; $ip = $3; $by = $4; | ||||
701 | $ident = $2; | ||||
702 | goto enough; | ||||
703 | } | ||||
704 | |||||
705 | # Received: from 213.123.174.21 by lw11fd.law11.hotmail.msn.com with HTTP; | ||||
706 | # Wed, 24 Jul 2002 16:36:44 GMT | ||||
707 | 481 | 4.79ms | 481 | 1.74ms | if (/by (\S+\.hotmail\.msn\.com) /) { # spent 1.74ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
708 | $by = $1; | ||||
709 | /^(\S+) / and $ip = $1; | ||||
710 | goto enough; | ||||
711 | } | ||||
712 | |||||
713 | # Received: from x71-x56-x24-5.webspeed.dk (HELO niels) (69.96.3.15) by la.mx.develooper.com (qpsmtpd/0.27-dev) with SMTP; Fri, 02 Jan 2004 19:26:52 -0800 | ||||
714 | # Received: from sc8-sf-sshgate.sourceforge.net (HELO sc8-sf-netmisc.sourceforge.net) (66.35.250.220) by la.mx.develooper.com (qpsmtpd/0.27-dev) with ESMTP; Fri, 02 Jan 2004 14:44:41 -0800 | ||||
715 | # Received: from mx10.topofferz.net (HELO ) (69.6.60.10) by blazing.arsecandle.org with SMTP; 3 Mar 2004 20:34:38 -0000 | ||||
716 | 481 | 36.7ms | 962 | 7.37ms | if (/^(\S+) \((?:HELO|EHLO) (\S*)\) \((${IP_ADDRESS})\) by (\S+) \(qpsmtpd\/\S+\) with (?:ESMTP|SMTP)/) { # spent 5.19ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 11µs/call
# spent 2.18ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
717 | $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough; | ||||
718 | } | ||||
719 | |||||
720 | # from dslb-082-083-045-064.pools.arcor-ip.net (EHLO homepc) [82.83.45.64] by mail.gmx.net (mp010) with SMTP; 03 Feb 2007 13:13:47 +0100 | ||||
721 | 481 | 21.7ms | 962 | 8.20ms | if (/^(\S+) \((?:HELO|EHLO) (\S*)\) \[(${IP_ADDRESS})\] by (\S+) \([^\)]+\) with (?:ESMTP|SMTP)/) { # spent 4.89ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 10µs/call
# spent 3.32ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 7µs/call |
722 | $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough; | ||||
723 | } | ||||
724 | |||||
725 | # MiB (Michel Bouissou, 2003/11/16) | ||||
726 | # Moved some tests up because they might match on qmail tests, where this | ||||
727 | # is not qmail | ||||
728 | # | ||||
729 | # Received: from imo-m01.mx.aol.com ([64.12.136.4]) by eagle.glenraven.com | ||||
730 | # via smtpd (for [198.85.87.98]) with SMTP; Wed, 08 Oct 2003 16:25:37 -0400 | ||||
731 | 481 | 13.0ms | 962 | 7.41ms | if (/^(\S+) \(\[(${IP_ADDRESS})\]\) by (\S+) via smtpd \(for \S+\) with SMTP\(/) { # spent 5.05ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 10µs/call
# spent 2.36ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
732 | $helo = $1; $ip = $2; $by = $3; goto enough; | ||||
733 | } | ||||
734 | |||||
735 | # Try to match most of various qmail possibilities | ||||
736 | # | ||||
737 | # General format: | ||||
738 | # Received: from postfix3-2.free.fr (HELO machine.domain.com) (foobar@213.228.0.169) by totor.bouissou.net with SMTP; 14 Nov 2003 08:05:50 -0000 | ||||
739 | # | ||||
740 | # "from (remote.rDNS|unknown)" is always there | ||||
741 | # "(HELO machine.domain.com)" is there only if HELO differs from remote rDNS. | ||||
742 | # HELO may be "" -- ie no string. "HELO" may also be "EHLO". HELO string | ||||
743 | # may be an IP in fmt [1.2.3.4] -- do not strip [ and ], they are important. | ||||
744 | # "foobar@" is remote IDENT info, specified only if ident given by remote | ||||
745 | # Remote IP always appears between (parentheses), with or without IDENT@ | ||||
746 | # "by local.system.domain.com" always appears | ||||
747 | # | ||||
748 | # Protocol can be different from "SMTP", i.e. "RC4-SHA encrypted SMTP" or "QMQP" | ||||
749 | # qmail's reported protocol shouldn't be "ESMTP", so by allowing only "with (.* )(SMTP|QMQP)" | ||||
750 | # we should avoid matching on some sendmailish Received: lines that reports remote IP | ||||
751 | # between ([218.0.185.24]) like qmail-ldap does, but use "with ESMTP". | ||||
752 | # | ||||
753 | # Normally, qmail-smtpd remote IP isn't between square brackets [], but some versions of | ||||
754 | # qmail-ldap seem to add square brackets around remote IP. These versions of qmail-ldap | ||||
755 | # use a longer format that also states the (envelope-sender <sender@domain>) and the | ||||
756 | # qmail-ldap version. Example: | ||||
757 | # Received: from unknown (HELO terpsichore.farfalle.com) (jdavid@[216.254.40.70]) (envelope-sender <jdavid@farfalle.com>) by mail13.speakeasy.net (qmail-ldap-1.03) with SMTP for <jm@jmason.org>; 12 Feb 2003 18:23:19 -0000 | ||||
758 | # | ||||
759 | # Some others of the numerous qmail patches out there can also add variants of their own | ||||
760 | # | ||||
761 | # Received: from 211.245.85.228 (EHLO ) (211.245.85.228) by mta232.mail.scd.yahoo.com with SMTP; Sun, 25 Jan 2004 00:24:37 -0800 | ||||
762 | # | ||||
763 | # bug 4813: make sure that the line doesn't have " id " after the | ||||
764 | # protocol since that's a sendmail line and not qmail ... | ||||
765 | 481 | 56.5ms | 962 | 28.2ms | if (/^\S+( \((?:HELO|EHLO) \S*\))? \((\S+\@)?\[?${IP_ADDRESS}\]?\)( \(envelope-sender <\S+>\))? by \S+( \(.+\))* with (.* )?(SMTP|QMQP)(?! id )/ ) { # spent 23.1ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 48µs/call
# spent 5.14ms making 481 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 11µs/call |
766 | 86 | 19.6ms | 684 | 7.60ms | if (/^(\S+) \((?:HELO|EHLO) ([^ \(\)]*)\) \((\S*)\@\[?(${IP_ADDRESS})\]?\)( \(envelope-sender <\S+>\))? by (\S+)/) { # spent 4.63ms making 342 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 14µs/call
# spent 2.97ms making 342 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 9µs/call |
767 | $rdns = $1; $helo = $2; $ident = $3; $ip = $4; $by = $6; | ||||
768 | } | ||||
769 | elsif (/^(\S+) \((?:HELO|EHLO) ([^ \(\)]*)\) \(\[?(${IP_ADDRESS})\]?\)( \(envelope-sender <\S+>\))? by (\S+)/) { | ||||
770 | 4 | 12µs | $rdns = $1; $helo = $2; $ip = $3; $by = $5; | ||
771 | } | ||||
772 | elsif (/^(\S+) \((\S*)\@\[?(${IP_ADDRESS})\]?\)( \(envelope-sender <\S+>\))? by (\S+)/) { | ||||
773 | # note: absence of HELO means that it matched rDNS in qmail-land | ||||
774 | $helo = $rdns = $1; $ident = $2; $ip = $3; $by = $5; | ||||
775 | } | ||||
776 | elsif (/^(\S+) \(\[?(${IP_ADDRESS})\]?\)( \(envelope-sender <\S+>\))? by (\S+)/) { | ||||
777 | 255 | 1.06ms | $helo = $rdns = $1; $ip = $2; $by = $4; | ||
778 | } | ||||
779 | # qmail doesn't perform rDNS requests by itself, but is usually called | ||||
780 | # by tcpserver or a similar daemon that passes rDNS information to qmail-smtpd. | ||||
781 | # If qmail puts something else than "unknown" in the rDNS field, it means that | ||||
