I’m pretty new to regex matching, but have been pretty successful using it to identify and eliminate a lot of SPAM from an email address I’d like to keep, but has unfortunately gotten out to the SPAM-A-LOT universe. For years I’d look at the headers, find the original “from” IP address, figure out the range of IPs I needed to screen (for example, the whole range associated with some Vietnam server if I have not friends there). I would then create a regex string to match. For example, If I found something like this in the header…
[CODE]from [[COLOR=#444444]171.232.66.71] blah blah blag…
and the range of IPs was
[/COLOR]
[CODE]171.224.0.0 – 171.255.255.255
then I might catch it with a regex string like…
[CODE]from [171.(?:22[4-9]|2[3-5][0-9]).
Of course that’s not really complete, but it worked, and when a message fails I actually return a failure message offering a link to a mail form, in case some friendly email got mistakenly tagged.
So this was working for years, but something has recently changed in the headers I see in much of my spam. Now when i look at the headers I might see a similar IP address in one of the headers that looks something like this…
[CODE]from [email protected] ([[COLOR=#444444]171.232.66.71]) blah blah blag…
[/COLOR]
Apparently its some kind of authentication where the originating email is included in the FROM string. Well, I can easily alter my regex to handle either the “([” or the “[” case. I guess there are many ways but I could precede my IP address criteria with something like
[CODE
That would handle either “[” or “(” before the IP address. BUT, what I’d rather do is start by matching the literal “from”, and then ignore any number of characters until either the ‘[‘ or the ‘([‘ is found. That way, any header with an email authentication in the from field could still be “caught” regardless of what the email address is.
So the question is, how do you “IGNORE UNTIL” as my post title suggests…
MATCH (literal “from”)
IGNORE (any email address following) UNTIL (either “[” or “([“)
Its the “ignore until” operation that’s tripping me up.