It will check the first @mydomain and continue checking, and when it gets to the second @ it will simply make firstname.lastname@example.org,jim be part of the ".*" in the regular expression and try matching @someplace.com to the rest of the regular expression.
Additionally, the following will NOT fire the alarm (false negative):
This is because the m as the first character after the 2 fails the regular expression match [^m].
To do what you wanted the sensor would have to support the negation of an entire sequence of characters rather than the negation of several single characters like:
But that is not supported.
So you could try writing a simple pattern like:
Instead of writing the full pattern using all of the characters.
It will fire on any email where one of the addresses does not have "@my" in it.
You will still get false positives and false negatives.
You can even play around with adding more characters to the regular expression to see if the rate of false positives and false negatives increases or decreases. It really depends on how closely the other addresses resemble your addresses as to how often the alarm will misfire.
In the end, it depends on what exactly you will be doing with the end alarm. If it is just to show how much your server is being used for relays that it shouldn't be used for, then a few false positives and some false negatives may be OK for what you are wanting.
Something else to consider:
If you have more than one domain:
Then you would need to do a character-by-character combination within each negation in the regular expression:
This could result in even more false positives and false negatives and that may or may not be OK for what you are doing.
Doesn't the RCPT TO: command have to be issued for each recipient? Anyway, our mail servers seem to toss any attempts to specify multiple comma separated values. This should eliminate a lot of the false positives you mention.
>>This because the . in the ninth place after @ does
>>NOT match [^.] which prevents the alarm from
Hmm...I think you're right. In fact, if _any_ of the above characters match in any position (i.e. m2345678.com) then the event won't trigger. Pretty much defeats the purpose.
>>To do what you wanted the sensor would have to
>>support the negation of an entire sequence of
>>characters rather than the negation of several
>>single characters like
Yes, that's exactly what I'm looking for. Something like Perl's lookahead assertions. Cisco, if you're listening... add this functionality please. Out of curiosity, I'm going to see what Snort's capabilities are in the arena tonight.
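The two approaches discussed in this thread, the sensor's one-character-at-a-time negation and the Perl-style negative lookahead, side by side. This is an added example, not a signature from the original posts or from any Cisco or Snort rule set; the sensor pattern, the local domain `mydomain.com` and the sample RCPT TO lines are all constructed here for illustration.

```python
import re

# Constructed SMTP RCPT TO lines for the demo (not taken from the thread), each
# paired with whether a relay alarm *should* fire: anything not @mydomain.com.
SAMPLES = [
    ("RCPT TO:<bob@mydomain.com>", False),
    ("RCPT TO:<jim@someplace.com>", True),
    ("RCPT TO:<jim@m2345678.com>", True),               # 'm' in first place after '@'
    ("RCPT TO:<jim@everyone.com>", True),               # '.' in ninth place after '@'
    ("RCPT TO:<bob@mydomain.com.evil.example>", True),  # look-alike suffix domain
    ("RCPT TO:<ann@mydomain.com>,<jim@someplace.com>", True),
]

# Negation one character at a time, the only construct the sensor offers:
# each class rejects just the letter of mydomain.com at that position.
PER_CHAR = re.compile(
    r"^RCPT TO:.*@[^m][^y][^d][^o][^m][^a][^i][^n][^.][^c][^o][^m]", re.I)

# Negation of the whole sequence with a Perl-style negative lookahead; the
# trailing group keeps 'mydomain.com.evil.example' from passing as local.
LOOKAHEAD = re.compile(
    r"^RCPT TO:.*@(?!mydomain\.com(?:[>,\s]|$))[^>,\s]+", re.I)


def misses(pattern):
    """Sample lines that should alarm but the pattern does not match (false negatives)."""
    return [line for line, should in SAMPLES if should and not pattern.search(line)]


def false_alarms(pattern):
    """Sample lines that should stay quiet but the pattern matches (false positives)."""
    return [line for line, should in SAMPLES if not should and pattern.search(line)]


if __name__ == "__main__":
    for name, pat in (("per-character negation", PER_CHAR),
                      ("negative lookahead", LOOKAHEAD)):
        print(f"{name}: {len(misses(pat))} false negatives, "
              f"{len(false_alarms(pat))} false positives")
        for line in misses(pat):
            print("   missed:", line)
```

Running it shows the per-character pattern silently dropping every foreign domain that happens to share a letter with mydomain.com at the same position, while the lookahead version alarms on all of them and stays quiet for the genuinely local recipient.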