782 | # it received this information from the daemon that called it. If qmail-smtpd | ||||
783 | # writes "Received: from unknown", it means that either the remote has no | ||||
784 | # rDNS, or qmail was called by a daemon that didn't gave the rDNS information. | ||||
785 | 86 | 397µs | if ($rdns ne "unknown") { | ||
786 | 85 | 158µs | $mta_looked_up_dns = 1; | ||
787 | } else { | ||||
788 | 1 | 2µs | $rdns = ''; | ||
789 | } | ||||
790 | 86 | 11.0ms | goto enough; | ||
791 | |||||
792 | } | ||||
793 | # /MiB | ||||
794 | |||||
795 | # Received: from [193.220.176.134] by web40310.mail.yahoo.com via HTTP; | ||||
796 | # Wed, 12 Feb 2003 14:22:21 PST | ||||
797 | 395 | 3.62ms | 395 | 1.06ms | if (/ via HTTP$/&&/^\[(${IP_ADDRESS})\] by (\S+) via HTTP$/) { # spent 1.06ms making 395 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
798 | $ip = $1; $by = $2; goto enough; | ||||
799 | } | ||||
800 | |||||
801 | # Received: from 192.168.5.158 ( [192.168.5.158]) as user jason@localhost by mail.reusch.net with HTTP; Mon, 8 Jul 2002 23:24:56 -0400 | ||||
802 | 395 | 10.9ms | 790 | 6.43ms | if (/^(\S+) \( \[(${IP_ADDRESS})\]\).*? by (\S+) /) { # spent 4.62ms making 395 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 12µs/call
# spent 1.81ms making 395 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
803 | # TODO: is $1 helo? | ||||
804 | $ip = $2; $by = $3; goto enough; | ||||
805 | } | ||||
806 | |||||
807 | # Received: from (64.52.135.194 [64.52.135.194]) by mail.unearthed.com with ESMTP id BQB0hUH2 Thu, 20 Feb 2003 16:13:20 -0700 (PST) | ||||
808 | 395 | 19.3ms | 790 | 6.76ms | if (/^\((\S+) \[(${IP_ADDRESS})\]\) by (\S+) /) { # spent 4.35ms making 395 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 11µs/call
# spent 2.41ms making 395 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
809 | $helo = $1; $ip = $2; $by = $3; goto enough; | ||||
810 | } | ||||
811 | |||||
812 | # Received: from [65.167.180.251] by relent.cedata.com (MessageWall 1.1.0) with SMTP; 20 Feb 2003 23:57:15 -0000 | ||||
813 | 395 | 10.6ms | 790 | 6.01ms | if (/^\[(${IP_ADDRESS})\] by (\S+) /) { # spent 4.28ms making 395 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 11µs/call
# spent 1.74ms making 395 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
814 | 3 | 186µs | $ip = $1; $by = $2; goto enough; | ||
815 | } | ||||
816 | |||||
817 | # from ([172.16.1.78]) by email2.codeworksonline.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Sep 2006 21:14:29 -0400 | ||||
818 | # from (130.215.36.186) by mcafee.wpi.edu via smtp id 021b_7e19a55a_ea7e_11da_83a9_00304811e63a; Tue, 23 May 2006 13:06:35 -0400 | ||||
819 | # from ([172.21.2.10]) by out-relay4.mtahq.org with ESMTP id 4420961.8281; Tue, 22 Aug 2006 17:53:08 -0400 | ||||
820 | 394 | 19.8ms | 788 | 6.50ms | if (/^\(\[?(${IP_ADDRESS})\]?\) by (\S+) /) { # spent 4.32ms making 394 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 11µs/call
# spent 2.18ms making 394 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
821 | 24 | 1.10ms | $ip = $1; $by = $2; goto enough; | ||
822 | } | ||||
823 | |||||
824 | # Received: from acecomms [202.83.84.95] by mailscan.acenet.net.au [202.83.84.27] with SMTP (MDaemon.PRO.v5.0.6.R) for <spamassassin-talk@lists.sourceforge.net>; Fri, 21 Feb 2003 09:32:27 +1000 | ||||
825 | 386 | 10.7ms | 772 | 6.18ms | if (/^(\S+) \[(${IP_ADDRESS})\] by (\S+) \[(\S+)\] with /) { # spent 4.46ms making 386 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 12µs/call
# spent 1.72ms making 386 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
826 | $mta_looked_up_dns = 1; | ||||
827 | $helo = $1; $ip = $2; | ||||
828 | $by = $4; # use the IP addr for "by", more useful? | ||||
829 | goto enough; | ||||
830 | } | ||||
831 | |||||
832 | # Received: from mail.sxptt.zj.cn ([218.0.185.24]) by dogma.slashnull.org | ||||
833 | # (8.11.6/8.11.6) with ESMTP id h2FH0Zx11330 for <webmaster@efi.ie>; | ||||
834 | # Sat, 15 Mar 2003 17:00:41 GMT | ||||
835 | 386 | 13.9ms | 772 | 9.43ms | if (/^(\S+) \(\[(${IP_ADDRESS})\]\) by (\S+) \(/) { # sendmail # spent 4.88ms making 386 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 13µs/call
# spent 4.55ms making 386 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 12µs/call |
836 | 283 | 507µs | $mta_looked_up_dns = 1; | ||
837 | 1132 | 41.1ms | $helo = $1; $ip = $2; $by = $3; goto enough; | ||
838 | } | ||||
839 | |||||
840 | # Received: from umr-mail7.umr.edu (umr-mail7.umr.edu [131.151.1.64]) via ESMTP by mrelay1.cc.umr.edu (8.12.1/) id h06GHYLZ022481; Mon, 6 Jan 2003 10:17:34 -0600 | ||||
841 | # Received: from Agni (localhost [::ffff:127.0.0.1]) (TLS: TLSv1/SSLv3, 168bits,DES-CBC3-SHA) by agni.forevermore.net with esmtp; Mon, 28 Oct 2002 14:48:52 -0800 | ||||
842 | # Received: from gandalf ([4.37.75.131]) (authenticated bits=0) by herald.cc.purdue.edu (8.12.5/8.12.5/herald) with ESMTP id g9JLefrm028228 for <spamassassin-talk@lists.sourceforge.net>; Sat, 19 Oct 2002 16:40:41 -0500 (EST) | ||||
843 | # Received: from bushinternet.com (softdnserr [::ffff:61.99.99.67]) by mail.cs.helsinki.fi with esmtp; Fri, 22 Aug 2003 12:25:41 +0300 | ||||
844 | 103 | 3.81ms | 206 | 2.42ms | if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\).*? by (\S+)\b/) { # sendmail # spent 1.78ms making 103 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 17µs/call
# spent 635µs making 103 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
845 | 3 | 14µs | if ($2 eq 'softdnserr') { | ||
846 | $mta_looked_up_dns = 0; # bug 2326: couriertcpd | ||||
847 | } else { | ||||
848 | 6 | 13µs | $mta_looked_up_dns = 1; $rdns = $2; | ||
849 | } | ||||
850 | 12 | 431µs | $helo = $1; $ip = $3; $by = $4; goto enough; | ||
851 | } | ||||
852 | |||||
853 | # from jsoliday.acs.internap.com ([63.251.66.24.63559]) by | ||||
854 | # mailhost.acs.internap.com with esmtp (v3.35.1) id 1GNrLz-000295-00; | ||||
855 | # Thu, 14 Sep 2006 09:34:07 -0400 | ||||
856 | 100 | 3.91ms | 200 | 2.71ms | if (/^(\S+) \(\[(${IP_ADDRESS})(?:[.:]\d+)?\]\).*? by (\S+) /) { # spent 1.67ms making 100 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 17µs/call
# spent 1.03ms making 100 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 10µs/call |
857 | 45 | 87µs | $mta_looked_up_dns = 1; | ||
858 | 180 | 6.39ms | $helo = $1; $ip = $2; $by = $3; goto enough; | ||
859 | } | ||||
860 | |||||
861 | # Received: from roissy (p573.as1.exs.dublin.eircom.net [159.134.226.61]) | ||||
862 | # (authenticated bits=0) by slate.dublin.wbtsystems.com (8.12.6/8.12.6) | ||||
