Okay, fiendish as it is, here is what I am attempting to do.
It has been suspected for some time that some domains log incoming HTTP_FROM headers for spamming purposes. So I am writing a set of filters to make these spammers spam themselves by sending HTTP_FROM headers whose values are
[email protected][email protected]and so on. The two filters I developed for this purpose are
In = FALSE
Out = TRUE
Key = "From: (Out)"
Replace = "$LST(From) @h"
In = FALSE
Out = TRUE
Key = "From: 2 (Out)"
Match = "$LST(From) @*.1.2"
Replace = "$LST(From) @1.2"
and the "From" list used is
$CON(1,5)$SET(0=admin)
$CON(2,5)$SET(0=administrator)
$CON(3,5)$SET(0=ipadmin)
$CON(4,5)$SET(0=sysops)
$CON(5,5)$SET(0=webmaster)
These two filters work for all tested domains of the forms
domain.suffix or child1.domain.suffix
but not for domains of the form
child2.child1.domain.suffix
except in the special case that "suffix" has a dot in it such as "co.uk" They would also fail for domains of the form childN. ... child1.domain.suffix where N is greater than 2 and for domains of the form domain.suffix when suffix contains a dot.
Any ideas?