Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Regex string for SMTP command

Hi Everyone,

I would like to create a signature to look for SMTP "command mail from:<>". Is this the right regex statement to look for this traffic?

[Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm][:][<>]

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Regex string for SMTP command

I usually use the hex equivalent of the space, but that's just personal preference as it makes it easier to read to me (and i don't inadvertently add random spaces where I don't want them).

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<>]

Realize that [<>] is a character class and means "<" or ">" in that spot, so the regex you propose would match:

mail from:<

or

mail from:>

If you wanted to find:

mail from:<> (no value in between the braces) then the following:

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<][>]

4 REPLIES
Cisco Employee

Re: Regex string for SMTP command

I usually use the hex equivalent of the space, but that's just personal preference as it makes it easier to read to me (and i don't inadvertently add random spaces where I don't want them).

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<>]

Realize that [<>] is a character class and means "<" or ">" in that spot, so the regex you propose would match:

mail from:<

or

mail from:>

If you wanted to find:

mail from:<> (no value in between the braces) then the following:

[Mm][Aa][Ii][Ll]\x20[Ff][Rr][Oo][Mm][:][<][>]

New Member

Re: Regex string for SMTP command

Thanks

New Member

Re: Regex string for SMTP command

Already got serveral hits

Gold

Re: Regex string for SMTP command

Do you mean you're looking for the SMTP "mail from:" command following by empty brackets? That's close but not quite right.

[Mm][Aa][Ii][Ll][ \t]*[Ff][Rr][Oo][Mm][:][ \t]*[<][>]

I believe different mail servers allow different behavior, so you might be able to get rid of the "[ \t]*" sections if you know how your mail server behaves.

227
Views
0
Helpful
4
Replies
CreatePlease login to create content