863 | # with ESMTP id g9MFWcvb068860 for <jm@jmason.org>; | ||||
864 | # Tue, 22 Oct 2002 16:32:39 +0100 (IST) | ||||
865 | 55 | 1.99ms | 110 | 1.38ms | if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\)(?: \(authenticated bits=\d+\))? by (\S+) \(/) { # sendmail # spent 1.07ms making 55 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 19µs/call
# spent 312µs making 55 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
866 | $mta_looked_up_dns = 1; | ||||
867 | $helo = $1; $rdns = $2; $ip = $3; $by = $4; goto enough; | ||||
868 | } | ||||
869 | |||||
870 | # Received: from cabbage.jmason.org [127.0.0.1] | ||||
871 | # by localhost with IMAP (fetchmail-5.9.0) | ||||
872 | # for jm@localhost (single-drop); Thu, 13 Mar 2003 20:39:56 -0800 (PST) | ||||
873 | 55 | 527µs | 55 | 206µs | if (/fetchmail/&&/^(\S+) (?:\[(${IP_ADDRESS})\] )?by (\S+) with \S+ \(fetchmail/) { # spent 206µs making 55 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
874 | $self->found_pop_fetcher_sig(); | ||||
875 | return 0; # skip fetchmail handovers | ||||
876 | } | ||||
877 | |||||
878 | # Let's try to support a few qmailish formats in one; | ||||
879 | # http://issues.apache.org/SpamAssassin/show_bug.cgi?id=2744#c14 : | ||||
880 | # Received: from unknown (HELO feux01a-isp) (213.199.4.210) by totor.bouissou.net with SMTP; 1 Nov 2003 07:05:19 -0000 | ||||
881 | # Received: from adsl-207-213-27-129.dsl.lsan03.pacbell.net (HELO merlin.net.au) (Owner50@207.213.27.129) by totor.bouissou.net with SMTP; 10 Nov 2003 06:30:34 -0000 | ||||
882 | 55 | 2.03ms | 110 | 1.43ms | if (/^(\S+) \((?:HELO|EHLO) ([^\)]*)\) \((\S*@)?\[?(${IP_ADDRESS})\]?\).* by (\S+) /) # spent 1.09ms making 55 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 20µs/call
# spent 341µs making 55 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
883 | { | ||||
884 | $mta_looked_up_dns = 1; | ||||
885 | $rdns = $1; | ||||
886 | $helo = $2; | ||||
887 | $ident = (defined $3) ? $3 : ''; | ||||
888 | $ip = $4; | ||||
889 | $by = $5; | ||||
890 | if ($ident) { | ||||
891 | $ident =~ s/\@$//; | ||||
892 | } | ||||
893 | goto enough; | ||||
894 | } | ||||
895 | |||||
896 | # Received: from x1-6-00-04-bd-d2-e0-a3.k317.webspeed.dk (benelli@80.167.158.170) by totor.bouissou.net with SMTP; 5 Nov 2003 23:18:42 -0000 | ||||
897 | 55 | 2.41ms | 110 | 1.72ms | if (/^(\S+) \((\S*@)?\[?(${IP_ADDRESS})\]?\).* by (\S+) /) # spent 1.04ms making 55 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 19µs/call
# spent 677µs making 55 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 12µs/call |
898 | { | ||||
899 | 15 | 28µs | $mta_looked_up_dns = 1; | ||
900 | # bug 2744 notes that if HELO == rDNS, qmail drops it. | ||||
901 | 45 | 126µs | $rdns = $1; $helo = $rdns; $ident = (defined $2) ? $2 : ''; | ||
902 | 30 | 83µs | $ip = $3; $by = $4; | ||
903 | 15 | 31µs | if ($ident) { $ident =~ s/\@$//; } | ||
904 | 15 | 2.11ms | goto enough; | ||
905 | } | ||||
906 | |||||
907 | # Received: from [129.24.215.125] by ws1-7.us4.outblaze.com with http for | ||||
908 | # _bushisevil_@mail.com; Thu, 13 Feb 2003 15:59:28 -0500 | ||||
909 | 40 | 380µs | 40 | 141µs | if (/ with http for /&&/^\[(${IP_ADDRESS})\] by (\S+) with http for /) { # spent 141µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
910 | $ip = $1; $by = $2; goto enough; | ||||
911 | } | ||||
912 | |||||
913 | # Received: from po11.mit.edu [18.7.21.73] | ||||
914 | # by stark.dyndns.tv with POP3 (fetchmail-5.9.7) | ||||
915 | # for stark@localhost (single-drop); Tue, 18 Feb 2003 10:43:09 -0500 (EST) | ||||
916 | # by po11.mit.edu (Cyrus v2.1.5) with LMTP; Tue, 18 Feb 2003 09:49:46 -0500 | ||||
917 | 40 | 369µs | 40 | 124µs | if (/ with POP3 /&&/^(\S+) \[(${IP_ADDRESS})\] by (\S+) with POP3 /) { # spent 124µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
918 | $rdns = $1; $ip = $2; $by = $3; goto enough; | ||||
919 | } | ||||
920 | |||||
921 | # Received: from snake.corp.yahoo.com(216.145.52.229) by x.x.org via smap (V1.3) | ||||
922 | # id xma093673; Wed, 26 Mar 03 20:43:24 -0600 | ||||
923 | 40 | 364µs | 40 | 118µs | if (/ via smap /&&/^(\S+)\((${IP_ADDRESS})\) by (\S+) via smap /) { # spent 118µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
924 | $mta_looked_up_dns = 1; | ||||
925 | $rdns = $1; $ip = $2; $by = $3; goto enough; | ||||
926 | } | ||||
927 | |||||
928 | # Received: from smtp.greyware.com(208.14.208.51, HELO smtp.sff.net) by x.x.org via smap (V1.3) | ||||
929 | # id xma002908; Fri, 27 Feb 04 14:16:56 -0800 | ||||
930 | 40 | 1.50ms | 80 | 1.05ms | if (/^(\S+)\((${IP_ADDRESS}), (?:HELO|EHLO) (\S*)\) by (\S+) via smap /) { # spent 899µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 22µs/call
# spent 151µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
931 | $mta_looked_up_dns = 1; | ||||
932 | $rdns = $1; $ip = $2; $helo = $3; $by = $4; goto enough; | ||||
933 | } | ||||
934 | |||||
935 | # Received: from [192.168.0.71] by web01-nyc.clicvu.com (Post.Office MTA | ||||
936 | # v3.5.3 release 223 ID# 0-64039U1000L100S0V35) with SMTP id com for | ||||
937 | # <x@x.org>; Tue, 25 Mar 2003 11:42:04 -0500 | ||||
938 | 40 | 890µs | 42 | 615µs | if (/ \(Post/&&/^\[(${IP_ADDRESS})\] by (\S+) \(Post/) { # spent 470µs making 1 call to Mail::SpamAssassin::Message::Metadata::CORE:regcomp
# spent 146µs making 41 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
939 | $ip = $1; $by = $2; goto enough; | ||||
940 | } | ||||
941 | |||||
942 | # Received: from [127.0.0.1] by euphoria (ArGoSoft Mail Server | ||||
943 | # Freeware, Version 1.8 (1.8.2.5)); Sat, 8 Feb 2003 09:45:32 +0200 | ||||
944 | 40 | 366µs | 40 | 127µs | if (/ \(ArGoSoft/&&/^\[(${IP_ADDRESS})\] by (\S+) \(ArGoSoft/) { # spent 127µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
945 | $ip = $1; $by = $2; goto enough; | ||||
946 | } | ||||
947 | |||||
948 | # Received: from 157.54.8.23 by inet-vrs-05.redmond.corp.microsoft.com | ||||
949 | # (InterScan E-Mail VirusWall NT); Thu, 06 Mar 2003 12:02:35 -0800 | ||||
950 | # Received: from 10.165.130.62 by CNNIMAIL12.CNN.COM (SMTPL release 1.0d) with TCP; Fri, 1 Sep 2006 20:28:14 -0400 | ||||
951 | 40 | 1.83ms | 80 | 1.35ms | if (/^(${IP_ADDRESS}) by (\S+) \((?:SMTPL|InterScan)\b/) { # spent 976µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 24µs/call
# spent 377µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 9µs/call |
952 | $ip = $1; $by = $2; goto enough; | ||||
953 | } | ||||
954 | |||||
955 | # Received: from faerber.muc.de by slarti.muc.de with BSMTP (rsmtp-qm-ot 0.4) | ||||
956 | # for asrg@ietf.org; 7 Mar 2003 21:10:38 -0000 | ||||
