RegEx match IP on Mail-Header Received: - regex

I try to fiddle a RegEx, which returns me only the Sender IP Address:
http://regexr.com?38atl
This is the RegEx I build, but cant complete:
(?<=\bReceived: from .*\[)(?:\d{1,3}\.){3}\d{1,3}
or
(?<=\bReceived: from )(.*\[)(?:\d{1,3}\.){3}\d{1,3}
So it should only match this (on lines beginning with: Received: from)
127.0.0.1
127.0.0.1
21.22.23.24
And this are a example Mail-Headers i'm search in:
To: a#domain.de
Return-Path: <t#domain.de>
X-Original-To: a#domain.de
Delivered-To: c#domain.tld
Received: from localhost (localhost [127.0.0.1])
by mail1.domain.tld (Postfix) with ESMTP id 3fT3TR72zNz8m8
for <a#domain.de>; Tue, 18 Feb 2014 14:54:35 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mail1.domain.tld
X-Spam-Flag: YES
X-Spam-Score: 5.773
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.773 tagged_above=1 required=4.5
tests=[BAYES_05=-0.5, MISSING_MID=0.497, RCVD_IN_PBL=3.335,
RCVD_IN_RP_RNBL=1.31, RDNS_DYNAMIC=0.982, TO_NO_BRKTS_DYNIP=0.139,
T_RCVD_IN_SEMBLACK=0.01] autolearn=no
Received: from mail1.domain.tld ([127.0.0.1])
by localhost (mail1.domain.tld [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id lDJqiZjBn2t4 for <a#domain.de>;
Tue, 18 Feb 2014 14:54:34 +0100 (CET)
Received: from mail.domain.tld (pAAAAAAAA.dip0.t-ipconnect.de [21.22.23.24])
by mail1.domain.tld (Postfix) with SMTP id 3fT3TQ4Nwgz8m5
for <a#domain.de>; Tue, 18 Feb 2014 14:54:34 +0100 (CET)
Date: Tue, 18 Feb 2014 15:02:11 +0100
Sender: "From" <t#domain.de>
From: "From" <t#domain.de>
Subject: Subbbb (192.168.123.123)
Reply-To: t#domain.de
MIME-Version: 1.0
Content-type: text/plain; charset=UTF-8
Message-Id: <3fT3TR72zNz8m8#mail1.domain.tld>

Try this expression:
Received: +from[^\n]*?\[([0-9\.]+)\]
Edit:
For a PHP script try something like this (where $emailHeader contains the data you are searching):
$regex = '/Received: +from[^\\n]*?\\[([0-9\\.]+)\\]/s';
if (preg_match_all($regex, $emailHeader, $matches_out)) {
print_r($matches_out);
} else {
print('Sender IP not found');
}

The <= in the star looks funny, but other than that it seems to be working fine:
(?:\bReceived: from .*\[)((\d{1,3}\.){3}\d{1,3})(?:]\))

I believe what you're looking for is:
(?:\bReceived: from .*?\[)(?<ip>(?:\d{1,3}\.){3}\d{1,3})
the matched IP address will be in capture group named "ip".

Related

AWS APIGateway Integration Response Mapping Templates do not switch correctly based on Content-Type

