how can I detect multi-hops using regular expression?

sandy&cloud

Post by sandy&cloud » Wed Sep 01, 2004 8:26 am

how can I detect multi-hops using regular expression?

I tried to find 2 or more "Received:" strings in the mail header, with:

[^\A]^Received:

and it worked.

but some customized (?) SMTP servers generate a mail header without "Received:" on the very first line, and then it doesn't work. :|

any help will be appreciated. thank you!

Rdsok
PopTray Family
Posts: 1422
Joined: Fri Mar 19, 2004 11:36 pm
Location: Norman, Oklahoma USA

Post by Rdsok » Wed Sep 01, 2004 4:29 pm

I don't have an answer for you, but I was curious as to why look for multiple 'Received:' at all. The only time I have seen less than 2 on an email is when the email is sent from the same server that I get my email from, which is rare.

sandy&cloud

Post by sandy&cloud » Wed Sep 01, 2004 11:46 pm

thank you for your reply.

it is for detecting single-hop mainly, reversing it by "NOT" function.

2+ "Received:" in header:
dial-up users' mail comes with multi-hops, because they usually send mail through an ISP-owned SMTP server. and this is probably legitimate.

1 "Received:" in header:
spam and viruses use a direct SMTP connection. it comes with no relay. single-hop.

each case is different. that's why I wanted to count hops. ;)

Rdsok
PopTray Family
Posts: 1422
Joined: Fri Mar 19, 2004 11:36 pm
Location: Norman, Oklahoma USA

Post by Rdsok » Wed Sep 01, 2004 11:53 pm

Ok, I was just curious. If I get time later I will try a few ideas I have but right now I don't have much mail to test with.

FYI, if someone you know is also using the same email server as you are, you will also get just one 'Received:' (I tested it on my accounts, of which I have up to 7 email addresses).

I'll report back if I can come up with a good alternate later for you.

sandy&cloud

Post by sandy&cloud » Thu Sep 02, 2004 1:33 am

thank you very much!

yes, I receive mail from the same ISP/domain that contains just one "Received:" in the header.
this kind of mail is easy to protect against, because I have ISP inside information a spammer never knows.

problem comes from outside.

for example:
match ".aol.com [" (all mail from .aol.com)
AND
match *just one* "Received:" (direct SMTP connection from .aol.com)

using them in combination, I can block spam/virus-suspicious mail from .aol.com, even if I don't know the name of the .aol.com SMTP server. :)

quosego
Guru
Posts: 219
Joined: Mon Oct 15, 2001 11:42 pm
Location: The Netherlands

Post by quosego » Thu Sep 02, 2004 11:47 pm

Sorry guys, but I am not sure I understand this thread, but while reading I get the feeling this could be useful to me.

On my main account I get an increasing amount of spam. Although K9 works pretty accurately, I need a second indicator before deleting automatically.

Since my address is probably on several lists, I receive mails addressed to multiple recipients that are identical during a couple of days. By making a rule that detects both the K9 mark AND one other recipient address (not mine, of course) I manage to delete a lot of spam.
Unfortunately the addresses of the other recipients change from time to time, so I have to add more rules.

So assuming I have address me@myprovider.com, I would need a rule that would look like:

IF
SUBJECT contains [spam] {= the K9 mark}
AND
TO contains otheraddress@myprovider.com
THEN delete message

Reading this thread, I think this could be done. Or not?

(I realize this is not 100% safe)

Rdsok
PopTray Family
Posts: 1422
Joined: Fri Mar 19, 2004 11:36 pm
Location: Norman, Oklahoma USA

Post by Rdsok » Fri Sep 03, 2004 12:13 am

quosego,

What sandy&cloud is talking about is that the header of an email normally will have at least 2, if not more, lines with 'Received:' in it. That is what normal SMTP email servers put on the mail for tracking reasons. She is wanting to catch emails that only contain 1 of those, which is unusual except in a few cases. I had planned on trying to help define a rule that would fit the criteria, but it seems that I ended up doing a reload of my computer instead and haven't been able to test any of my ideas yet :cry: . I'll try to get back to that after I get everything restored to my computer.

For your situation, if you are running the beta 3.1 v6, you can define 2 rule criteria (in one rule) and select under 'Needed' the 'ALL Rows' then just create the two criteria you mentioned below that. If you need more help, create a new thread and I'll try to answer any further questions there since this is a different issue.

Hope that helps.

sandy&cloud

Post by sandy&cloud » Sat Sep 04, 2004 2:32 am

I've found a very useful program, a TRegExpr checker. (TRegExpr seems to be used internally by PopTray.)
http://regexpstudio.com/Downloads/TestRExp.zip

then I tried this regular expression:

(?ms)(^Received:.+){2}?(?ms-)

yes! finally worked! :D

I also referred to this page about the (m, s) modifiers as Perl extensions:
http://regexpstudio.com/TRegExpr/Help/R ... yntax.html

# sorry for my poor English and some misspelled words in my posts.
# thank you Rdsok for your kind help.
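
The hop-counting idea from this thread, worked through as an added example that is not from the thread, from PopTray or from TRegExpr: a Python translation of the `(?ms)(^Received:.+){2}?` pattern (Python spells the m and s modifiers as `re.MULTILINE` and `re.DOTALL`), next to a plain counter that classifies a message as relayed (2+ hops) or direct (1 hop) the way sandy&cloud describes. The two sample messages, their hostnames and addresses are constructed for the example. The counter also limits itself to the header section (everything before the first blank line), because a "Received:" at the start of a body line would otherwise be counted as a hop; `count_received_naive` shows that difference.

```python
import re

# Constructed sample messages (not taken from the thread). Header folding
# (continuation lines starting with whitespace) is included on purpose, as is
# a "Received:" line inside the body that must not be counted as a hop.
RELAYED_MAIL = (
    "Return-Path: <someone@example.net>\n"
    "Received: from mx1.example.org (mx1.example.org [192.0.2.10])\n"
    "\tby mail.example.com with ESMTP id 1234;\n"
    "\tWed, 01 Sep 2004 08:00:00 +0000\n"
    "Received: from dialup-7.example.net (dialup-7.example.net [198.51.100.7])\n"
    "\tby mx1.example.org with SMTP;\n"
    "From: someone@example.net\n"
    "Subject: hello\n"
    "\n"
    "Received: this line is in the body and must not be counted\n"
)

DIRECT_MAIL = (
    "Return-Path: <bulk@example.com>\n"
    "Received: from [203.0.113.5] (unknown [203.0.113.5])\n"
    "\tby mail.example.com with SMTP;\n"
    "From: bulk@example.com\n"
    "Subject: offer\n"
    "\n"
    "body text\n"
)

# Python equivalent of the thread's TRegExpr pattern (?ms)(^Received:.+){2}?
# MULTILINE makes ^ match at every line start; DOTALL lets . cross newlines,
# so the greedy .+ backtracks until a second line-initial "Received:" is found.
# The lazy {2}? of the original equals {2}: the count is fixed either way.
TWO_OR_MORE_HOPS = re.compile(r"(^Received:.+){2}", re.MULTILINE | re.DOTALL)

# Counter: a field starts at the beginning of a line, so folded continuation
# lines (indented) are not matched and each header field counts once.
RECEIVED_FIELD = re.compile(r"^Received:", re.MULTILINE)


def header_section(raw):
    """Return the header part of a raw message: everything before the first blank line."""
    return raw.split("\n\n", 1)[0]


def count_received_naive(raw):
    """Count line-initial 'Received:' over the whole message, body included."""
    return len(RECEIVED_FIELD.findall(raw))


def count_received(raw):
    """Count 'Received:' header fields, ignoring anything in the body."""
    return len(RECEIVED_FIELD.findall(header_section(raw)))


def has_multiple_hops(raw):
    """The thread's regex approach: True when at least two Received: fields exist."""
    return TWO_OR_MORE_HOPS.search(header_section(raw)) is not None


def classify_hops(raw):
    """Relayed (2+ hops), direct (1 hop) or unknown (no Received: at all).

    A single hop also occurs for mail from a sender on your own mail server,
    as Rdsok notes, so 'direct' is an indicator to combine with other rules,
    not a verdict on its own.
    """
    n = count_received(raw)
    if n >= 2:
        return "relayed"
    if n == 1:
        return "direct"
    return "unknown"


if __name__ == "__main__":
    for name, msg in (("relayed", RELAYED_MAIL), ("direct", DIRECT_MAIL)):
        print(name, count_received(msg), has_multiple_hops(msg), classify_hops(msg))
```

Like the PopTray rule in the thread, the "direct" result is meant to be ANDed with another criterion (a sender domain, a K9 mark) rather than used alone.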

Rdsok
PopTray Family
Posts: 1422
Joined: Fri Mar 19, 2004 11:36 pm
Location: Norman, Oklahoma USA

Post by Rdsok » Sat Sep 04, 2004 2:46 am

sandy&cloud,

You're more than welcome, but I was hardly any real help: since my home computer went south and I had to reload, I couldn't try any of the ideas I had for you.

By the way, TRegExpr is the library that Renier is using in PopTray (that is actually mentioned in a post somewhere). Another RegExpr checker program that I like is Expresso, just click on the name for a link to the website.

Your English is just fine also. :D