957 | 40 | 361µs | 40 | 119µs | if (/ with BSMTP/&&/^\S+ by \S+ with BSMTP/) { # spent 119µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
958 | return 0; # BSMTP != a TCP/IP handover, ignore it | ||||
959 | } | ||||
960 | |||||
961 | # Received: from spike (spike.ig.co.uk [193.32.60.32]) by mail.ig.co.uk with | ||||
962 | # SMTP id h27CrCD03362 for <asrg@ietf.org>; Fri, 7 Mar 2003 12:53:12 GMT | ||||
963 | 40 | 1.62ms | 80 | 1.18ms | if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\) by (\S+) with /) { # spent 1.02ms making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 25µs/call
# spent 161µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
964 | $mta_looked_up_dns = 1; | ||||
965 | $helo = $1; $rdns = $2; $ip = $3; $by = $4; goto enough; | ||||
966 | } | ||||
967 | |||||
968 | # Received: from customer254-217.iplannetworks.net (HELO AGAMENON) | ||||
969 | # (baldusi@200.69.254.217 with plain) by smtp.mail.vip.sc5.yahoo.com with | ||||
970 | # SMTP; 11 Mar 2003 21:03:28 -0000 | ||||
971 | 40 | 449µs | 40 | 212µs | if (/^(\S+) \((?:HELO|EHLO) (\S*)\) \((\S+).*?\) by (\S+) with /) { # spent 212µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
972 | $mta_looked_up_dns = 1; | ||||
973 | $rdns = $1; $helo = $2; $ip = $3; $by = $4; | ||||
974 | $ip =~ s/([^\@]*)\@//g and $ident = $1; # remove IDENT lookups | ||||
975 | goto enough; | ||||
976 | } | ||||
977 | |||||
978 | # Received: from [192.168.1.104] (account nazgul HELO [192.168.1.104]) | ||||
979 | # by somewhere.com (CommuniGate Pro SMTP 3.5.7) with ESMTP-TLS id 2088434; | ||||
980 | # Fri, 07 Mar 2003 13:05:06 -0500 | ||||
981 | 40 | 1.64ms | 80 | 1.19ms | if (/^\[(${IP_ADDRESS})\] \((?:account \S+ )?(?:HELO|EHLO) (\S*)\) by (\S+) \(/) { # spent 965µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 24µs/call
# spent 224µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
982 | $ip = $1; $helo = $2; $by = $3; goto enough; | ||||
983 | } | ||||
984 | |||||
985 | # Received: from host.example.com ([192.0.2.1] verified) | ||||
986 | # by mail.example.net (CommuniGate Pro SMTP 5.1.13) | ||||
987 | # with ESMTP id 9786656 for user@example.net; Thu, 27 Mar 2008 15:08:17 +0600 | ||||
988 | 40 | 379µs | 40 | 152µs | if (/ \(CommuniGate Pro/ && /^(\S+) \(\[(${IP_ADDRESS})\] verified\) by (\S+) \(/) { # spent 152µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
989 | $mta_looked_up_dns = 1; | ||||
990 | $rdns = $1; $helo = $1; $ip = $2; $by = $3; goto enough; | ||||
991 | } | ||||
992 | |||||
993 | # Received: from ([10.0.0.6]) by mail0.ciphertrust.com with ESMTP ; Thu, | ||||
994 | # 13 Mar 2003 06:26:21 -0500 (EST) | ||||
995 | 40 | 1.51ms | 80 | 1.07ms | if (/^\(\[(${IP_ADDRESS})\]\) by (\S+) with /) { # spent 909µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 23µs/call
# spent 164µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
996 | $ip = $1; $by = $2; goto enough; | ||||
997 | } | ||||
998 | |||||
999 | # Received: from ironport.com (10.1.1.5) by a50.ironport.com with ESMTP; 01 Apr 2003 12:00:51 -0800 | ||||
1000 | # Received: from dyn-81-166-39-132.ppp.tiscali.fr (81.166.39.132) by cpmail.dk.tiscali.com (6.7.018) | ||||
1001 | 40 | 1.58ms | 80 | 1.15ms | if (/^([^\d]\S+) \((${IP_ADDRESS})\) by (\S+) /) { # spent 908µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 23µs/call
# spent 237µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
1002 | $helo = $1; $ip = $2; $by = $3; goto enough; | ||||
1003 | } | ||||
1004 | |||||
1005 | # Received: from scv3.apple.com (scv3.apple.com) by mailgate2.apple.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T61095998e1118164e13f8@mailgate2.apple.com>; Mon, 17 Mar 2003 17:04:54 -0800 | ||||
1006 | # bug 4704: Only let this match Content Technologies so it stops breaking things that come after it by matching first | ||||
1007 | 40 | 373µs | 40 | 144µs | if (/^\S+ \(\S+\) by \S+ \(Content Technologies /) { # spent 144µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1008 | return 0; # useless without the $ip anyway! | ||||
1009 | } | ||||
1010 | |||||
1011 | # Received: from 01al10015010057.ad.bls.com ([90.152.5.141] [90.152.5.141]) | ||||
1012 | # by aismtp3g.bls.com with ESMTP; Mon, 10 Mar 2003 11:10:41 -0500 | ||||
1013 | 40 | 356µs | 40 | 125µs | if (/^(\S+) \(\[(\S+)\] \[(\S+)\]\) by (\S+) with /) { # spent 125µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1014 | # not sure what $3 is ;) | ||||
1015 | $helo = $1; $ip = $2; $by = $4; | ||||
1016 | goto enough; | ||||
1017 | } | ||||
1018 | |||||
1019 | # Received: from 206.47.0.153 by dm3cn8.bell.ca with ESMTP (Tumbleweed MMS | ||||
1020 | # SMTP Relay (MMS v5.0)); Mon, 24 Mar 2003 19:49:48 -0500 | ||||
1021 | 40 | 1.86ms | 80 | 1.40ms | if (/^(${IP_ADDRESS}) by (\S+) with /) { # spent 956µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 24µs/call
# spent 442µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 11µs/call |
1022 | $ip = $1; $by = $2; | ||||
1023 | goto enough; | ||||
1024 | } | ||||
1025 | |||||
1026 | # Received: from pobox.com (h005018086b3b.ne.client2.attbi.com[66.31.45.164]) | ||||
1027 | # by rwcrmhc53.attbi.com (rwcrmhc53) with SMTP id <2003031302165605300suph7e>; | ||||
1028 | # Thu, 13 Mar 2003 02:16:56 +0000 | ||||
1029 | 40 | 1.47ms | 80 | 1.01ms | if (/^(\S+) \((\S+)\[(${IP_ADDRESS})\]\) by (\S+) /) { # spent 867µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 22µs/call
# spent 140µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1030 | $mta_looked_up_dns = 1; | ||||
1031 | $helo = $1; $rdns = $2; $ip = $3; $by = $4; goto enough; | ||||
1032 | } | ||||
1033 | |||||
1034 | # Received: from [10.128.128.81]:50999 (HELO dfintra.f-secure.com) by fsav4im2 ([10.128.128.74]:25) (F-Secure Anti-Virus for Internet Mail 6.0.34 Release) with SMTP; Tue, 5 Mar 2002 14:11:53 -0000 | ||||
1035 | 40 | 1.56ms | 80 | 1.10ms | if (/^\[(${IP_ADDRESS})\]\S+ \((?:HELO|EHLO) (\S*)\) by (\S+) /) { # spent 861µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 22µs/call
# spent 237µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
1036 | $ip = $1; $helo = $2; $by = $3; goto enough; | ||||
1037 | } | ||||
1038 | |||||
1039 | # Received: from 62.180.7.250 (HELO daisy) by smtp.altavista.de (209.228.22.152) with SMTP; 19 Sep 2002 17:03:17 +0000 | ||||
1040 | 40 | 1.74ms | 80 | 1.30ms | if (/^(${IP_ADDRESS}) \((?:HELO|EHLO) (\S*)\) by (\S+) /) { # spent 996µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 25µs/call
# spent 300µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 8µs/call |
1041 | $ip = $1; $helo = $2; $by = $3; goto enough; | ||||