I am experimenting with an AWS API-Gateway integration with an S3 backend. I have noticed the switch between different mapping-templates in the integration-response does not appear to work.
In integration-response, I have the following mapping templates:
application/json:
{
type: "JSON",
body: "$input.body"
}
text/plain:
PlainText:
$input.body
Nothing I can do appears to be able to make the text/plain mapping template to be used - it always uses application/json.
I would expect that the text/plain mapping template to be used based on one of the following being true:
S3 returns content with Content-Type: text/plain.
The initial request to API-Gateway passes an Accept: text/plain header.
As per the example below, S3 returns a Content-Type: text/plain AND I request with Accept: text/plain. API-Gateway correctly responds with Content-Type: text/plain also.
However the application/json template is still used to transform the body.
I have even removed application/json as a valid response type from the method-response entirely, but still nothing.
Any thoughts why this is happening?
FYI I am using a classic v1 ApiGateway (Rest).
Execution log for request c24cfce3-2cf3-4693-ad72-4fdf44f4fdcd
Wed May 19 17:13:38 UTC 2021 : Starting execution for request: c24cfce3-2cf3-4693-ad72-4fdf44f4fdcd
Wed May 19 17:13:38 UTC 2021 : HTTP Method: GET, Resource Path: /feeds-poc/test.txt
Wed May 19 17:13:38 UTC 2021 : Method request path: {filename=test.txt}
Wed May 19 17:13:38 UTC 2021 : Method request query string: {}
Wed May 19 17:13:38 UTC 2021 : Method request headers: {Accept=text/plain}
Wed May 19 17:13:38 UTC 2021 : Method request body before transformations:
Wed May 19 17:13:38 UTC 2021 : Endpoint request URI: https://my-bucket-id.s3.eu-west-1.amazonaws.com/test.txt
Wed May 19 17:13:38 UTC 2021 : Endpoint request headers: {Authorization=****57173a, X-Amz-Date=20210519T171338Z, x-amzn-apigateway-api-id=123456789a, Accept=application/json, User-Agent=AmazonAPIGateway_123456789a, X-Amz-Security-Token=**** [TRUNCATED]
Wed May 19 17:13:38 UTC 2021 : Endpoint request body after transformations:
Wed May 19 17:13:38 UTC 2021 : Sending request to https://my-bucket-id.s3.eu-west-1.amazonaws.com/test.txt
Wed May 19 17:13:38 UTC 2021 : Received response. Status: 200, Integration latency: 43 ms
Wed May 19 17:13:38 UTC 2021 : Endpoint response headers: {x-amz-id-2=****, x-amz-request-id=****, Date=Wed, 19 May 2021 17:13:39 GMT, Last-Modified=Mon, 17 May 2021 16:45:13 GMT, ETag="420f804aa21220bf0db57bb4b9799c8a", Accept-Ranges=bytes, Content-Type=text/plain, Content-Length=13, Server=AmazonS3}
Wed May 19 17:13:38 UTC 2021 : Endpoint response body before transformations: It's working
Wed May 19 17:13:38 UTC 2021 : Method response body after transformations: {
type: "JSON",
body: "It's working
"
}
Wed May 19 17:13:38 UTC 2021 : Method response headers: {X-Amzn-Trace-Id=Root=****, Content-Type=text/plain}
Wed May 19 17:13:38 UTC 2021 : Successfully completed execution
Wed May 19 17:13:38 UTC 2021 : Method completed with status: 200
AWS Support confirmed to me that the switch is based on the original request Accept header. Testing this using Postman confirms this functionality.
The test tools built into the AWS console for API-Gateway however do not appear to cater for testing response mapping templates - from AWS support: the purpose of API Gateway test console is only to test the Integration, it doesn't work for end-to-end request.

Why isn't booliean expression working

I am using the following regular expression to filter some junk emails
\bNeotube\b | \bNeotubeTV\b
Here is a sample of the junk email header:
Return-path: <uranus#pschic.info>
Envelope-to: coben#jesusmylord.org
Delivery-date: Thu, 25 May 2017 14:18:58 +0200
Received: from [45.59.120.18] (port=30375 helo=pschic.info)
by ok1057.kvchosting.com with esmtp (Exim 4.89)
(envelope-from <uranus#pschic.info>)
id 1dDrj8-0002X1-Se
for coben#jesusmylord.org; Thu, 25 May 2017 14:18:58 +0200
From: "NeotubeTV" <uranus#pschic.info>
Date: Thu, 25 May 2017 06:58:18 -0500
MIME-Version: 1.0
Subject: Free TV shows, Sports and New Movies on your TV In HD?
To: <coben#jesusmylord.org>
Message-ID: `
The above expression does not work. However, if I just use
\bNeotubeTV\b
the email is filtered. Why doesn't the above OR statement work?
Thanks for your help.
Chris
It's because you have spaces around the | which is saying that you want include those spaces in your regex.

shell script: get server info from curl

i need some help getting the server info from a curl call done in a shell script.
In my script, I iterate over several URLs in a list and do a cURL on each URL.
But I struggle getting the server information as it is not in a static position of the result of cURL.
>curl -I -s $temp
where, $temp is some arbitrary URL, e.g. example.org
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Mon, 03 Feb 2014 14:35:39 GMT
Etag: "359670651"
Expires: Mon, 10 Feb 2014 14:35:39 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (iad/19AB)
X-Cache: HIT
x-ec-custom-error: 1
Content-Length: 1270
Above the result for example.org.
Question: how do I extract the part where it says server?
The result should be such that
>echo $server
will yield (so basically the entire rest of the line after the "Server: ")
ECS (iad/19AB)
Thanks a bunch!
Using awk:
server=$(curl -I -s http://example.org | awk -F': ' '$1=="Server"{print $2}')
echo "$server"
ECS (cpm/F858)
OR else you can use grep -oP:
server=$(curl -I -s http://example.org | grep -oP 'Server: \K.+')
echo "$server"
ECS (cpm/F858)

