Regex string for SMTP command

Answered Question
Jan 31st, 2007

Hi Everyone,

I would like to create a signature to look for SMTP "command mail from:<>". Is this the right regex statement to look for this traffic?

[Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm][:][<>]

I have this problem too.
0 votes
Correct Answer by wsulym about 9 years 8 months ago

I usually use the hex equivalent of the space, but that's just personal preference as it makes it easier to read to me (and i don't inadvertently add random spaces where I don't want them).

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<>]

Realize that [<>] is a character class and means "<" or ">" in that spot, so the regex you propose would match:

mail from:<

or

mail from:>

If you wanted to find:

mail from:<> (no value in between the braces) then the following:

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<][>]

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Correct Answer
wsulym Wed, 01/31/2007 - 11:49

I usually use the hex equivalent of the space, but that's just personal preference as it makes it easier to read to me (and i don't inadvertently add random spaces where I don't want them).

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<>]

Realize that [<>] is a character class and means "<" or ">" in that spot, so the regex you propose would match:

mail from:<

or

mail from:>

If you wanted to find:

mail from:<> (no value in between the braces) then the following:

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<][>]

mhellman Wed, 01/31/2007 - 11:57

Do you mean you're looking for the SMTP "mail from:" command following by empty brackets? That's close but not quite right.

[Mm][Aa][Ii][Ll][ \t]*[Ff][Rr][Oo][Mm][:][ \t]*[<][>]

I believe different mail servers allow different behavior, so you might be able to get rid of the "[ \t]*" sections if you know how your mail server behaves.

Actions

This Discussion