postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: search message body

Re: search message body

From: Victor Duchovni <Victor.Duchovni_at_nospam>
Date: Tue Oct 12 2010 - 14:40:36 GMT
To: postfix-users@postfix.org

On Tue, Oct 12, 2010 at 09:47:44AM +0200, Tom Kinghorn wrote:

> Morning list.
>
> Apologies for the post.
>
> I have alot of queued mail and would like to know if it is possible to
> serach for a string in the body of mails which are queued?
>
> i.e, i would like to find the message-id's of all queued mail with
>
> "reply if we can work together"

If the message content is not base64 encoded, and this string is not
split across multiple message body lines, a simple "egrep -l" should
work.

Otherwise, you need to search for either the head or tail of this string,
(at least half is likely to be on a whole line). To find it in base64
encoded text, and assuming you have the text "case" (uppper/lower)
exactly right:

    $ echo "reply if we can work together" | openssl base64
    cmVwbHkgaWYgd2UgY2FuIHdvcmsgdG9nZXRoZXIK

    $ echo " reply if we can work together" | openssl base64
    IHJlcGx5IGlmIHdlIGNhbiB3b3JrIHRvZ2V0aGVyCg==

    $ echo " reply if we can work together" | openssl base64
    ICByZXBseSBpZiB3ZSBjYW4gd29yayB0b2dldGhlcgo=

then search for any of:

    cmVwbHkgaWYgd2UgY2
    FuIHdvcmsgdG9nZXRo
    cGx5IGlmIHdlIGNhbi
    B3b3JrIHRvZ2V0aGVy
    ZXBseSBpZiB3ZSBjYW
    4gd29yayB0b2dldGhl

via

    # egrep -l 'cmVwbHkgaWYgd2UgY2|FuIHdvcmsgdG9nZXRo|cGx5IGlmIHdlIGNhbi|B3b3JrIHRvZ2V0aGVy|ZXBseSBpZiB3ZSBjYW|4gd29yayB0b2dldGhl' queue-files

There may be some false positives and false negatives. More reliable
results require a full MIME parser, HTML decoder, ...

-- Viktor.