Email header showing, dkim=hardfail (test mode) and dkim=permerror (bad sig)

I am trying to write an email client application by c++ and OpenSSL..
When I am checking and sending email through this application then Gmail and Yahoo both are showing wrong in my email header..
Gmail showing > "dkim=hardfail (test mode) header.i=#".
Yahoo showing > "dkim=permerror (bad sig)".
My Email header for Gamil :
Delivered-To: rajforever6#gmail.com
Received: by 10.112.41.134 with SMTP id f6csp80981lbl;
Tue, 26 Mar 2013 02:25:15 -0700 (PDT)
X-Received: by 10.68.59.199 with SMTP id b7mr22705642pbr.167.1364289914515;
Tue, 26 Mar 2013 02:25:14 -0700 (PDT)
Return-Path: <no_feed#korcot.info>
Received: from smtp.korcot.info ([103.18.168.250])
by mx.google.com with SMTP id ak6si16720576pbd.344.2013.03.26.02.25.08;
Tue, 26 Mar 2013 02:25:14 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning no_feed#korcot.info does not designate 103.18.168.250 as permitted sender) client-ip=103.18.168.250;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning no_feed#korcot.info does not designate 103.18.168.250 as permitted sender) smtp.mail=no_feed#korcot.info;
dkim=hardfail (test mode) header.i=#korcot.info
Date: Tue, 26 Mar 2013 02:25:14 -0700 (PDT)
DKIM-Signature: v=1;
a=rsa-sha256;
s=mail;
d=korcot.info;
t=1364289917;
c=relaxed/relaxed;
h=from:to:subject:message-id:mime-version:content-type;
bh=Q3K/t162lFKWTLs4xBY2FR1vT5pThpI6rnqM7i6p/Vo=;
b=Tgrc2nelY/3HA0M14s4RXFvhonXQzFRtDAD/X/0ITvln6JSWjIxgQSX7WOrfAxb4K
kTXV+Bbw6DKK+2aVi2WrCYdduP5wXJpTVnjaCJQTs2+DtAo3sL1re6tz3uHOpa0PmRS
3qRzfXQqN8QczOv63UjAGO6sL+o5atU3vbRYMxg=
From: "Comfirm"<no_feed#korcot.info>
To: "Kuntal"<rajforever6#gmail.com>
Subject: Key6gg6 ?
Message-ID: <20030712040037.46341.5F8J#football.korcot.info>
MIME-Version: 1.0
Content-Type: text/html
My Email header for Yahoo :
From Comfirm Wed Mar 27 02:26:20 2013
X-Apparently-To: raja_kuntal_majumder#yahoo.com via 106.10.150.84; Tue, 26 Mar 2013 11:26:20 -0700
Return-Path: <no_feed#korcot.info>
Received-SPF: softfail (transitioning domain of korcot.info does not designate 103.18.168.135 as permitted sender)
bm5lciByZWFkeSBJcyBkaW5uZXIgcmVhZHkgSXMgZGlubmVyIHJlYWR5IElz
IGRpbm5lciByZWFkeSBJcyBkaW5uZXIgcmVhZHkgPyBKb2UuIAEwAQEBAQ--
X-YMailISG: v3YQap0WLDt5n8clVc4Zd9ENB5oCUMcfvdmbG1QujbCK18hQ
nhRHHgRhlvqfyO8lOyt.Rwjm8Y1_i35XTte6Pt.JxYeVZXQtQqLe66qLvndr
_RhG.PTZE2AWeRN.tMHi.aAIcS9WfKzOzi9i3tYtSSzZMPBMlBwFu5hBV4qI
v3KO9LCaMGeCe3W4mLsxgbkdddDi_8r8afEb7jAUKVn8i2VyRaJQGELdL5xb
.lNzJ0h_vMs5HseAhRPefe.o9W4A_oMpcairIa9OfDkC3zmZWYbyntXcxNgi
uKtvTwaqyeuUvuyIxrRGlpUy8RFxRaLOlp6s8riVCfLyu1dEE6Bpa9KFlVa0
JtRm0XZ3znl2WBzw1PnHskYZ3X2SHrzz8q7LfmUETa7idziLtkLNqdzZbvJE
nnoc3W3aYmxkgZob25oRD8Q338f9774TfJMjeqTaQLbmMflOW5GqoPYneB0v
hKqmdYUcqeZpVfcRXBVSxzS2_lK7spwOJX_wXKAH5TbiRXORouWvbkw9EHgc
yxqKoTQAqpnc8ibxcfT9cmVQ2KXYXlrl7d0VotpJ.m8I0sMY0mTviVkt6vCI
