On Mon, 8 Apr 2019, @lbutlr wrote:

> Really? Where outside the Received headers do IPs appear in your email headers?

Well, let's see. Running a rough grep on 270-message spam folder

# grep -E '^[-A-Za-z0-9]+:.*[^.0-9]{0,1}[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' ~/mail/FN | sort -u -k1,1 -t:
Authentication-Results: spf=fail (sender IP is 52.233.28.167)
List-Help: <http://121.242.224.101/lists/admin/?p=preferences&uid=fb545e011f371409028a40346e99f6ff>
List-Subscribe: <http://121.242.224.101/lists/admin/?p=subscribe>
List-Unsubscribe: <http://121.242.224.101/lists/admin/?p=unsubscribe&uid=fb545e011f371409028a40346e99f6ff&jo=1>
Message-ID: <0.0.8.0.1D4BD9273731DDA.4A40C20 at scotiabank-ses.com>
Received: from sonic308-11.consmr.mail.ne1.yahoo.com (sonic308-11.consmr.mail.ne1.yahoo.com [66.163.187.34])
Received-SPF: pass (google.com: domain of notification at facebookmail.com designates 66.220.155.142 as permitted sender) client-ip=66.220.155.142;
X-Cyberoam-smtpxy-version: 1.0.6.3
X-EN-OrigIP: 190.5.95.101
X-MDRemoteIP: 116.206.165.50
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=2396b2c2-187d-4b86-8827-064ef261b437;Ip=[52.233.28.167];Helo=[[10.0.0.5]]
X-Mailer: DM Pro6 [GB - 6.1.6.52]
X-Originating-IP: 18.213.73.4
X-PHP-Script: www.bi.cz/index.php for 77.51.76.64
X-Rambler-User: Wareafrequentv987210 at rambler.ru/45.74.4.160
X-SENDER-IP:113.227.63.115
X-SES-Outgoing: 2019.01.09-54.240.4.4
X-SentFromServer: 207.8.96.25
X-Source-IP: 196.42.37.18
X-Source-Sender: ppp-196-42-37-18.coqui.net ([10.8.4.39]) [196.42.37.18]:60668
X-SourceIP: 197.211.63.193
X-Spam-Summary: 30,2,0,,d41d8cd98f00b204,petroleum at scientmed.com,:,RULES_HIT:2:10:41:355:379:541:542:560:960:962:967:969:973:982:988:989:1021:1029:1155:1189:1221:1260:1263:1308:1309:1313:1314:1345:1381:1436:1437:1516:1517:1518:1535:1575:1587:1588:1589:1592:1594:1691:1730:1776:1792:2198:2199:2525:2526:2527:2528:2553:2559:2562:2682:2685:2693:2859:2902:2911:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3194:3353:3362:3740:3865:3866:3867:3868:3870:3872:3873:3874:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4049:4120:4321:4361:4379:4425:4552:5007:6117:6631:6658:6678:6684:7628:7688:7903:8603:8957:9025:9163:9388:9868:10026:10049:10128:10197:10848:10919:11656:11658:11914:12043:12050:12438:12457:12663:12895:13138:13139:13174:13229:13231:13439:14096:14659:21080:21212:21324:21325:21433:21450:21451:21499:21524:21627:21819:30018:30021:30022:30026:30054:30056:30062:30070:30090,0,RBL:125.99.156.6:@scientmed.com:.lbl8.mailshell.net-62.6.117.100 64.201.201.201,CacheIP:non
X-SpamExperts-Username: 89.42.221.17
X-TCPREMOTEIP: 115.97.184.63
X-VirtualServer: Transactional, sv016071.hosted.strongview.com, 172.18.101.71
x-originating-ip: [46.252.109.60]
x-pmwin-version: 3.1.3.0, Antivirus-Engine: 3.74.1, Antivirus-Data: 5.60

That's a *small* sample of where IPs can show up. A non-trivial IP pattern is probably more likely to be missed by a selective header match than false matched by a non-selective header search. However, it's worth double checking what you're matching against (e.g. Subject: so that you can mention this IP without mangling your subject title).

Joseph Tam <jtam.home at gmail.com>
On 9 Apr 2019, at 17:07, Joseph Tam via dovecot <dovecot at dovecot.org> wrote:
> On Mon, 8 Apr 2019, @lbutlr wrote:
>
>> Really? Where outside the Received headers do IPs appear in your email headers?
>
> Well, let's see. Running a rough grep on 270-message spam folder
>
> # grep -E '^[-A-Za-z0-9]+:.*[^.0-9]{0,1}[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' ~/mail/FN | sort -u -k1,1 -t:
> Authentication-Results: spf=fail (sender IP is 52.233.28.167)

a better IP regex:

\b(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b

or

\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b

I checked a quarter million messages and all listed a domain in Authentication-result, not an IP, though to be fair some had matches like:

Authentication-Results: hostedmail.net.au; auth=pass smtp.auth=110.232.141.226 at out.zuver.net.au

> List-Help: <http://121.242.224.101/lists/admin/?p=preferences&uid=fb545e011f371409028a40346e99f6ff>
> List-Subscribe: <http://121.242.224.101/lists/admin/?p=subscribe>
> List-Unsubscribe: <http://121.242.224.101/lists/admin/?p=unsubscribe&uid=fb545e011f371409028a40346e99f6ff&jo=1>

I am quite sure I have never seen a mailing list with IPs in those headers. But I did check. None. Some false matches along the lines of

List-Unsubscribe: <mailto:465465-4654-117-162.xxx.xxx.xxx-gmail at abuse.*munged*.com>

> Message-ID: <0.0.8.0.1D4BD9273731DDA.4A40C20 at scotiabank-ses.com>

Not an IP

> Received: from sonic308-11.consmr.mail.ne1.yahoo.com (sonic308-11.consmr.mail.ne1.yahoo.com [66.163.187.34])

Yes, I said received.

> Received-SPF: pass (google.com: domain of notification at facebookmail.com designates 66.220.155.142 as permitted sender) client-ip=66.220.155.142;

Yes, this is also a Received header, but sure.

<many X-headers>

And I wouldn't count any x-header.

Regardless, I don't think you can search all headers.

-- 
'You know the worst of it?' said Rincewind.
'Oook?'
'I don't even remember walking under a mirror.' --Mort
Martin Johannes Dauser
2019-Apr-10 09:23 UTC
sieve match ANY header with extension vnd.dovecot.execute
You could send the message to an external program, which checks if the
specific IP address is mentioned.
You need to manually activate the pigeonhole extension
vnd.dovecot.execute:
https://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Extprograms
and
https://wiki2.dovecot.org/Pigeonhole/Sieve
This page links to an RFC describing the action/test execute.
https://raw.githubusercontent.com/dovecot/pigeonhole/master/doc/rfc/spec-bosch-sieve-extprograms.txt
Sieve Test:
----------------------------------------------
require [ "vnd.dovecot.execute" ]
if execute :pipe "check4ip.sh" {
  # actions to process when check4ip.sh found the specific IP
  action;
}
----------------------------------------------
/in/dovecot/defined/path/by/sieve_execute_bin_dir/check4ip.sh
----------------------------------------------
#!/bin/bash
IP='127.0.0.1'
# take the message from standard input and save the lines grep finds for $IP as $M
# (-F matches the address literally, so the dots are not regex wildcards)
M=$(grep -F -- "$IP")
# exit with success (exit 0) only if $M is not empty
if [ -z "$M" ]; then
    exit 1
fi
exit 0
----------------------------------------------
A test named pipe exists too, but it doesn't seem to be implemented in
pigeonhole?
http://mailutils.org/manual/html_chapter/Sieve-Language.html :

Test: pipe [:envelope] [:header] [:body] [:exit code(number)] [:signal code(number)] command(string)

    Synopsis:
    require "test-pipe";
    if pipe command
      {

      }

    Description: The pipe test executes a shell command specified by its argument and pipes the entire message (including envelope) to its standard input. When given, tags :envelope, :header, and :body control what parts of the message to pipe to the command.

    In the absence of the :exit tag, the test returns true if the command exits with code 0. If :exit is given, the test returns true if the command exits with code equal to its argument.

    The :signal tag determines the result of the test in case the program exits on signal. By default, the test returns false. If :signal is given and the number of the signal which caused the program to terminate matches its argument, the test returns true.
On Tue, 2019-04-09 at 18:09 -0600, @lbutlr via dovecot wrote:
> On 9 Apr 2019, at 17:07, Joseph Tam via dovecot <dovecot at
> dovecot.org> wrote:
> > On Mon, 8 Apr 2019, @lbutlr wrote:
> >
> > > Really? Where outside the Received headers do IPs appear in your
email headers?
> >
> > Well, let's see. Running a rough grep on 270-message spam folder
> >
> > # grep -E
'^[-A-Za-z0-9]+:.*[^.0-9]{0,1}[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
~/mail/FN | sort -u -k1,1 -t:
> > Authentication-Results: spf=fail (sender IP is 52.233.28.167)
>
> a better IP regex:
\b(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b
>
> or
>
>
\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b
>
> I checked a quarter million messages and all listed a domain in
Authentication-result, not an IP, though to be fair some had matches like:
>
> Authentication-Results: hostedmail.net.au; auth=pass
smtp.auth=110.232.141.226 at out.zuver.net.au
>
> > List-Help:
<http://121.242.224.101/lists/admin/?p=preferences&uid=fb545e011f371409028a40346e99f6ff>
> > List-Subscribe:
<http://121.242.224.101/lists/admin/?p=subscribe>
> > List-Unsubscribe:
<http://121.242.224.101/lists/admin/?p=unsubscribe&uid=fb545e011f371409028a40346e99f6ff&jo=1>
>
> I am quite sure I have never seen a mailing list with IPs in those header.
But I did check. None. Some false matches along the lines of
>
> List-Unsubscribe: <mailto:465465-4654-117-162.xxx.xxx.xxx-gmail at
abuse.*munged*.com>
>
> > Message-ID: <0.0.8.0.1D4BD9273731DDA.4A40C20 at
scotiabank-ses.com>
>
> Not an IP
>
> > Received: from sonic308-11.consmr.mail.ne1.yahoo.com
(sonic308-11.consmr.mail.ne1.yahoo.com [66.163.187.34])
>
> Yes, I said received.
>
> > Received-SPF: pass (google.com: domain of notification at
facebookmail.com designates 66.220.155.142 as permitted sender)
client-ip=66.220.155.142;
>
> Yes, this is also a Received header, but sure.
>
> <many X-headers>
>
> And I wouldn't count any x-header.
>
> Regardless, I don't think you can search all headers.
>
>
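As an added example, not code from any post in this thread and not Pigeonhole's own: a stricter check4ip.sh for the execute :pipe test above. Pigeonhole pipes the whole message, so the script limits itself to the header section (the role the :header tag plays in the mailutils pipe test), unfolds continuation lines, and anchors the address so that 127.0.0.1 is not also found inside 127.0.0.10. It also includes a header-name inventory in the spirit of Joseph's grep, using the octet pattern from the thread. The sample message, the --check argument convention and the function names are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pigeonhole: a stricter
# check4ip.sh for "execute :pipe" that searches only the header section
# for one exact IPv4 address. The sample message below is constructed.

# Turn a dotted quad into an anchored ERE so that 192.0.2.10 is not also
# found inside 192.0.2.100 or 1192.0.2.10 (a plain grep "$IP" would do both).
ip_to_regex() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '(^|[^0-9.])%s([^0-9.]|$)' "$esc"
}

# Read a message on stdin and print its header block, one logical header
# per line: stop at the first empty line (start of the body), strip CR,
# and join folded continuation lines onto the header they belong to.
header_block() {
    awk '
        { sub(/\r$/, "") }
        /^$/ { exit }
        /^[ \t]/ { sub(/^[ \t]+/, ""); line = line " " $0; next }
        { if (line != "") print line; line = $0 }
        END { if (line != "") print line }
    '
}

# Exit 0 if the address in $1 appears in any header of the message on stdin,
# 1 otherwise; the body is never searched.
headers_mention_ip() {
    header_block | grep -E -q "$(ip_to_regex "$1")"
}

# Inventory helper in the spirit of the grep earlier in the thread: print
# the names of all headers that carry a well-formed dotted quad (octets
# 0-255, the octet pattern from the thread), one name per line, sorted.
header_ips_by_name() {
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    header_block | grep -E "(^|[^0-9.])($octet\.){3}$octet([^0-9.]|$)" \
        | cut -d: -f1 | sort -u
}

# Constructed sample message: one IP in a Received header, one in a folded
# X-Originating-IP header, and one in the body that must be ignored.
SAMPLE_HIT='Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.example.org with ESMTP; Tue, 9 Apr 2019 10:00:00 +0000
X-Originating-IP:
 192.0.2.10
Subject: test

body mentions 203.0.113.5 but the body is not searched
'

# Entry point for Sieve: "check4ip.sh --check 192.0.2.10" reads the message
# on stdin and exits 0 (found) or 1 (not found). Without --check only the
# functions are defined, so the file can be sourced for self-checks.
if [ "$1" = "--check" ]; then
    headers_mention_ip "$2"
    exit $?
fi
```

Put it in sieve_execute_bin_dir and call it with the address as a program argument, e.g. execute :pipe "check4ip.sh" ["--check", "192.0.2.10"]; the argument list after the program name is what the extprograms spec linked above describes, so check the exact syntax against that document for your Pigeonhole version. Searching only the header block is what keeps a body that merely quotes an address (a bounce, a forwarded abuse report) from triggering the rule.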