Hi All,
Yeah, I don’t have a decent grasp on regex, but I need one (I think) for a KMail filter. I need to match this one line in a Subject:
***SPAM*** lfd on srv07.srv07-inet-design.com: 93.174.93.68 (NL/Netherlands/-) blocked for port scanning
(the spam part is intermittent), based on these two pieces:
‘lfd on srv07.srv07-inet-design.com:’ -and- ‘) blocked for port scanning’
Is there a way to do that without regex? If not, anyone know a solution off the top of their head? Or a really good guide to regex (that doesn’t make your head swim)?
Best, Michael
On Saturday 17 October 2020 06:45:43 pm Michael via tde-users wrote:
Hi All,
Yeah, I don’t have a decent grasp on regex, but I need one (I think) for a KMail filter. I need to match this one line in a Subject:
***SPAM*** lfd on srv07.srv07-inet-design.com: 93.174.93.68 (NL/Netherlands/-) blocked for port scanning
(the spam part is intermittent), based on these two pieces:
‘lfd on srv07.srv07-inet-design.com:’
Edit: lfd on srvNN.srvNN-inet-design.com:
NN = any two numerical digits only
-and- ‘) blocked for port scanning’
Is there a way to do that without regex? If not, anyone know a solution off the top of their head? Or a really good guide to regex (that doesn’t make your head swim)?
Best, Michael
On Sat, 17 Oct 2020 19:01:08 -0500 Michael via tde-users ml-migration-agent@trinitydesktop.org wrote:
On Saturday 17 October 2020 06:45:43 pm Michael via tde-users wrote:
Hi All,
Yeah, I don’t have a decent grasp on regex, but I need one (I think) for a KMail filter. I need to match this one line in a Subject:
***SPAM*** lfd on srv07.srv07-inet-design.com: 93.174.93.68 (NL/Netherlands/-) blocked for port scanning
(the spam part is intermittent), based on these two pieces:
‘lfd on srv07.srv07-inet-design.com:’
Edit: lfd on srvNN.srvNN-inet-design.com:
NN = any two numerical digits only
(Note: I didn't bother testing anything. Typos are unlikely, but possible.)
Assuming Kmail uses PCRE and not Posix regex, you can match the first chunk with:
lfd on srv\d\d.srv\d\d-inet-design.com
and the second with:
) blocked for port scanning$
(the $ confines that portion of the match to the end of the string). If I were trying to match the entire line, I'd probably use something like:
^[^a-z]*lfd on srv\d\d.srv\d\d-inet-design.com: \d\d?\d?.\d\d?\d?.\d\d?\d?.\d\d?\d? ([^)]+) blocked for port scanning$
-and- ‘) blocked for port scanning’
Is there a way to do that without regex? If not, anyone know a solution off the top of their head? Or a really good guide to regex (that doesn’t make your head swim)?
Are there other messages about "blocked for port scanning" that you need to be sure you receive? If not, I'd just do a subject-contains filter using that string and forget about the regex.
(I use regexes a lot in my day job, so I'm the last person to ask about gentle introductions to the topic—I usually go straight to the perlre manpage if there's something I need to look up.)
E. Liddell
--------------------------------------------------------------------- To unsubscribe, e-mail: trinity-users-unsubscribe@lists.pearsoncomputing.net For additional commands, e-mail: trinity-users-help@lists.pearsoncomputing.net Read list messages on the web archive: http://trinity-users.pearsoncomputing.net/ Please remember not to top-post: http://trinity.pearsoncomputing.net/mailing_lists/#top-posting
On Sunday 18 October 2020 01:50:33 am deloptes via tde-users wrote: On Saturday 17 October 2020 08:25:49 pm E. Liddell via tde-users wrote:
On Sat, 17 Oct 2020 19:01:08 -0500 Michael via tde-users ml-migration-agent@trinitydesktop.org wrote:
On Saturday 17 October 2020 06:45:43 pm Michael via tde-users wrote:
I need to match this one line in a Subject:
***SPAM*** lfd on srv07.srv07-inet-design.com: 93.174.93.68 (NL/Netherlands/-) blocked for port scanning
(the spam part is intermittent), based on these two pieces:
lfd on srvNN.srvNN-inet-design.com: NN = any two numerical digits only
-and- ‘) blocked for port scanning’
(Note: I didn't bother testing anything. Typos are unlikely, but possible.)
Assuming Kmail uses PCRE and not Posix regex, you can match the first chunk with:
lfd on srv\d\d.srv\d\d-inet-design.com
and the second with:
) blocked for port scanning$
(the $ confines that portion of the match to the end of the string). If I were trying to match the entire line, I'd probably use something like:
^[^a-z]*lfd on srv\d\d.srv\d\d-inet-design.com: \d\d?\d?.\d\d?\d?.\d\d?\d?.\d\d?\d? ([^)]+) blocked for port scanning$
Are there other messages about "blocked for port scanning" that you need to be sure you receive? If not, I'd just do a subject-contains filter using that string and forget about the regex.
Sadly, yes, when a client's user gets "blocked for port scanning" the phrase ends up in the Subject (to/from the client). Generally after I've found the block message I forward, and modify the Subject, but my existing rule is a subject-contains filter so then I have to go searching for client replies from the thousands of messages in the 'blocked' folder.
You can use kregexpeditor from kregexpeditor-trinity - it took me 3min to build the rules for each line with middle level regexp.
^.*srv[\d]{2,2}.srv[\d]{2,2}-inet-design.com.*$
^.*)\sblocked\sfor\sport\sscanning.*$
That is way cool! I pasted both of the expressions into kregexpeditor then fiddled with them to come up with:
^.*lfd on srv[\d]{2,2}.srv[\d]{2,2}-inet-design.com.*) blocked for port scanning$
I dropped the escaped spaces (\s) and used the repeat exactly two digits syntax, mostly because it made kregexpeditor’s pictograph look cleaner (in the vain theory that’d give better performance).
I wouldn’t have thought to use either a line start or a line end, but I’m guessing they both help to give better performance to the regex engine?
# # #
E., deloptes,
Thank you both so much, combined you’ve saved me hours of digging to get this to work. If either of you ever come through the Nashville area, I’ll buy you a beer/pastry/whatever your vice is! Well, that applies to basically everyone on this list, this has to be the best list I’ve ever been on…
Best Regards All, Michael
Michael via tde-users wrote:
Hi All,
Yeah, I don’t have a decent grasp on regex, but I need one (I think) for a KMail filter. I need to match this one line in a Subject:
***SPAM*** lfd on srv07.srv07-inet-design.com: 93.174.93.68 (NL/Netherlands/-) blocked for port scanning
(the spam part is intermittent), based on these two pieces:
‘lfd on srv07.srv07-inet-design.com:’ -and- ‘) blocked for port scanning’
Is there a way to do that without regex? If not, anyone know a solution off the top of their head? Or a really good guide to regex (that doesn’t make your head swim)?
You can use kregexpeditor from kregexpeditor-trinity - it took me 3min to build the rules for each line with middle level regexp.
^.*srv[\d]{2,2}.srv[\d]{2,2}-inet-design.com.*$
^.*)\sblocked\sfor\sport\sscanning.*$
--------------------------------------------------------------------- To unsubscribe, e-mail: trinity-users-unsubscribe@lists.pearsoncomputing.net For additional commands, e-mail: trinity-users-help@lists.pearsoncomputing.net Read list messages on the web archive: http://trinity-users.pearsoncomputing.net/ Please remember not to top-post: http://trinity.pearsoncomputing.net/mailing_lists/#top-posting
-
deloptes -
E. Liddell
-
Michael