On Sunday 18 October 2020 01:50:33 am deloptes via tde-users wrote: On Saturday 17 October 2020 08:25:49 pm E. Liddell via tde-users wrote:
On Sat, 17 Oct 2020 19:01:08 -0500 Michael via tde-users ml-migration-agent@trinitydesktop.org wrote:
On Saturday 17 October 2020 06:45:43 pm Michael via tde-users wrote:
I need to match this one line in a Subject:
***SPAM*** lfd on srv07.srv07-inet-design.com: 93.174.93.68 (NL/Netherlands/-) blocked for port scanning
(the spam part is intermittent), based on these two pieces:
lfd on srvNN.srvNN-inet-design.com: NN = any two numerical digits only
-and- ‘) blocked for port scanning’
(Note: I didn't bother testing anything. Typos are unlikely, but possible.)
Assuming Kmail uses PCRE and not Posix regex, you can match the first chunk with:
lfd on srv\d\d.srv\d\d-inet-design.com
and the second with:
) blocked for port scanning$
(the $ confines that portion of the match to the end of the string). If I were trying to match the entire line, I'd probably use something like:
^[^a-z]*lfd on srv\d\d.srv\d\d-inet-design.com: \d\d?\d?.\d\d?\d?.\d\d?\d?.\d\d?\d? ([^)]+) blocked for port scanning$
Are there other messages about "blocked for port scanning" that you need to be sure you receive? If not, I'd just do a subject-contains filter using that string and forget about the regex.
Sadly, yes, when a client's user gets "blocked for port scanning" the phrase ends up in the Subject (to/from the client). Generally after I've found the block message I forward, and modify the Subject, but my existing rule is a subject-contains filter so then I have to go searching for client replies from the thousands of messages in the 'blocked' folder.
You can use kregexpeditor from kregexpeditor-trinity - it took me 3min to build the rules for each line with middle level regexp.
^.*srv[\d]{2,2}.srv[\d]{2,2}-inet-design.com.*$
^.*)\sblocked\sfor\sport\sscanning.*$
That is way cool! I pasted both of the expressions into kregexpeditor then fiddled with them to come up with:
^.*lfd on srv[\d]{2,2}.srv[\d]{2,2}-inet-design.com.*) blocked for port scanning$
I dropped the escaped spaces (\s) and used the repeat exactly two digits syntax, mostly because it made kregexpeditor’s pictograph look cleaner (in the vain theory that’d give better performance).
I wouldn’t have thought to use either a line start or a line end, but I’m guessing they both help to give better performance to the regex engine?
# # #
E., deloptes,
Thank you both so much, combined you’ve saved me hours of digging to get this to work. If either of you ever come through the Nashville area, I’ll buy you a beer/pastry/whatever your vice is! Well, that applies to basically everyone on this list, this has to be the best list I’ve ever been on…
Best Regards All, Michael