On Tue, Apr 26, 2022 at 03:59:36PM +0200, Matus UHLAR - fantomas wrote:
> On 26.04.22 16:11, Henrik K wrote:
> > Maybe a bit safer version that doesn't log huge strings and run wild
> >
> > full FOO /^(?=.*?\nContent-Type: message\/rfc822.{0,1024}?\nReceived:(?:[^\n]{1,100}\n\s{1,100}){0,3}[^\n]{0,100}\b1\.2\.3\.4\b)/s
>
> Doesn't this require mime headers in specific order that may not be
> fulfilled?

Well if you want to match rfc822 contents, its Received: headers can only be after a rfc822 declaration. Other than that it's up to you to figure out, since there are no samples. Of course this doesn't replace a full parser, but as long as the stuff you receive doesn't vary much, there's no reason for it not to work.
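
To see where the rule quoted above hits and misses, here is an added example (not part of the original thread) that runs the same pattern through Python's `re` module instead of SpamAssassin's Perl engine. The messages, host names and the `build`/`hits` helpers are constructed for illustration, and LF line endings are an assumption.

```python
import re

# Rule body from the post, unchanged; Perl's /s flag becomes re.S.
FOO = re.compile(
    r"^(?=.*?\nContent-Type: message\/rfc822.{0,1024}?\nReceived:"
    r"(?:[^\n]{1,100}\n\s{1,100}){0,3}[^\n]{0,100}\b1\.2\.3\.4\b)",
    re.S,
)

def build(outer_ip, inner_headers,
          part_headers="Content-Type: message/rfc822\n"):
    """Constructed sample: multipart mail carrying one attached message."""
    return (
        "From: a@example.org\n"
        f"Received: from gw.example.org (gw.example.org [{outer_ip}])\n"
        "\tby mail.example.net; Tue, 26 Apr 2022 10:00:00 +0200\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nsee attachment\n"
        "--b1\n" + part_headers + "\n" + inner_headers +
        "Subject: inner\n\nbody\n--b1--\n"
    )

def hits(msg):
    return FOO.search(msg) is not None

# Constructed inner Received: headers.
SAME_LINE = ("Received: from r.example.com (r.example.com [1.2.3.4])\n"
             "\tby gw.example.org\n")
FOLDED = ("Received: from r.example.com\n"
          "\t(r.example.com [1.2.3.4])\n\tby gw.example.org\n")
OTHER_IP = ("Received: from r.example.com (r.example.com [198.51.100.7])\n"
            "\tby gw.example.org\n")

CASES = {
    "inner_same_line": build("192.0.2.10", SAME_LINE),    # hit
    "inner_folded": build("192.0.2.10", FOLDED),          # hit via the {0,3} group
    "outer_only": build("1.2.3.4", OTHER_IP),             # IP only before the part
    "disposition_first": build(                           # other MIME header first
        "192.0.2.10", SAME_LINE,
        "Content-Disposition: attachment\nContent-Type: message/rfc822\n"),
    "past_1024_window": build(                            # Received: too far away
        "192.0.2.10", "X-Filler: " + "a" * 1100 + "\n" + SAME_LINE),
}

if __name__ == "__main__":
    for name, msg in CASES.items():
        print(f"{name:18} {'hit' if hits(msg) else 'miss'}")
```

The last case is the cost of the bounded quantifiers: an attached message whose first Received: header starts more than 1024 characters after the declaration is not matched.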