01-31-2007 11:28 AM - edited 03-10-2019 03:26 AM
Hi Everyone,
I would like to create a signature to look for SMTP "command mail from:<>". Is this the right regex statement to look for this traffic?
[Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm][:][<>]
01-31-2007 11:49 AM
I usually use the hex equivalent of the space, but that's just personal preference as it makes it easier to read to me (and I don't inadvertently add random spaces where I don't want them).
[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<>]
Realize that [<>] is a character class and means "<" or ">" in that spot, so the regex you propose would match:
mail from:<
or
mail from:>
If you wanted to find:
mail from:<> (no value in between the braces) then the following:
[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<][>]
01-31-2007 11:53 AM
Thanks
01-31-2007 12:00 PM
Already got several hits
01-31-2007 11:57 AM
Do you mean you're looking for the SMTP "mail from:" command followed by empty brackets? That's close but not quite right.
[Mm][Aa][Ii][Ll][ \t]*[Ff][Rr][Oo][Mm][:][ \t]*[<][>]
I believe different mail servers allow different behavior, so you might be able to get rid of the "[ \t]*" sections if you know how your mail server behaves.
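An added example, not part of any post in this thread: the three patterns posted above, run against constructed SMTP command lines to show which ones false-positive on a normal sender and which ones miss an empty sender written with extra whitespace. Python's `re` module stands in for the sensor's regex engine (an assumption), and the sample lines and the `score` helper are made up for illustration.

```python
import re

# The three patterns from the thread, copied verbatim.
PATTERNS = {
    "original": r"[Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm][:][<>]",
    "strict": r"[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<][>]",
    "tolerant": r"[Mm][Aa][Ii][Ll][ \t]*[Ff][Rr][Oo][Mm][:][ \t]*[<][>]",
}

# Constructed command lines (not captured traffic), each labelled with
# whether it carries an empty sender "<>". The whitespace variants assume
# a lenient mail server, as the last reply suggests some are.
SAMPLES = [
    (b"MAIL FROM:<>\r\n", True),
    (b"mail from:<>\r\n", True),
    (b"MAIL FROM: <>\r\n", True),      # space after the colon
    (b"MAIL\tFROM:<>\r\n", True),      # tab instead of space
    (b"MAIL FROM:<alice@example.com>\r\n", False),
    (b"RCPT TO:<bob@example.com>\r\n", False),
]


def score(pattern):
    """Return (false_positives, missed) for one pattern over SAMPLES.

    Uses search semantics: the pattern may match anywhere in the line,
    which is how a stream-oriented signature is normally evaluated.
    """
    rx = re.compile(pattern.encode("ascii"))
    false_pos = [s for s, empty in SAMPLES if rx.search(s) and not empty]
    missed = [s for s, empty in SAMPLES if empty and not rx.search(s)]
    return false_pos, missed


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        false_pos, missed = score(pattern)
        print(f"{name:9} false positives={false_pos} missed={missed}")
```

The tolerant pattern also matches `MAILFROM:<>` with no separator at all, because `[ \t]*` allows zero characters; whether that matters depends on what the mail server accepts.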