1042 | } | ||||
1043 | |||||
1044 | # Received: from oemcomputer [63.232.189.195] by highstream.net (SMTPD32-7.07) id A4CE7F2A0028; Sat, 01 Feb 2003 21:39:10 -0500 | ||||
1045 | 40 | 1.47ms | 80 | 1.05ms | if (/^(\S+) \[(${IP_ADDRESS})\] by (\S+) /) { # spent 884µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 22µs/call
# spent 163µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1046 | $helo = $1; $ip = $2; $by = $3; goto enough; | ||||
1047 | } | ||||
1048 | |||||
1049 | # from nodnsquery(192.100.64.12) by herbivore.monmouth.edu via csmap (V4.1) id srcAAAyHaywy | ||||
1050 | 40 | 1.49ms | 80 | 1.04ms | if (/^(\S+)\((${IP_ADDRESS})\) by (\S+) /) { # spent 873µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 22µs/call
# spent 165µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1051 | $rdns = $1; $ip = $2; $by = $3; goto enough; | ||||
1052 | } | ||||
1053 | |||||
1054 | # Received: from [192.168.0.13] by <server> (MailGate 3.5.172) with SMTP; | ||||
1055 | # Tue, 1 Apr 2003 15:04:55 +0100 | ||||
1056 | 40 | 1.49ms | 80 | 1.05ms | if (/^\[(${IP_ADDRESS})\] by (\S+) \(MailGate /) { # spent 916µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 23µs/call
# spent 138µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1057 | $ip = $1; $by = $2; goto enough; | ||||
1058 | } | ||||
1059 | |||||
1060 | # Received: from jmason.org (unverified [195.218.107.131]) by ni-mail1.dna.utvinternet.net <B0014212518@ni-mail1.dna.utvinternet.net>; Tue, 11 Feb 2003 12:18:12 +0000 | ||||
1061 | 40 | 1.52ms | 80 | 1.08ms | if (/^(\S+) \(unverified \[(${IP_ADDRESS})\]\) by (\S+) /) { # spent 955µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 24µs/call
# spent 129µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1062 | $helo = $1; $ip = $2; $by = $3; goto enough; | ||||
1063 | } | ||||
1064 | |||||
1065 | # # from 165.228.131.11 (proxying for 139.130.20.189) (SquirrelMail authenticated user jmmail) by jmason.org with HTTP | ||||
1066 | # if (/^from (\S+) \(proxying for (${IP_ADDRESS})\) \([A-Za-z][^\)]+\) by (\S+) with /) { | ||||
1067 | # $ip = $2; $by = $3; goto enough; | ||||
1068 | # } | ||||
1069 | 40 | 1.98ms | 80 | 1.47ms | if (/^(${IP_ADDRESS}) \([A-Za-z][^\)]+\) by (\S+) with /) { # spent 1.01ms making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 25µs/call
# spent 465µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 12µs/call |
1070 | $ip = $1; $by = $2; goto enough; | ||||
1071 | } | ||||
1072 | |||||
1073 | # Received: from [212.87.144.30] (account seiz [212.87.144.30] verified) by x.imd.net (CommuniGate Pro SMTP 4.0.3) with ESMTP-TLS id 5026665 for spamassassin-talk@lists.sourceforge.net; Wed, 15 Jan 2003 16:27:05 +0100 | ||||
1074 | # bug 4704 This pattern was checked as just an Exim format, but it does exist elsewhere | ||||
1075 | # Received: from [206.51.230.145] (helo=t-online.de) | ||||
1076 | # by mxeu2.kundenserver.de with ESMTP (Nemesis), | ||||
1077 | # id 0MKpdM-1CkRpr14PF-000608; Fri, 31 Dec 2004 19:49:15 +0100 | ||||
1078 | # Received: from [218.19.142.229] (helo=hotmail.com ident=yiuhyotp) | ||||
1079 | # by yzordderrex with smtp (Exim 3.35 #1 (Debian)) id 194BE5-0005Zh-00; Sat, 12 Apr 2003 03:58:53 +0100 | ||||
1080 | 40 | 1.54ms | 80 | 1.08ms | if (/^\[(${IP_ADDRESS})\] \(([^\)]+)\) by (\S+) /) { # spent 873µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 22µs/call
# spent 202µs making 40 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
1081 | 12 | 44µs | $ip = $1; my $sub = $2; $by = $3; | ||
1082 | 4 | 78µs | 4 | 34µs | $sub =~ s/helo=(\S+)// and $helo = $1; # spent 34µs making 4 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 9µs/call |
1083 | 4 | 40µs | 4 | 13µs | $sub =~ s/ident=(\S*)// and $ident = $1; # spent 13µs making 4 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 3µs/call |
1084 | 4 | 580µs | goto enough; | ||
1085 | } | ||||
1086 | |||||
1087 | # Received: from mtsbp606.email-info.net (?dXqpg3b0hiH9faI2OxLT94P/YKDD3rQ1?@64.253.199.166) by kde.informatik.uni-kl.de with SMTP; 30 Apr 2003 15:06:29 | ||||
1088 | 36 | 1.51ms | 72 | 1.10ms | if (/^(\S+) \((?:\S+\@)?(${IP_ADDRESS})\) by (\S+) with /) { # spent 849µs making 36 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 24µs/call
# spent 253µs making 36 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 7µs/call |
1089 | $rdns = $1; $ip = $2; $by = $3; goto enough; | ||||
1090 | } | ||||
1091 | |||||
1092 | # Obtuse smtpd: http://www.obtuse.com/ | ||||
1093 | # Received: from TCE-E-7-182-54.bta.net.cn(202.106.182.54) via SMTP | ||||
1094 | # by st.tahina.priv.at, id smtpdEDUB8h; Sun Nov 13 14:50:12 2005 | ||||
1095 | # Received: from pl027.nas934.d-osaka.nttpc.ne.jp(61.197.82.27), claiming to be "foo.woas.net" via SMTP | ||||
1096 | # by st.tahina.priv.at, id smtpd1PBsZT; Sun Nov 13 15:38:52 2005 | ||||
1097 | 36 | 1.39ms | 72 | 999µs | if (/^(\S+)\((${IP_ADDRESS})\)(?:, claiming to be "(\S+)")? via \S+ by (\S+),/) { # spent 862µs making 36 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 24µs/call
# spent 137µs making 36 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1098 | $rdns = $1; $ip = $2; $helo = (defined $3) ? $3 : ''; $by = $4; | ||||
1099 | if ($1 ne 'UNKNOWN') { | ||||
1100 | $mta_looked_up_dns = 1; | ||||
1101 | $rdns = $1; | ||||
1102 | } | ||||
1103 | goto enough; | ||||
1104 | } | ||||
1105 | |||||
1106 | # Yahoo Authenticated SMTP; Bug #6535 | ||||
1107 | # from itrqtnlnq (lucilleskinner@93.124.107.183 with login) by smtp111.mail.ne1.yahoo.com with SMTP; 17 Jan 2011 08:23:27 -0800 PST | ||||
1108 | 36 | 1.41ms | 72 | 1.02ms | if (/^(\S+) \((\S+)@(${IP_ADDRESS}) with login\) by (\S+\.yahoo\.com) with SMTP/) { # spent 890µs making 36 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 25µs/call
# spent 129µs making 36 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1109 | $helo = $1; $ip = $3; $by = $4; goto enough; | ||||
1110 | } | ||||
1111 | |||||
1112 | # a synthetic header, generated internally: | ||||
1113 | # Received: X-Originating-IP: 1.2.3.4 | ||||
1114 | 36 | 386µs | 36 | 146µs | if (/^X-Originating-IP: (\S+)$/) { # spent 146µs making 36 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1115 | 24 | 1.25ms | $ip = $1; $by = ''; goto enough; | ||
1116 | } | ||||
1117 | |||||
1118 | ## STUFF TO IGNORE ## | ||||
1119 | |||||
1120 | # Received: from raptor.research.att.com (bala@localhost) by | ||||
1121 | # raptor.research.att.com (SGI-8.9.3/8.8.7) with ESMTP id KAA14788 | ||||
1122 | # for <asrg@example.com>; Fri, 7 Mar 2003 10:37:56 -0500 (EST) | ||||
