解析通过 last Received: from header 发送 IP 的电子邮件

Posted 2023-03-15

【中文标题】解析通过 last Received: from header 发送 IP 的电子邮件

【英文标题】：Parsing email sending IP via last Received: from header

【发布时间】：2016-10-22 07:43:28

【问题描述】：

我希望利用 Received: from 标头解析电子邮件标头中的最后一个 IP 地址。我正在寻找最后收到的：来自标头并识别任何 IP。我下面的代码似乎不起作用，因为收到的“等”中有许多特殊字符。我也遇到了 ip 可能不在同一行的问题。有没有办法轻松识别电子邮件标头中的最后一个发送 IP，它可能位于单独的行中？

这是我最初使用的：

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Text.RegularExpressions;
using System.Net;
using System.IO;

namespace IP

    class Program
    
        static void Main(string[] args)
        
            int counter = 0;
            string line;
            System.IO.StreamReader file =
                new System.IO.StreamReader("C:\\ip.txt");

            while ((line = file.ReadLine()) != null)
            
                const string x_orig_ip = "Received: from";
                line = line.Trim();
                if (line.StartsWith(x_orig_ip, StringComparison.OrdinalIgnoreCase))
                
                    string sIpAddress = line.Substring(x_orig_ip.Length, line.Length - x_orig_ip.Length).Trim(new char[]  ' ', '\t', '[', ']', '(', ')' );
                    var ipAddress = System.Net.IPAddress.Parse(sIpAddress);
                    Console.WriteLine(ipAddress);
                    counter++;
                
            

            Console.ReadLine();
        
    

所以从下面的标题中，我想通过最后收到的获取 101.123.148.12：来自条目：

Received: from test (subdomain.domain.com [192.168.0.1])
  Mon, 20 Jun 2016 10:46:57 -0400 (EDT)
Received: from test123 ([192.168.0.1])
  by test.test; Mon, 20 Jun 2016 10:46:57 -0400
Received: from test.engine.com (localhost [127.0.0.1])
  by test.testty.com (Postfix) with ESMTP id ABCDEF
  for <cpound@***.com>; Sun, 19 Jun 2016 09:06:35 -0400 (EDT)
Received: from test.message.com (localhost [127.0.0.1])
    by from test.message.com (Authentication) with ESMTP
    Sun, 19 Jun 2016 09:06:35 -0400  
Authentication-Results: 
    spf=none smtp.mailfrom= smtp.helo
Received-SPF: none
    (192.168.0.1: No applicable sender policy available)
Received: from 192.168.0.1 (unknown [192.168.0.1])
  by with SMTP
Received: from unknown (HELO localhost)
  by 101.123.148.12 with ESMTPA; Sun, 19 Jun 2016 10:00:20 -0300
X-Originating-IP: 101.123.148.12
From: test@test.net
To: cpound@***.com
Subject: Test
Date: Sun, 19 Jun 2016 09:56:41 -0300

【问题讨论】：

看看***.com/questions/1669797/… 老问题，不知道上面提到的库是否还在维护。

【参考方案1】：

你可以试试这个正则表达式：

var re = new RegEx(@"Received: (.|\n  )*([^\d](\d1,3\.\d1,3\.\d1,3\.\d1,3))+", RegExOptions.Multiline);
var matches = re.Matches(headers);
if(matches.Count>0)

   var group = matches[matches.Count-1].Groups[3];
   string ip = group.Captures[group.Captures.Count-1].Value;
   // do something with ip...

其中 headers 是保存所有标题的字符串变量（不仅仅是一行）。

它会将 Received 标头中的所有 IP 地址提取到捕获组 3 中。获取最后一个匹配项的最后一个捕获以获得您想要的。

请注意，您通常不会考虑 101.123.148.12，因为没有标头表明消息是从 101.123.148.12 收到的，而是消息是由 收到的，这是完全不同的。