procmail syntax: match IP address ranges.
on 11.05.2005 18:36:11 by keeling
Hi. In my setup, on receipt of UCE/UBE it's automatically fired off
to Spamcop. When the reply comes back, SC says what the offending IP
is (divined from analysis of Received: headers). I plug that IP into
a "whois -h ..." query, which comes up with a range of IPs, one member
of which is the offending IP. I'd like to drop that entire range.
kornet, bora.net, hanaro, and chinanet (among others) have all proved
themselves utterly indifferent to the existence of abuse from their
networks. I'd like to /dev/null everything from them.
Is this correct syntax:
# -----------------------------------------------
:0
* ^Received:.*(\[60\.(24-30)\.(0-255)\.(0-255)\
|\[222\.(164-165)\.(0-127)\.(0-255)\
|\[222\.(170-172)\.(0-127)\.(0-255)\
)
/dev/null
# -----------------------------------------------
Ie., the first one would match the range 60.24.0.0 - 60.30.255.255
Thanks.
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.ietf.org/rfc/rfc1855.txt
Spammers! http://www.spots.ab.ca/~keeling/autospam.html
Re: procmail syntax: match IP address ranges.
on 11.05.2005 21:24:27 by William Park
s. keeling wrote:
> Hi. In my setup, on receipt of UCE/UBE it's automatically fired off
> to Spamcop. When the reply comes back, SC says what the offending IP
> is (divined from analysis of Received: headers). I plug that IP into
> a "whois -h ..." query, which comes up with a range of IPs, one member
> of which is the offending IP. I'd like to drop that entire range.
> kornet, bora.net, hanaro, and chinanet (among others) have all proved
> themselves utterly indifferent to the existence of abuse from their
> networks. I'd like to /dev/null everything from them.
>
> Is this correct syntax:
>
> # -----------------------------------------------
> :0
> * ^Received:.*(\[60\.(24-30)\.(0-255)\.(0-255)\
> |\[222\.(164-165)\.(0-127)\.(0-255)\
> |\[222\.(170-172)\.(0-127)\.(0-255)\
> )
> /dev/null
> # -----------------------------------------------
>
> Ie., the first one would match the range 60.24.0.0 - 60.30.255.255
You might want to look at
http://freshmeat.net/projects/popchecksh/
http://home.eol.ca/~parkw/index.html#spam
--
William Park , Toronto, Canada
ThinFlash: Linux thin-client on USB key (flash) drive
http://home.eol.ca/~parkw/thinflash.html
Re: procmail syntax: match IP address ranges.
on 11.05.2005 22:57:53 by Alan Connor
On comp.mail.misc, in
, "s. keeling"
wrote:
> Hi. In my setup, on receipt of UCE/UBE it's automatically
> fired off to Spamcop. When the reply comes back, SC says
> what the offending IP is (divined from analysis of Received:
> headers). I plug that IP into a "whois -h ..." query, which
> comes up with a range of IPs, one member of which is the
> offending IP. I'd like to drop that entire range. kornet,
> bora.net, hanaro, and chinanet (among others) have all proved
> themselves utterly indifferent to the existence of abuse from
> their networks. I'd like to /dev/null everything from them.
>
> Is this correct syntax:
>
> # -----------------------------------------------
> :0
> * ^Received:.*(\[60\.(24-30)\.(0-255)\.(0-255)\
> |\[222\.(164-165)\.(0-127)\.(0-255)\
> |\[222\.(170-172)\.(0-127)\.(0-255)\
> )
> /dev/null
> # -----------------------------------------------
>
> Ie., the first one would match the range 60.24.0.0 -
> 60.30.255.255
>
Doesn't look right to me. Ranges in regexes are specified
with 0-9 being [0-9] or [0123456789], etc., to the best of my
knowledge, one possible digit at a time.
I'd google for this. Just trying it gives me a headache :-)
Gotta be in one of the many procmail FAQs.
Try your recipe. Find a mail with that IP range and put it in a
file.
cat file | procmail procmailrc2
With procmailrc2 being a minimal rc file with just that
recipe in it.
Professor Salmi has some things to say about this:
http://www.uwasa.fi/~ts/info/proctips.html
search "range".
AC
--
The reliance on technology to meet all human challenges
is obviously a failed strategy. It is endangering life
on Earth itself, and is driven by corporate greed, not
pure science.
Re: procmail syntax: match IP address ranges.
on 11.05.2005 23:18:00 by Sam
Beavis writes:
> Doesn't look right to me. Ranges in regexes are specified
> with 0-9 being [0-9] or [0123456789], etc., to the best of my
> knowledge, one possible digit at a time.
>
> I'd google for this. Just trying it gives me a headache :-)
He should also google for "Usenet Beavis", and see what comes up.
Google -- what a useful tool!
Re: procmail syntax: match IP address ranges.
on 12.05.2005 16:32:41 by Jem Berkes
> Hi. In my setup, on receipt of UCE/UBE it's automatically fired off
> to Spamcop. When the reply comes back, SC says what the offending IP
> is (divined from analysis of Received: headers). I plug that IP into
> a "whois -h ..." query, which comes up with a range of IPs, one member
> of which is the offending IP. I'd like to drop that entire range.
> kornet, bora.net, hanaro, and chinanet (among others) have all proved
> themselves utterly indifferent to the existence of abuse from their
> networks. I'd like to /dev/null everything from them.
My grepcidr program should help you out there; it will allow you to more
cleanly load your blacklist (list of ranges or CIDR netblocks) from a
text file. You can even use this to import ready-made blacklists off the
net, say by rsyncing daily, some of which are megabytes long :)
To do that you would make an external script, checkblack.sh.
When an email is fed to this script, GNU grep (-o option) will extract
IP addresses from Received headers and feed the IP address(es) to
grepcidr. The grepcidr process will compare the incoming IP against a
blacklist loaded from a file. That file can contain single IPs, netblocks
in CIDR format, or ranges.
#!/bin/sh
# Keep only the Received: lines, pull every dotted quad out of them, and let
# grepcidr's exit status say whether any of those addresses is on the blacklist.
grep ^Received | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" \
| grepcidr -f "$HOME/blacklist" > /dev/null
exit $?
Then your .procmailrc would just check this exit code, which cleans up
your procmail rule. The flag is to wait for exitcode; kill it or not?
:0 w
* ? $HOME/checkblack.sh
/dev/null
And as you need to update your blacklist you can then update a single
external file. If you're interested, adding CBL to your blacklist will
really kill your spam - rsync://rsync.cbl.abuseat.org/cbl/list.txt
--
Jem Berkes
Software design for Windows and Linux/Unix-like systems
http://www.sysdesign.ca/
Re: procmail syntax: match IP address ranges.
on 12.05.2005 16:42:20 by Jem Berkes
For the software, see
http://www.pc-tools.net/unix/grepcidr/
I've posted a copy of these procmail blacklist instructions under the
Resources section at the bottom of the page.
--
Jem Berkes
Software design for Windows and Linux/Unix-like systems
http://www.sysdesign.ca/
Re: procmail syntax: match IP address ranges.
on 12.05.2005 16:52:00 by Andrzej Adam Filip
s. keeling wrote:
> Hi. In my setup, on receipt of UCE/UBE it's automatically fired off
> to Spamcop. When the reply comes back, SC says what the offending IP
> is (divined from analysis of Received: headers). I plug that IP into
> a "whois -h ..." query, which comes up with a range of IPs, one member
> of which is the offending IP. I'd like to drop that entire range.
> kornet, bora.net, hanaro, and chinanet (among others) have all proved
> themselves utterly indifferent to the existence of abuse from their
> networks. I'd like to /dev/null everything from them.
>
> Is this correct syntax:
>
> # -----------------------------------------------
> :0
> * ^Received:.*(\[60\.(24-30)\.(0-255)\.(0-255)\
> |\[222\.(164-165)\.(0-127)\.(0-255)\
> |\[222\.(170-172)\.(0-127)\.(0-255)\
> )
> /dev/null
> # -----------------------------------------------
>
> Ie., the first one would match the range 60.24.0.0 - 60.30.255.255
Have you considered "per AS" ignoring? [AS=Autonomous (Routing) System]
e.g. http://linuxmafia.com/~karsten/Download/procmail-asn-header
--
Andrzej [en:Andrew] Adam Filip anfi@priv.onet.pl anfi@xl.wp.pl
Re: procmail syntax: match IP address ranges.
on 22.05.2005 10:37:45 by bonomi
In article ,
s. keeling wrote:
>Hi. In my setup, on receipt of UCE/UBE it's automatically fired off
>to Spamcop. When the reply comes back, SC says what the offending IP
>is (divined from analysis of Received: headers). I plug that IP into
>a "whois -h ..." query, which comes up with a range of IPs, one member
>of which is the offending IP. I'd like to drop that entire range.
>kornet, bora.net, hanaro, and chinanet (among others) have all proved
>themselves utterly indifferent to the existence of abuse from their
>networks. I'd like to /dev/null everything from them.
>
>Is this correct syntax:
>
># -----------------------------------------------
>:0
>* ^Received:.*(\[60\.(24-30)\.(0-255)\.(0-255)\
> |\[222\.(164-165)\.(0-127)\.(0-255)\
> |\[222\.(170-172)\.(0-127)\.(0-255)\
>)
>/dev/null
># -----------------------------------------------
>
>Ie., the first one would match the range 60.24.0.0 - 60.30.255.255
Short answer to your question, as asked: "NO." Your syntax is all wet.
See a good manual on "regular expressions".
Some of your 'apparent' errors:
0) (this is background, not an error)
you have to match against the individual characters in the text
("dotted quad") representation of the address - you cannot process
the entire 'octet' as a single character.
1) parentheses are used for 'grouping' of patterns, meaningful only
either for 'alternations', or repeat counts.
2) a 'range' of values can be specified only as part of a single-character
match. i.e., within '[' and ']'
3) 'range' boundaries must be *single*character* entities.
What you have written will look for an _exact_match_ on the literal string
[60.24-30.0-255.0-255
which I _really_ doubt is what you intend.
Note: since that is a group of /16 nets, there's really no need to check
the last two octets. Thus you can use a much simpler:
\[60\.(2[4-9]|30)\.
Re: procmail syntax: match IP address ranges.
on 28.05.2005 13:14:48 by Alan Connor
On comp.mail.misc, in
, "s. keeling"
wrote:
> Hi. In my setup, on receipt of UCE/UBE it's automatically
> fired off to Spamcop. When the reply comes back, SC says
> what the offending IP is (divined from analysis of Received:
> headers). I plug that IP into a "whois -h ..." query, which
> comes up with a range of IPs, one member of which is the
> offending IP. I'd like to drop that entire range. kornet,
> bora.net, hanaro, and chinanet (among others) have all proved
> themselves utterly indifferent to the existence of abuse from
> their networks. I'd like to /dev/null everything from them.
>
> Is this correct syntax:
>
> # -----------------------------------------------
> :0
> * ^Received:.*(\[60\.(24-30)\.(0-255)\.(0-255)\
> |\[222\.(164-165)\.(0-127)\.(0-255)\
> |\[222\.(170-172)\.(0-127)\.(0-255)\
> )
> /dev/null
> # -----------------------------------------------
>
> Ie., the first one would match the range 60.24.0.0 -
> 60.30.255.255
>
> Thanks.
>
>
Got some new insight into this that you might find useful.
IP addresses are really just long binary numbers
converted into a pseudo-decimal format. If you convert
them into REAL decimal numbers you can use simple ">"
"<" checks in a filter script to see if they fall
within a range of these converted numbers.
So you'd use a procmail recipe to peel off the IP, pipe
it to a filter script that would do the conversions
and take its ranges from a list in a separate file,
making it easy to add and subtract ranges from your
blocklist.
The script would be written to exit with 1 if the
number fell outside a forbidden range of numbers
(IP addresses converted to decimal) which would
allow you to use the "e" flag to pass the mail
onto the next recipe if it was good.
Or vice-versa on all those elements.
If you are interested, let me know here and I
can supply more details.
AC
--
Please visit my home page:
http://angel.1jh.com./nanae/kooks/alanconnor.html
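The external-script approach from Jem Berkes's post above (grep -o the addresses out of the Received: lines, compare them with a blacklist file) and the "convert to a real number and compare" filter described in this post come down to the same few functions, so here is one self-contained version of both, added as an example; it is neither grepcidr nor either poster's own script. It assumes GNU grep's -o, a blacklist with one entry per line in any of the three forms grepcidr's description mentions (single IP, a.b.c.d/nn netblock, a.b.c.d-e.f.g.h range), and the bracketed relay address an MTA writes into Received:; the blacklist and message below are constructed.

```shell
#!/bin/sh
# Stand-in for the checkblack.sh / grepcidr approach and for the "convert
# to a real number and compare" filter (added example, not either poster's
# code). Blacklist entries: single IP, a.b.c.d/nn, or a.b.c.d-e.f.g.h.
# Pack a dotted quad into one integer so a range test is just -ge/-le.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# Print "low high" as integers for one blacklist entry of any of the 3 forms.
entry_bounds() {
    case $1 in
    */*) bits=${1#*/}; size=$(( 1 << (32 - bits) ))                  # CIDR block
         lo=$(( $(ip2int "${1%/*}") / size * size )); hi=$(( lo + size - 1 )) ;;
    *-*) lo=$(ip2int "${1%-*}"); hi=$(ip2int "${1#*-}") ;;           # start-end
    *)   lo=$(ip2int "$1"); hi=$lo ;;                                # single host
    esac
    echo "$lo $hi"
}
# 0 if IP $1 lies inside any entry of blacklist file $2, else 1.
ip_blocked() {
    n=$(ip2int "$1"); list=$2
    while read -r entry; do
        case $entry in ''|'#'*) continue ;; esac          # skip blanks and comments
        set -- $(entry_bounds "$entry")
        if [ "$n" -ge "$1" ] && [ "$n" -le "$2" ]; then return 0; fi
    done < "$list"
    return 1
}
# 0 if any IP on a Received: line of the message on stdin is blocked.
# Like the original script this only sees unfolded Received: lines.
message_blocked() {
    for ip in $(grep '^Received:' | grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}'); do
        if ip_blocked "$ip" "$1"; then return 0; fi
    done
    return 1
}
# Constructed data: the three ranges from the original question plus a /24
# and a single host taken from the RFC 5737 documentation address space.
sample_blacklist() {
    printf '%s\n' 60.24.0.0-60.30.255.255 222.164.0.0-222.165.127.255 \
        222.170.0.0-222.172.127.255 203.0.113.0/24 192.0.2.1
}
sample_message() {   # constructed Received: header; $1 is the relay's address
    printf 'Received: from relay.example.net ([%s]) by mx.example.org\n\nbody\n' "$1"
}
if [ $# -eq 1 ]; then message_blocked "$1"; fi   # procmail: * ? checkblack.sh $HOME/blacklist
```

Called from the `:0 w` / `* ? ...` recipe shown earlier with the blacklist path as its one argument, the exit status is 0 for "drop" and 1 for "pass", which is exactly what that recipe tests.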
Re: procmail syntax: match IP address ranges.
on 28.05.2005 16:24:16 by Sam
Beavis writes:
> Got some new insight into this that you might find useful.
Oh, this will definitely be a good one. Your insights always prove to be --
well, I'm not sure exactly what they are. I'll get back to you.
> IP addresses are really just long binary numbers
> converted into a psuedo-decimal format.
Beavis, how long is "long", in your world?
> If you convert
> them into REAL decimal numbers you can use simple ">"
> "<" checks in a filter script to see if they fall
> within a range of these converted numbers.
And, Beavis, would you like to enlighten us how you think they should be
"converted into REAL decimal numbers".
I'm anxiously awaiting your explanation.
> So you'd use a procmail recipe to peel off the IP, pipe
> it to a filter script that would do the conversions
> and take its ranges from a list in a seperate file,
> making it easy to add and subtract ranges from your
> blocklist.
Also, don't forget the eye of newt, the feather of a chicken, and the spell
at the bottom of page 7 of "Magical Incantations For Dummies."
> The script would be written to exit with 1 if the
> number fell outside a forbidden range of numbers
Oooh! Forbidden numbers. How kinky.
> (IP addresses converted to decimal) which would
> allow you to use the "e" flag to pass the mail
> onto the next recipe if it was good.
All right, we need another recipe. You take care of slaughtering the
animals, and I'll make a run at the general store and get the rest of the
ingredients.
> If you are interested, let me know here and I
> can supply more details.
Please do.
Re: procmail syntax: match IP address ranges.
on 29.05.2005 00:17:19 by Garen Erdoisa
s. keeling wrote:
> Hi. In my setup, on receipt of UCE/UBE it's automatically fired off
> to Spamcop. When the reply comes back, SC says what the offending IP
> is (divined from analysis of Received: headers). I plug that IP into
> a "whois -h ..." query, which comes up with a range of IPs, one member
> of which is the offending IP. I'd like to drop that entire range.
> kornet, bora.net, hanaro, and chinanet (among others) have all proved
> themselves utterly indifferent to the existence of abuse from their
> networks. I'd like to /dev/null everything from them.
>
> Is this correct syntax:
>
> # -----------------------------------------------
> :0
> * ^Received:.*(\[60\.(24-30)\.(0-255)\.(0-255)\
> |\[222\.(164-165)\.(0-127)\.(0-255)\
> |\[222\.(170-172)\.(0-127)\.(0-255)\
> )
> /dev/null
> # -----------------------------------------------
>
> Ie., the first one would match the range 60.24.0.0 - 60.30.255.255
>
> Thanks.
>
>
The correct regular expression for an exact match for the range
60.24.0.0 - 60.30.255.255 is:
:0
* ^Received:.*(60\.(2[4-9]|30)\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))
This can be shortened a bit if you don't care about an exact match for
the last two octets.
:0
* ^Received:.*(60\.(2[4-9]|30)\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?)
Or:
:0
* ^Received:.*(60\.(2[4-9]|30)\.[0-9]+\.[0-9]+)
The range you specified is a subset of
60.24.0.0/13 (60.24.0.0 - 60.31.255.255).
If you want to match the entire /13 CIDR range, the 2nd octet regular
expression needs to be (2[4-9]|3[0-1])
Garen
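To see what the regexes in this post and in bonomi's earlier reply actually select, here they are run through grep -E against constructed Received: lines; this is an added example, not code from any of the posters. It assumes grep -E's POSIX extended syntax (the character classes, alternation and `\.` used here behave the same in procmail's egrep-style matcher) and the bracketed relay address that MTAs write into Received:. The interesting row is 160.24.1.1: only the form without the leading `\[` matches it, which is how a /8 that was never listed ends up in /dev/null.

```shell
#!/bin/sh
# Added example: run the thread's regexes through grep -E (POSIX extended
# syntax, the same classes and alternation procmail's egrep-style matcher
# accepts) against constructed Received: lines, to show what each one
# really selects and why the \[ before the first octet matters.
OCTET='([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'   # exactly 0-255
R24_30='(2[4-9]|30)'     # second octet 24-30, the range asked about
R13='(2[4-9]|3[0-1])'    # 24-31, the whole 60.24.0.0/13 Garen points out

# bonomi's short form: /16s, so the last two octets are not checked; the
# \[ ties "60." to the start of the bracketed relay address.
anchored='^Received:.*\[60\.'"$R24_30"'\.'
# Garen's exact-octet form, which has nothing in front of "60.".
unanchored='^Received:.*60\.'"$R24_30"'\.'"$OCTET"'\.'"$OCTET"
# Bracketed on both sides: the entire relay address must be in the /13.
exact='^Received:.*\[60\.'"$R13"'\.'"$OCTET"'\.'"$OCTET"'\]'

# Constructed Received: line in the shape an MTA writes; $1 is the relay.
rcvd() { printf 'Received: from host.example.net ([%s]) by mx.example.org' "$1"; }
# Print "match" or "nomatch" for regex $1 against a Received: line for IP $2.
verdict() {
    if rcvd "$2" | grep -Eq "$1"; then echo match; else echo nomatch; fi
}
# Table of all three regexes against the borderline addresses.
# 160.24.1.1 is the false positive: only "unanchored" matches it.
table() {
    for ip in 60.24.0.1 60.30.255.255 60.31.0.0 60.32.0.0 160.24.1.1 60.240.1.1; do
        printf '%-14s anchored=%-8s unanchored=%-8s exact=%s\n' "$ip" \
            "$(verdict "$anchored" "$ip")" "$(verdict "$unanchored" "$ip")" \
            "$(verdict "$exact" "$ip")"
    done
}
table
```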