1123 | # make this localhost-specific, so we know it's safe to ignore | ||||
1124 | 28 | 960µs | 56 | 676µs | if (/^\S+ \([^\s\@]+\@${LOCALHOST}\) by \S+ \(/) { return 0; } # spent 546µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 19µs/call
# spent 131µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
1125 | |||||
1126 | # from paul (helo=felix) by felix.peema.org with local-esmtp (Exim 4.43) | ||||
1127 | # id 1Ccq0j-0002k2-Lk; Fri, 10 Dec 2004 19:01:01 +0000 | ||||
1128 | # Exim doco says this is local submission, cf switch -oMr | ||||
1129 | 28 | 266µs | 28 | 106µs | if (/^\S+ \S+ by \S+ with local-e?smtp /) { return 0; } # spent 106µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1130 | |||||
1131 | # from 127.0.0.1 (AVG SMTP 7.0.299 [265.6.8]); Wed, 05 Jan 2005 15:06:48 -0800 | ||||
1132 | 28 | 260µs | 28 | 87µs | if (/^127\.0\.0\.1 \(AVG SMTP \S+ \[\S+\]\)/) { return 0; } # spent 87µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1133 | |||||
1134 | # from qmail-scanner-general-admin@lists.sourceforge.net by alpha by uid 7791 with qmail-scanner-1.14 (spamassassin: 2.41. Clear:SA:0(-4.1/5.0):. Processed in 0.209512 secs) | ||||
1135 | 28 | 260µs | 28 | 91µs | if (/^\S+\@\S+ by \S+ by uid \S+ /) { return 0; } # spent 91µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1136 | |||||
1137 | # Received: from DSmith1204@aol.com by imo-m09.mx.aol.com (mail_out_v34.13.) id 7.53.208064a0 (4394); Sat, 11 Jan 2003 23:24:31 -0500 (EST) | ||||
1138 | 28 | 317µs | 28 | 146µs | if (/^\S+\@\S+ by \S+ /) { return 0; } # spent 146µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
1139 | |||||
1140 | # Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Fri, 17 Jan 2003 15:23:29 -0000 | ||||
1141 | 28 | 260µs | 28 | 72µs | if (/^Unknown\/Local \(/) { return 0; } # spent 72µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1142 | |||||
1143 | # Received: from localhost (mailnull@localhost) by x.org (8.12.6/8.9.3) | ||||
1144 | # with SMTP id h2R2iivG093740; Wed, 26 Mar 2003 20:44:44 -0600 | ||||
1145 | # (CST) (envelope-from x@x.org) | ||||
1146 | # Received: from localhost (localhost [127.0.0.1]) (uid 500) by mail with local; Tue, 07 Jan 2003 11:40:47 -0600 | ||||
1147 | 28 | 1.43ms | 56 | 1.11ms | if (/^${LOCALHOST} \((?:\S+\@)?${LOCALHOST}[\)\[]/) { return 0; } # spent 966µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 34µs/call
# spent 144µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
1148 | |||||
1149 | # Received: from olgisoft.com (127.0.0.1) by 127.0.0.1 (EzMTS MTSSmtp | ||||
1150 | # 1.55d5) ; Thu, 20 Mar 03 10:06:43 +0100 for <asrg@ietf.org> | ||||
1151 | 28 | 834µs | 56 | 516µs | if (/^\S+ \((?:\S+\@)?${LOCALHOST}\) /) { return 0; } # spent 344µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 12µs/call
# spent 172µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
1152 | |||||
1153 | # Received: from casper.ghostscript.com (raph@casper [127.0.0.1]) h148aux8016336verify=FAIL); Tue, 4 Feb 2003 00:36:56 -0800 | ||||
1154 | 28 | 850µs | 56 | 524µs | if (/^\S+ \(\S+\@\S+ \[${LOCALHOST}\]\) /) { return 0; } # spent 411µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 15µs/call
# spent 113µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1155 | |||||
1156 | # Received: from (AUTH: e40a9cea) by vqx.net with esmtp (courier-0.40) for <asrg@ietf.org>; Mon, 03 Mar 2003 14:49:28 +0000 | ||||
1157 | 28 | 238µs | 28 | 84µs | if (/^\(AUTH: \S+\) by \S+ with /) { return 0; } # spent 84µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1158 | |||||
1159 | # from localhost (localhost [[UNIX: localhost]]) by home.barryodonovan.com | ||||
1160 | # (8.12.11/8.12.11/Submit) id iBADHRP6011034; Fri, 10 Dec 2004 13:17:27 GMT | ||||
1161 | 28 | 256µs | 28 | 90µs | if (/^localhost \(localhost \[\[UNIX: localhost\]\]\) by /) { return 0; } # spent 90µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1162 | |||||
1163 | # Internal Amazon traffic | ||||
1164 | # Received: from dc-mail-3102.iad3.amazon.com by mail-store-2001.amazon.com with ESMTP (peer crosscheck: dc-mail-3102.iad3.amazon.com) | ||||
1165 | 28 | 243µs | 28 | 79µs | if (/^\S+\.amazon\.com by \S+\.amazon\.com with ESMTP \(peer crosscheck: /) { return 0; } # spent 79µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1166 | |||||
1167 | # Received: from GWGC6-MTA by gc6.jefferson.co.us with Novell_GroupWise; Tue, 30 Nov 2004 10:09:15 -0700 | ||||
1168 | 28 | 268µs | 28 | 85µs | if (/^[^\.]+ by \S+ with Novell_GroupWise/) { return 0; } # spent 85µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1169 | |||||
1170 | # Received: from no.name.available by [165.224.43.143] via smtpd (for [165.224.216.89]) with ESMTP; Fri, 28 Jan 2005 13:06:39 -0500 | ||||
1171 | # Received: from no.name.available by [165.224.216.88] via smtpd (for lists.sourceforge.net [66.35.250.206]) with ESMTP; Fri, 28 Jan 2005 15:42:30 -0500 | ||||
1172 | # These are from an internal host protected by a Raptor firewall, to hosts | ||||
1173 | # outside the firewall. We can only ignore the handover since we don't have | ||||
1174 | # enough info in those headers; however, from googling, it appears that | ||||
1175 | # all samples are cases where the handover is safely ignored. | ||||
1176 | 28 | 244µs | 28 | 71µs | if (/^no\.name\.available by \S+ via smtpd \(for /) { return 0; } # spent 71µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1177 | |||||
1178 | # from 156.56.111.196 by blazing.arsecandle.org (envelope-from <gentoo-announce-return-530-rod=arsecandle.org@lists.gentoo.org>, uid 502) with qmail-scanner-1.24 (clamdscan: 0.80/594. f-prot: 4.4.2/3.14.11. Clear:RC:0(156.56.111.196):. Processed in 0.288806 secs); 06 Feb 2005 21:11:38 -0000 | ||||
1179 | # these are safe to ignore. the previous handover line has the full | ||||
1180 | # details of the handover described here, it's just qmail-scanner | ||||
1181 | # logging a little more. | ||||
1182 | 28 | 259µs | 28 | 89µs | if (/^\S+ by \S+ \(.{0,100}\) with qmail-scanner/) { # spent 89µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1183 | $envfrom =~ s/^\s*<*//gs; $envfrom =~ s/>*\s*$//gs; | ||||
1184 | $envfrom =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs; | ||||
1185 | $self->{qmail_scanner_env_from} = $envfrom; # hack! | ||||
1186 | return 0; | ||||
1187 | } | ||||
1188 | |||||
1189 | # Received: from mmail by argon.connect.org.uk with local (connectmail/exim) | ||||
1190 | # id 18tOsg-0008FX-00; Thu, 13 Mar 2003 09:20:06 +0000 | ||||
