* On 09 Dec 2014, John Long wrote: > The messages seem to all have message-ids in the form > > bunchofch...@m.something.com
You'll need to be much more specific if you want help writing a matching regex. Is "something" a semantic variable or literal? What does "bunchofchars" look like? >From all I can gather it sounds like they're generating totally legit and normalized message-ids. Any message-id that someone out here provides you will match false positives as well. That's why we need specific examples to help. > They also have email ids in the form > > Idiot Spammer <id...@m.something.com> By "email id" do you mean address? Again, that looks completely normal. Matching it will require examples. > > However if your spammer's message-ids are actually showing an RFC822 > > address format, you might try: > > > > ~i '\S+\s+<\S+@\S+>' > > > > I'm assuming your regex library supports \s, \S. PCRE does. Otherwise > > you could try > > > > ~i '[^ ]+ +<[^ ]+@[^ ]+>' > > You lost me on these two regexps. What's going on here? That matches the following: [text][whitespace]<[text]@[text]> This is what an email address should look like, but a message ID should have only the <text@text> part. (It should not have leading text + whitespace.) -- David Champion • d...@bikeshed.us