On Sunday 18 October 2020 01:50:33 am deloptes via tde-users wrote:
On Saturday 17 October 2020 08:25:49 pm E. Liddell via tde-users wrote:
> On Sat, 17 Oct 2020 19:01:08 -0500
> Michael via tde-users <ml-migration-agent@xxxxxxxxxxxxxxxxxx> wrote:
> > On Saturday 17 October 2020 06:45:43 pm Michael via tde-users wrote:
> > > I need to match this one line in a Subject:
> > >
> > > ***SPAM*** lfd on srv07.srv07-inet-design.com: 93.174.93.68
> > > (NL/Netherlands/-) blocked for port scanning
> > >
> > > (the spam part is intermittent), based on these two pieces:
> > >
> > lfd on srvNN.srvNN-inet-design.com:
> > NN = any two numerical digits only
> > > -and-
> > > ‘) blocked for port scanning’
>
> (Note: I didn't bother testing anything. Typos are unlikely, but
> possible.)
>
> Assuming Kmail uses PCRE and not Posix regex, you can match the first
> chunk with:
>
> lfd on srv\d\d\.srv\d\d-inet-design\.com
>
> and the second with:
>
> \) blocked for port scanning$
>
> (the $ confines that portion of the match to the end of the string).
> If I were trying to match the entire line, I'd probably use something
> like:
>
> ^[^a-z]*lfd on srv\d\d\.srv\d\d-inet-design\.com:
> \d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d? \([^\)]+\) blocked for port
> scanning$
> Are there other messages about "blocked for port scanning" that you need
> to be sure you receive? If not, I'd just do a subject-contains filter
> using that string and forget about the regex.
Sadly, yes, when a client's user gets "blocked for port scanning" the phrase
ends up in the Subject (to/from the client). Generally after I've found the
block message I forward, and modify the Subject, but my existing rule is a
subject-contains filter so then I have to go searching for client replies
from the thousands of messages in the 'blocked' folder.
> You can use kregexpeditor from kregexpeditor-trinity - it took me 3min to
> build the rules for each line with middle level regexp.
>
> ^.*srv[\d]{2,2}\.srv[\d]{2,2}-inet-design\.com.*$
>
> ^.*\)\sblocked\sfor\sport\sscanning.*$
That is way cool! I pasted both of the expressions into kregexpeditor then
fiddled with them to come up with:
^.*lfd on srv[\d]{2,2}\.srv[\d]{2,2}-inet-design\.com.*\) blocked for port
scanning$
I dropped the escaped spaces (\s) and used the repeat exactly two digits
syntax, mostly because it made kregexpeditor’s pictograph look cleaner (in
the vain theory that’d give better performance).
I wouldn’t have thought to use either a line start or a line end, but I’m
guessing they both help to give better performance to the regex engine?
# # #
E., deloptes,
Thank you both so much, combined you’ve saved me hours of digging to get this
to work. If either of you ever come through the Nashville area, I’ll buy you
a beer/pastry/whatever your vice is! Well, that applies to basically
everyone on this list, this has to be the best list I’ve ever been on…
Best Regards All,
Michael
____________________________________________________
tde-users mailing list -- users@xxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxx
Web mail archive available at https://mail.trinitydesktop.org/mailman3/hyperkitty/list/users@xxxxxxxxxxxxxxxxxx