FJUYScRuGMxjOaYqyURUU5mDM_bxQXRl1WFzEhYBQKsyMOhZVtBBrPyEsCLs
NHASPNKPUS7wuB712WAI3aMqTNV.kNize8nwrm.hj9f9fb2nJwcB.IvuQvKx
Ujd9Pq68B9u80Wd8gtp5rAIy7.B_0x6JHwK14fDWgh1Yr7k1PB8A_daUJh.G
d2f4rgY0CFbg3chmWC7O5AGvODB79.pFfkl8ooZsUpYqdsj5.KX5XLQjsfud
JCsO1870Gtty31aPGvSHRPDGOTJ_lQ6v25BMaCnGS8AtvYbtjW9avY0MHTJw
rnT0_Hzca6oXayZG0CCcvQ6CMd.UnOlIt4pFEWwd9Zlo5BIJ4hd9N99qMbul
mGgNYVRBc0f7DokmkLiHSI29k34ifNyh8Z1qbeKWTRo4FXDBa.vfc9cVWqpp
DVF8FbkpuThc7QJ63cszp98TCdZy2Bq5yOMrqEdK85e141MndRChrWmjUplJ
4e_UWqNmaL17cGPzXuJc3TAD3nsdK9qh1ax.9K.jkRwSm4zgWscqosCPAgOJ
lIOo3L3QScOP9iQ6xOfuzm7dxw44Z3WBHMthoOgw_MGt488EClyDr2PiJT.f
1_BklnxGS2iuYH2TLyY69ESKE0Y4pPGmaboLASqBQkQZ6xaoFM8HDoIB20zK
KrNadXnlkMW.t6RuIcaPX3fOrKzvnKPerZ3NA1kn
X-Originating-IP: [103.18.168.135]
Authentication-Results: mta1360.mail.bf1.yahoo.com from=korcot.info; domainkeys=neutral (no sig); from=korcot.info; dkim=permerror (bad sig)
Received: from 127.0.0.1 (HELO smtp.korcot.info) (103.18.168.135)
by mta1360.mail.bf1.yahoo.com with SMTP; Tue, 26 Mar 2013 11:26:19 -0700
DKIM-Signature: v=1;
a=rsa-sha256;
s=mail;
d=korcot.info;
t=1364322363;
c=relaxed/simple;
h=from:to:subject:mime-version:content-type;
bh=Q3K/t162lFKWTLs4xBY2FR1vT5pThpI6rnqM7i6p/Vo=;
b=THj4wE+EOSKThXGIUPBgcTlWTICIDFikgEvlQVpBotViQTNW+k/dpr58kVZ1HAght
KTdACtbEO2m3A17vxrY1kEQazhwu7pbWIW5TwBfUtIU9SbFBL88AQz2fxxi6BHqEfNh
WYeGG0mEskG9J2JFeNVG0WaaNJ9gTh5t/4nqvVc=
From: "Comfirm" <no_feed#korcot.info>
To: "Kuntal" <raja_kuntal_majumder#yahoo.com>
Subject: Key6gg6 ?
MIME-Version: 1.0
Content-Type: text/html
Content-Length: 287
My TXT records in DNS(godaddy.com) :
# >>>> v=spf1 a mx mx:smtp.korcot.info ip4:103.18.168.250 ~all
mail._domainkey >>>> k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjKsxH3Hb8UrNZ+Aar7GfJ30dcbS19i+89JA8SSlDEhsFfTAR9UZIolxKtD3HgPzhWGfcoLkQg28NS/Y3tT/WTvfXxryDyFRIbKJox6VbVmmvSmATsik1l2YQSkTTpeHX6nzxgzRwDVvmLfZBZBbO3n+y0YNTucOUsfNFYCL/UAwIDAQAB
_domainkey >>>> t=y; o=~;
Really I don't have knowledge why Gmail and Yahoo showing "dkim=hardfail (test mode) header.i=#" and "dkim=permerror (bad sig)", both header should be "dkim=pass (ok)"..
So please give me advice.
Please tell me what should I do to solve this problem..
Thanks...
You didn't mention whether you are using a standard library to calculate the DKIM signature, or have done your own. I strongly recommend OpenDKIM as a good library to use if you aren't already.
Another place to test is to send a message to the mail reflector at sa-test#sendmail.net. It may give you more diagnostic information.
You should check the header fields that are signed (From, To, Subject, Mime-Version, and Content-Type) between what you sent originally and what was received. Some mailers "helpfully" rewrite these header fields, breaking the signature in the process. For example, it could have signed no_feed#smtp.korcot.info and subsequently changed it to no_feed#korcot.info.