1191 | 28 | 255µs | 28 | 90µs | if (/^\S+ by \S+ with local/) { return 0; } # spent 90µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1192 | |||||
1193 | # HANDOVERS WE KNOW WE CAN'T DEAL WITH: TCP transmission, but to MTAs that | ||||
1194 | # just don't log enough info for us to use (ie. no IP address present). | ||||
1195 | # Note: "return 0" is strongly recommended here, unless you're sure | ||||
1196 | # the regexp won't match something in the field; otherwise ALL_TRUSTED may | ||||
1197 | # fire even in the presence of an unparseable Received header. | ||||
1198 | |||||
1199 | # Received: from CATHY.IJS.SI by CATHY.IJS.SI (PMDF V4.3-10 #8779) id <01KTSSR50NSW001MXN@CATHY.IJS.SI>; Fri, 21 Mar 2003 20:50:56 +0100 | ||||
1200 | # Received: from MATT_LINUX by hippo.star.co.uk via smtpd (for mail.webnote.net [193.120.211.219]) with SMTP; 3 Jul 2002 15:43:50 UT | ||||
1201 | # Received: from cp-its-ieg01.mail.saic.com by cpmx.mail.saic.com for me@jmason.org; Tue, 23 Jul 2002 14:09:10 -0700 | ||||
1202 | 37 | 760µs | 28 | 189µs | if (/^\S+ by \S+ (?:with|via|for|\()/) { return 0; } # spent 189µs making 28 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 7µs/call |
1203 | |||||
1204 | # from senmail2.senate.gov with LMTP by senmail2 (3.0.2/sieved-3-0-build-942) for <example@vandinter.org>; Fri, 30 Jun 2006 10:58:41 -0400 | ||||
1205 | # from zimbramail.artsit.org.uk (unverified) by MAILSWEEP.birminghamartsit.org.uk (Clearswift SMTPRS 5.1.7) with ESMTP id <T78926b35f2c0a80003da8@MAILSWEEP.birminghamartsit.org.uk> for <discuss@lists.surbl.org>; Tue, 30 May 2006 15:56:15 +0100 | ||||
1206 | 19 | 221µs | 19 | 97µs | if (/^\S+ (?:(?:with|via|for) \S+|\(unverified\)) by\b/) { return 0; } # spent 97µs making 19 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 5µs/call |
1207 | |||||
1208 | # from DL1GSPMX02 (dl1gspmx02.gamestop.com) by email.ebgames.com (LSMTP for Windows NT v1.1b) with SMTP id <21.000575A0@email.ebgames.com>; Tue, 12 Sep 2006 21:06:43 -0500 | ||||
1209 | 19 | 178µs | 19 | 63µs | if (/\(LSMTP for/) { return 0; } # spent 63µs making 19 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 3µs/call |
1210 | |||||
1211 | # if at this point we still haven't figured out the HELO string, see if we | ||||
1212 | # can't just guess | ||||
1213 | 31 | 644µs | 12 | 67µs | if (!$helo && /^(\S+)[^-A-Za-z0-9\.]/) { $helo = $1; } # spent 67µs making 12 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 6µs/call |
1214 | } | ||||
1215 | |||||
1216 | # --------------------------------------------------------------------------- | ||||
1217 | |||||
1218 | elsif (s/^FROM //) { | ||||
1219 | # simta: http://rsug.itd.umich.edu/software/simta/ | ||||
1220 | # Note the ugly uppercase FROM/BY/ID | ||||
1221 | # Received: FROM hackers.mr.itd.umich.edu (smtp.mail.umich.edu [141.211.14.81]) | ||||
1222 | # BY madman.mr.itd.umich.edu ID 434B508E.174A6.13932 ; 11 Oct 2005 01:41:34 -0400 | ||||
1223 | # Received: FROM [192.168.1.24] (s233-64-90-216.try.wideopenwest.com [64.233.216.90]) | ||||
1224 | # BY hackers.mr.itd.umich.edu ID 434B5051.8CDE5.15436 ; 11 Oct 2005 01:40:33 -0400 | ||||
1225 | if (/^(\S+) \((\S+) \[(${IP_ADDRESS})\]\) BY (\S+) ID (\S+)$/ ) { | ||||
1226 | $mta_looked_up_dns = 1; | ||||
1227 | $helo = $1; $rdns = $2; $ip = $3; $by = $4; $id = $5; | ||||
1228 | goto enough; | ||||
1229 | } | ||||
1230 | } | ||||
1231 | |||||
1232 | # --------------------------------------------------------------------------- | ||||
1233 | |||||
1234 | elsif (s/^\(from //) { | ||||
1235 | # Norton AntiVirus Gateway | ||||
1236 | # Received: (from localhost [24.180.47.240]) | ||||
1237 | # by host.name (NAVGW 2.5.2.12) with SMTP id M2006060503484615455 | ||||
1238 | # for <user@domain.co.uk>; Mon, 05 Jun 2006 03:48:47 +0100 | ||||
1239 | if (/^(\S*) \[(${IP_ADDRESS})\]\) by (\S+) \(NAVGW .*?\) with /) { | ||||
1240 | $helo = $1; $ip = $2; $by = $3; | ||||
1241 | goto enough; | ||||
1242 | } | ||||
1243 | |||||
1244 | # header produced by command line /usr/bin/sendmail -t -f username@example.com | ||||
1245 | # Received: (from username@localhost) by home.example.com | ||||
1246 | # (8.12.11/8.12.11/Submit) id iBADHRP6011034; Fri, 10 Dec 2004 13:17:27 GMT | ||||
1247 | if (/^\S+\@localhost\) by \S+ /) { return 0; } | ||||
1248 | |||||
1249 | # Received: (from vashugins@juno.com) by m06.lax.untd.com (jqueuemail) id LRVB3JAJ; Fri, 02 Jun 2006 08:15:21 PDT | ||||
1250 | if (/^[^\s\@]+\@[^)]+\) by \S+\(jqueuemail\) id [^\s;]+/) { return 0; } | ||||
1251 | } | ||||
1252 | |||||
1253 | # --------------------------------------------------------------------------- | ||||
1254 | |||||
1255 | # FALL-THROUGH: OK, at this point let's try some general patterns for things | ||||
1256 | # we may not have already parsed out. | ||||
1257 | 29 | 1.05ms | 38 | 705µs | if (!$ip && /\[(${IP_ADDRESS})\]/) { $ip = $1; } # spent 563µs making 19 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 30µs/call
# spent 142µs making 19 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 7µs/call |
1258 | |||||
1259 | # --------------------------------------------------------------------------- | ||||
1260 | |||||
1261 | # We need to have a minimal amount of information to have a useful parse. | ||||
1262 | # If we have the IP and the "by" name, move forward. If we don't, we'll | ||||
1263 | # drop into the unparseable area. | ||||
1264 | 27 | 88µs | if ($ip && $by) { goto enough; } | ||
1265 | |||||
1266 | # Ok, we can't handle this header, go ahead and return that. | ||||
1267 | 11 | 222µs | return; | ||
1268 | |||||
1269 | # --------------------------------------------------------------------------- | ||||
1270 | |||||
1271 | enough: | ||||
1272 | |||||
1273 | # OK, line parsed (at least partially); now deal with the contents | ||||
1274 | |||||
1275 | # flag handovers we couldn't get an IP address from at all | ||||
1276 | 1041 | 2.61ms | if ($ip eq '') { | ||
1277 | dbg("received-header: could not parse IP address from: $_"); | ||||
1278 | } | ||||
1279 | |||||
1280 | # DISABLED: if we cut out localhost-to-localhost SMTP handovers, | ||||
1281 | # we will give FPs on SPF checks -- since the SMTP "MAIL FROM" addr | ||||
1282 | # will be recorded, but we won't have the relays handover recorded | ||||
1283 | # for that SMTP transaction, so we wind up checking the wrong IP | ||||
1284 | # for the addr. | ||||
1285 | if (0) { | ||||
1286 | if ($ip eq '127.0.0.1') { | ||||
1287 | dbg("received-header: ignoring localhost handover"); | ||||
1288 | return 0; # ignore localhost handovers | ||||
1289 | } | ||||
1290 | } | ||||
1291 | |||||
