Solved: Regex string for SMTP command

rrutledge · ‎01-31-2007

Hi Everyone,

I would like to create a signature to look for SMTP "command mail from:<>". Is this the right regex statement to look for this traffic?

[Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm][:][<>]

wsulym · ‎01-31-2007

I usually use the hex equivalent of the space, but that's just personal preference as it makes it easier to read to me (and i don't inadvertently add random spaces where I don't want them).

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<>]

Realize that [<>] is a character class and means "<" or ">" in that spot, so the regex you propose would match:

mail from:<

or

mail from:>

If you wanted to find:

mail from:<> (no value in between the braces) then the following:

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<][>]

View solution in original post

wsulym · ‎01-31-2007

I usually use the hex equivalent of the space, but that's just personal preference as it makes it easier to read to me (and i don't inadvertently add random spaces where I don't want them).

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<>]

Realize that [<>] is a character class and means "<" or ">" in that spot, so the regex you propose would match:

mail from:<

or

mail from:>

If you wanted to find:

mail from:<> (no value in between the braces) then the following:

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<][>]

rrutledge · ‎01-31-2007

Thanks

rrutledge · ‎01-31-2007

Already got serveral hits

mhellman · ‎01-31-2007

Do you mean you're looking for the SMTP "mail from:" command following by empty brackets? That's close but not quite right.

[Mm][Aa][Ii][Ll][ \t]*[Ff][Rr][Oo][Mm][:][ \t]*[<][>]

I believe different mail servers allow different behavior, so you might be able to get rid of the "[ \t]*" sections if you know how your mail server behaves.