From: Ralf Hildebrandt (Ralf.Hildebrandtcharite.de)
Date: Thu May 02 2002 - 07:54:53 CDT

    On Thu, May 02, 2002 at 04:52:32PM +0400, Michael Tokarev wrote:

    > No, postfix does not *store* client's IP address in queue file.

    I noticed. "man pipe" is my friend.

    > Here is a code fragment from my honeypot handler:
    >
    > IP=`sed -n \
    > -e 's/^Received: from.* \[\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\])$/\1/p' \
    > -e '/^Received: /q' \
    > $MAIL`
    >
    > This matches the following (from your message as seen here):
    >
    > [Return-Path or some other header(s) may be here]
    > Received: from mail.corpit.ru (mail.corpit.ru [217.23.134.198])
    > by mail.tls.msk.ru (Postfix) with ESMTP id 86E878C2D
    > for <mjtpaltus.tls.msk.ru>; Thu, 2 May 2002 12:05:26 +0400 (MSD)
    > (envelope-from avcheck-adminlist.corpit.ru)

    This is totally sufficient.

    > With the above, one may use "$FROM" in log line. Like:
    >
    > logger .. "infected by $MSG;$FROM from=$SENDER to=$*"

    Yep.

    -- 
    Ralf Hildebrandt (Im Auftrag des Referat V A)   Ralf.Hildebrandtcharite.de
    Charite Campus Virchow-Klinikum                 Tel.  +49 (0)30-450 570-155
    Referat V A - Kommunikationsnetze -             Fax.  +49 (0)30-450 570-916
    May's Law: The quality of correlation is inversely proportional to the
    density of control. (The fewer data points, the smoother the curves.) 
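
Added example, not part of the original thread: a stricter version of the quoted sed fragment that still reads only the topmost `Received:` header, but also stops at the end of the header block, checks each octet, and strips control characters from envelope values before they reach the log line. The function names `first_received_ip`, `log_safe` and `write_sample` are hypothetical, and the sample message is constructed (its first `Received:` line is modelled on the one quoted above).

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Print the client IPv4 from the topmost Received: header of file $1.
# Only that header is written by the local Postfix; Received: lines
# below it arrived with the message and are sender-supplied.
# Reading stops at the first blank line (end of headers).
first_received_ip() {
    ip=$(sed -n \
        -e '/^$/q' \
        -e '/^Received: /{' \
        -e 's/^Received: from.* \[\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)\])$/\1/p' \
        -e 'q' \
        -e '}' "$1")
    [ -n "$ip" ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip                       # split into octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Strip control characters from sender-controlled values before logging.
log_safe() {
    printf '%s' "$1" | tr -d '\000-\037\177'
}

# Constructed sample: the second Received: stands in for a forged line.
write_sample() {
    cat > "$1" <<'EOF'
Return-Path: <sender@example.invalid>
Received: from mail.corpit.ru (mail.corpit.ru [217.23.134.198])
    by mail.tls.msk.ru (Postfix) with ESMTP id 86E878C2D;
    Thu, 2 May 2002 12:05:26 +0400 (MSD)
Received: from forged (forged [10.9.8.7])
    by elsewhere.example.invalid; Thu, 2 May 2002 12:00:00 +0400

body
EOF
}

MAIL=$(mktemp)
write_sample "$MAIL"
SENDER='someone@example.invalid'     # constructed envelope sender
IP=$(first_received_ip "$MAIL") || IP=unknown
echo "infected; client=$IP from=$(log_safe "$SENDER")"
rm -f "$MAIL"
```

In a real handler the final `echo` would be the `logger` call from the thread.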
    