1292 | 1041 | 12.5ms | 1041 | 4.06ms | if ($rdns =~ /^unknown$/i) { # spent 4.06ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 4µs/call |
1293 | 5 | 13µs | $rdns = ''; # some MTAs seem to do this | ||
1294 | } | ||||
1295 | |||||
1296 | 1041 | 18.3ms | 1041 | 4.05ms | $ip =~ s/^ipv6://i; # remove "IPv6:" prefix # spent 4.05ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 4µs/call |
1297 | 2082 | 19.3ms | 2082 | 4.81ms | $ip =~ s/^\[//; $ip =~ s/\]\z//; # spent 4.81ms making 2082 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 2µs/call |
1298 | |||||
1299 | # IPv6 Scoped Address (RFC 4007, RFC 6874, RFC 3986 "unreserved" charset) | ||||
1300 | 1041 | 9.83ms | 1041 | 2.63ms | $ip =~ s/%[A-Z0-9._~-]*\z//si; # scoped address? remove <zone_id> # spent 2.63ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 3µs/call |
1301 | |||||
1302 | # remove "::ffff:" prefix from IPv4-mapped-in-IPv6 addresses, | ||||
1303 | # so we can treat them simply as IPv4 addresses | ||||
1304 | # (only handles 'alternative form', not 'preferred form' - to be improved) | ||||
1305 | 1041 | 16.4ms | 1041 | 3.68ms | $ip =~ s/^0*:0*:(?:0*:)*ffff:(\d+\.\d+\.\d+\.\d+)$/$1/i; # spent 3.68ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 4µs/call |
1306 | |||||
1307 | 2082 | 40.9ms | 2082 | 16.8ms | $envfrom =~ s/^\s*<*//gs; $envfrom =~ s/>*\s*$//gs; # spent 16.8ms making 2082 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 8µs/call |
1308 | 1041 | 28.2ms | 1041 | 5.74ms | $by =~ s/\;$//; # spent 5.74ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 6µs/call |
1309 | |||||
1310 | # ensure invalid chars are stripped. Replace with '!' to flag their | ||||
1311 | # presence, though. NOTE: this means "[1.2.3.4]" IP addr HELO | ||||
1312 | # strings, which are legit by RFC-2821, look like "!1.2.3.4!". | ||||
1313 | # still useful though. | ||||
1314 | 1041 | 13.1ms | 1041 | 6.84ms | $ip =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs; # spent 6.84ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 7µs/call |
1315 | 1041 | 10.9ms | 1041 | 4.19ms | $rdns =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs; # spent 4.19ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 4µs/call |
1316 | 1041 | 12.4ms | 1041 | 5.94ms | $helo =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs; # spent 5.94ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 6µs/call |
1317 | 1041 | 11.9ms | 1041 | 5.88ms | $by =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs; # spent 5.88ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 6µs/call |
1318 | 1041 | 9.03ms | 1041 | 1.87ms | $ident =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs; # spent 1.87ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 2µs/call |
1319 | 1041 | 9.45ms | 1041 | 2.12ms | $envfrom =~ s/[\s\000\#\[\]\(\)\<\>\|]/!/gs; # spent 2.12ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:subst, avg 2µs/call |
1320 | |||||
1321 | 1041 | 22.0ms | my $relay = { | ||
1322 | ip => $ip, | ||||
1323 | by => $by, | ||||
1324 | helo => $helo, | ||||
1325 | id => $id, | ||||
1326 | ident => $ident, | ||||
1327 | envfrom => $envfrom, | ||||
1328 | lc_by => (lc $by), | ||||
1329 | lc_helo => (lc $helo), | ||||
1330 | auth => $auth | ||||
1331 | }; | ||||
1332 | |||||
1333 | 1041 | 3.22ms | if ($rdns eq '') { | ||
1334 | 427 | 1.72ms | if ($mta_looked_up_dns) { | ||
1335 | # we know the MTA always does lookups, so this means the host | ||||
1336 | # really has no rDNS (rather than that the MTA didn't bother | ||||
1337 | # looking it up for us). | ||||
1338 | 383 | 1.67ms | $relay->{no_reverse_dns} = 1; | ||
1339 | 383 | 889µs | $rdns = ''; | ||
1340 | } else { | ||||
1341 | 44 | 168µs | $relay->{rdns_not_in_headers} = 1; | ||
1342 | } | ||||
1343 | } | ||||
1344 | |||||
1345 | 1041 | 6.82ms | $relay->{rdns} = $rdns; | ||
1346 | 1041 | 5.29ms | $relay->{lc_rdns} = lc $rdns; | ||
1347 | |||||
1348 | 1041 | 9.34ms | 1041 | 64.4ms | $self->make_relay_as_string($relay); # spent 64.4ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::make_relay_as_string, avg 62µs/call |
1349 | |||||
1350 | 1041 | 26.1ms | 2082 | 12.5ms | my $is_private = ($ip =~ /${IP_PRIVATE}/o); # spent 10.7ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:match, avg 10µs/call
# spent 1.86ms making 1041 calls to Mail::SpamAssassin::Message::Metadata::CORE:regcomp, avg 2µs/call |
1351 | 1041 | 5.33ms | $relay->{ip_private} = $is_private; | ||
1352 | |||||
1353 | # add it to an internal array so Eval tests can use it | ||||
1354 | 1041 | 39.4ms | return $relay; | ||
1355 | } | ||||
1356 | |||||
1357 | # spent 64.4ms (51.2+13.2) within Mail::SpamAssassin::Message::Metadata::make_relay_as_string which was called 1041 times, avg 62µs/call:
# 1041 times (51.2ms+13.2ms) by Mail::SpamAssassin::Message::Metadata::parse_received_line at line 1348, avg 62µs/call | ||||
1358 | 1041 | 2.47ms | my ($self, $relay) = @_; | ||
1359 | |||||
1360 | # as-string rep. use spaces so things like Bayes can tokenize them easily. | ||||
1361 | # NOTE: when tokenizing or matching, be sure to note that new | ||||
1362 | # entries may be added to this string later. However, the *order* | ||||
1363 | # of entries must be preserved, so that regexps that assume that | ||||
1364 | # e.g. "ip" comes before "helo" will still work. | ||||
1365 | # | ||||
1366 | 1041 | 18.7ms | my $asstr = "[ ip=$relay->{ip} rdns=$relay->{rdns} helo=$relay->{helo} by=$relay->{by} ident=$relay->{ident} envfrom=$relay->{envfrom} intl=0 id=$relay->{id} auth=$relay->{auth} msa=0 ]"; | ||
1367 | 1041 | 14.2ms | 1041 | 13.2ms | dbg("received-header: parsed as $asstr"); # spent 13.2ms making 1041 calls to Mail::SpamAssassin::Logger::dbg, avg 13µs/call |
1368 | 1041 | 12.6ms | $relay->{as_string} = $asstr; | ||
1369 | } | ||||
1370 | |||||
1371 | # restart the parse if we find a fetchmail marker or similar. | ||||
1372 | # spamcop does this, and it's a great idea ;) | ||||
1373 | sub found_pop_fetcher_sig { | ||||
1374 | my ($self) = @_; | ||||
1375 | if ($self->{allow_fetchmail_markers}) { | ||||
1376 | dbg("received-header: found fetchmail marker, restarting parse"); | ||||
1377 | $self->{relays_trusted} = [ ]; | ||||
1378 | $self->{relays_internal} = [ ]; | ||||
1379 | $self->{relays_external} = [ ]; | ||||
1380 | } else { | ||||
1381 | dbg("received-header: found fetchmail marker outside trusted area, ignored"); | ||||
1382 | } | ||||
1383 | } | ||||
1384 | |||||
1385 | # --------------------------------------------------------------------------- | ||||
1386 | |||||
1387 | 1 | 10µs | 1; |