Re: Quick header check question and anchors

2019-05-17 Thread Pedro David Marco
Thanks a lot, John, Bill, RW... I now see it water clear...

On Thursday, May 16, 2019, 10:59:19 PM GMT+2, RW wrote:

 On Thu, 16 May 2019 13:31:27 + (UTC)
Pedro David Marco wrote:

> Hi!
> I have a Received like this:
> 
> Received: from pafkiet.edu.pk (email.pafkiet.edu.pk [203.170.75.90])
>   by 
> 
> 
> I want a rule to match the beginning of a Received:
> A rule like this works ok:
> 
> header    MY_RULE    Received =~  /.*from pafkiet.edu.pk/ 
> 
> and in debug mode it shows:
> MY_RULE ==> got hit: "from pafkiet.edu.pk"
> 
> BUT if I add the  ^ anchor to the rule then it does not work...
> header    MY_RULE    Received =~  /^from pafkiet.edu.pk/  
> 
> Why???


Because you missed out the /m modifier. Without it your rule can only
match the top received header. So 


header    MY_RULE    Received =~  /^from pafkiet.edu.pk/m  

Re: Quick header check question and anchors

2019-05-16 Thread RW
On Thu, 16 May 2019 13:31:27 + (UTC)
Pedro David Marco wrote:

> Hi!
> I have a Received like this:
> 
> Received: from pafkiet.edu.pk (email.pafkiet.edu.pk [203.170.75.90])
>   by 
> 
> 
> I want a rule to match the beginning of a Received:
> A rule like this works ok:
> 
> header    MY_RULE    Received =~  /.*from pafkiet.edu.pk/ 
> 
> and in debug mode it shows:
> MY_RULE ==> got hit: "from pafkiet.edu.pk"
> 
> BUT if I add the  ^ anchor to the rule then it does not work...
> header    MY_RULE    Received =~  /^from pafkiet.edu.pk/  
> 
> Why???


Because you missed out the /m modifier. Without it your rule can only
match the top received header. So 


header    MY_RULE    Received =~  /^from pafkiet.edu.pk/m


Re: Quick header check question and anchors

2019-05-16 Thread Bill Cole

On 16 May 2019, at 9:31, Pedro David Marco wrote:


> Hi!
> I have a Received like this:
>
> Received: from pafkiet.edu.pk (email.pafkiet.edu.pk [203.170.75.90])
>   by 
>
> I want a rule to match the beginning of a Received:
> A rule like this works ok:
>
> header    MY_RULE    Received =~  /.*from pafkiet.edu.pk/
>
> and in debug mode it shows:
> MY_RULE ==> got hit: "from pafkiet.edu.pk"
>
> BUT if I add the  ^ anchor to the rule then it does not work...
> header    MY_RULE    Received =~  /^from pafkiet.edu.pk/
>
> Why???
>
> It seems there is nothing between start of line and "from"...


Yes. However, the way the matching is done for headers that may have 
multiple instances in a message makes it necessary to use the 'm' 
modifier on the regular expression if you want anchors to work on a 
single instance of the target header.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
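
What the replies above describe, as an added example (not code from the thread or from SpamAssassin): a Python model that assumes every Received instance is unfolded and joined with newlines into the one string the rule is tested against, with `re.MULTILINE` standing in for Perl's `/m`. The message, the `mx.example.net` hop and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the pafkiet.edu.pk hop from the thread sits below a newer,
# made-up hop (mx.example.net), so it is not the top Received header.
RAW = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP; Thu, 16 May 2019 13:31:30 +0000\n"
    "Received: from pafkiet.edu.pk (email.pafkiet.edu.pk [203.170.75.90])\n"
    "\tby mx.example.net with ESMTP; Thu, 16 May 2019 13:31:27 +0000\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def header_text(raw, name):
    """Model of the string a header rule sees (assumption): every instance of
    `name`, unfolded to one line each, top-most first, newline-terminated."""
    values = message_from_string(raw).get_all(name, [])
    unfolded = [re.sub(r"\r?\n[ \t]+", " ", v).strip() for v in values]
    return "".join(v + "\n" for v in unfolded)


def rule_hits(pattern, text, multiline=False):
    """Return the matched substrings, like the 'got hit' debug line."""
    flags = re.MULTILINE if multiline else 0
    return [m.group(0) for m in re.finditer(pattern, text, flags)]


if __name__ == "__main__":
    text = header_text(RAW, "Received")
    for label, pattern, multiline in [
        ("/.*from pafkiet.edu.pk/", r".*from pafkiet.edu.pk", False),
        ("/^from pafkiet.edu.pk/", r"^from pafkiet.edu.pk", False),
        ("/^from pafkiet.edu.pk/m", r"^from pafkiet.edu.pk", True),
    ]:
        print(label, "->", rule_hits(pattern, text, multiline))
```

Swap the two Received headers in `RAW` and the un-flagged `^` rule hits as well, which is why an anchored rule without `/m` can appear to work on a single-hop test message.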


Re: Quick header check question and anchors

2019-05-16 Thread John Hardin

On Thu, 16 May 2019, Pedro David Marco wrote:


> Hi!
> I have a Received like this:
>
> Received: from pafkiet.edu.pk (email.pafkiet.edu.pk [203.170.75.90])
>   by 
>
> I want a rule to match the beginning of a Received:
> A rule like this works ok:
>
> header    MY_RULE    Received =~  /.*from pafkiet.edu.pk/
>
> and in debug mode it shows:
> MY_RULE ==> got hit: "from pafkiet.edu.pk"
>
> BUT if I add the  ^ anchor to the rule then it does not work...
> header    MY_RULE    Received =~  /^from pafkiet.edu.pk/
>
> Why???


Add this for analysis purposes:

  header   __ALL_RCVD  Received =~ /.*/
  tflags   __ALL_RCVD  multiple

Then you can look in the hits log and see exactly what the full header 
strings are.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the good of having the government prohibited from doing harm
  far outweighs the harm of having it obstructed from doing good.
   -- Mike@mike-istan
---
 777 days since the first commercial re-flight of an orbital booster (SpaceX)