0

I am looking to parse out the last IP address in email headers, utilizing the Received: from header. I am looking to find the last received: from header and identify any IP. My code below doesn't seem to work as there are many special characters in a received from, "{}, etc". I am also running in to issues in that the ip may not be on the same line. Is there a way to easily identify the last sending IP in an email's header, where it may be on a separate line?

This is what I'm working with initially:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Text.RegularExpressions;
using System.Net;
using System.IO;

namespace IP
{
    class Program
    {
        static void Main(string[] args)
        {
            int counter = 0;
            string line;
            System.IO.StreamReader file =
                new System.IO.StreamReader("C:\\ip.txt");

            while ((line = file.ReadLine()) != null)
            {
                const string x_orig_ip = "Received: from";
                line = line.Trim();
                if (line.StartsWith(x_orig_ip, StringComparison.OrdinalIgnoreCase))
                {
                    string sIpAddress = line.Substring(x_orig_ip.Length, line.Length - x_orig_ip.Length).Trim(new char[] { ' ', '\t', '[', ']', '(', ')' });
                    var ipAddress = System.Net.IPAddress.Parse(sIpAddress);
                    Console.WriteLine(ipAddress);
                    counter++;
                }
            }

            Console.ReadLine();
        }
    }
}

So from the headers below, I'd like to get 101.123.148.12 via the last received: from entry:

Received: from test (subdomain.domain.com [192.168.0.1])
  Mon, 20 Jun 2016 10:46:57 -0400 (EDT)
Received: from test123 ([192.168.0.1])
  by test.test; Mon, 20 Jun 2016 10:46:57 -0400
Received: from test.engine.com (localhost [127.0.0.1])
  by test.testty.com (Postfix) with ESMTP id ABCDEF
  for <cpound@stackoverflow.com>; Sun, 19 Jun 2016 09:06:35 -0400 (EDT)
Received: from test.message.com (localhost [127.0.0.1])
    by from test.message.com (Authentication) with ESMTP
    Sun, 19 Jun 2016 09:06:35 -0400  
Authentication-Results: 
    spf=none smtp.mailfrom= smtp.helo
Received-SPF: none
    (192.168.0.1: No applicable sender policy available)
Received: from 192.168.0.1 (unknown [192.168.0.1])
  by with SMTP
Received: from unknown (HELO localhost)
  by 101.123.148.12 with ESMTPA; Sun, 19 Jun 2016 10:00:20 -0300
X-Originating-IP: 101.123.148.12
From: test@test.net
To: cpound@stackoverflow.com
Subject: Test
Date: Sun, 19 Jun 2016 09:56:41 -0300
cpound
  • 85
  • 2
  • 12
  • Have a look at http://stackoverflow.com/questions/1669797/are-there-net-framework-methods-to-parse-an-email-mime Old question, not sure if the mentioned libraries are still maintained. – Eric J. Jun 20 '16 at 22:37

1 Answers1

1

You can try this regex:

var re = new RegEx(@"Received: (.|\n  )*([^\d](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))+", RegExOptions.Multiline);
var matches = re.Matches(headers);
if(matches.Count>0)
{
   var group = matches[matches.Count-1].Groups[3];
   string ip = group.Captures[group.Captures.Count-1].Value;
   // do something with ip...
}

where headers is the string variable holding all the headers (not just a single line).

It will will extract all IP addresses in Received headers into capture group 3. Take the last capture of the last match to get what you want.

Note that you would not normally consider 101.123.148.12 as there is no header indicating that the message was received from 101.123.148.12, rather the message was received by, which is entirely different.

P. Kouvarakis
  • 1,893
  • 12
  • 21