Filter SIP Messages from log file

I work with VoIP solutions as a day to day job. I often get SIP messages debugs from devices I manage. Most of the times however, those logs contain more calls than I require to analyze, so it would be great if I could filter them out.
I want a tool that can, if I give it a log file and the Call-Id's I need, filter the log file to include only those SIP messages.
Unfortunately, SIP messages are more than one line, so my experience with grep is not sufficient to get it to work.
I started to program something in Perl for this, but any further than checking if I had the proper amount of parameters I didn't get. Is Perl the best language to go about this? I have included a part of the input here:
Jan 28 11:39:37.525 CET: //1393628/D5CC0586A87B/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.218.16.2:5060;branch=z9hG4bKB22001ED5
From: "Frankeerapparaat Secretariaat" <sip:089653717#10.210.2.49>;tag=E7E0EF64-192F
To: <sip:022046187#10.210.2.49>;tag=25079324~19cc0abf-61d9-407f-a138-96eaffee1467-27521338
Date: Mon, 28 Jan 2013 10:39:32 GMT
Call-ID: D5CCA1AE-686D11E2-A881ED01-8DFA6D70#10.218.16.2
CSeq: 102 INVITE
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
Allow-Events: presence
Supported: replaces
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Session-Expires: 1800;refresher=uas
Require: timer
P-Preferred-Identity: <sip:022046187#10.210.2.49>
Remote-Party-ID: <sip:022046187#10.210.2.49>;party=called;screen=no;privacy=off
Contact: <sip:022046187#10.210.2.49:5060>
Content-Type: application/sdp
Content-Length: 209
v=0
o=CiscoSystemsCCM-SIP 2000 1 IN IP4 10.210.2.49
s=SIP Call
c=IN IP4 10.210.2.1
t=0 0
m=audio 16844 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=ptime:20
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
Jan 28 11:39:37.529 CET: //1393628/D5CC0586A87B/SIP/Msg/ccsipDisplayMsg:
Sent:
ACK sip:022046187#10.210.2.49:5060 SIP/2.0
Via: SIP/2.0/UDP 10.218.16.2:5060;branch=z9hG4bKB2247150A
From: "Frankeerapparaat Secretariaat" <sip:089653717#10.210.2.49>;tag=E7E0EF64-192F
To: <sip:022046187#10.210.2.49>;tag=25079324~19cc0abf-61d9-407f-a138-96eaffee1467-27521338
Date: Mon, 28 Jan 2013 10:39:36 GMT
Call-ID: D5CCA1AE-686D11E2-A881ED01-8DFA6D70#10.218.16.2
Max-Forwards: 70
CSeq: 102 ACK
Authorization: Digest username="Genk_AC_1",realm="infraxnet.be",uri="sip:022046187#10.210.2.49:5060",response="9546733290a96d1470cfe29a7500c488",nonce="5V/Jt8FHd5I8uaoahshiaUud8O6UujJJ",algorithm=MD5
Allow-Events: telephone-event
Content-Length: 0
Jan 28 11:39:37.529 CET: //1393627/D5CC0586A87B/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.8.11:5060;branch=z9hG4bK24ecaaaa6dbd3
From: "Frankeerapparaat Secretariaat" <sip:3717#192.168.8.11>;tag=e206cc93-1791-457a-aaac-1541296cf17c-29093746
To: <sip:022046187#192.168.8.28>;tag=E7E0F8A4-EA3
Date: Mon, 28 Jan 2013 10:39:32 GMT
Call-ID: fedc8f80-10615564-45df0-b08a8c0#192.168.8.11
CSeq: 101 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Remote-Party-ID: <sip:022046187#192.168.8.28>;party=called;screen=no;privacy=off
Contact: <sip:022046187#192.168.8.28:5060>
Supported: replaces
Supported: sdp-anat
Server: Cisco-SIPGateway/IOS-15.3.1.T
Session-Expires: 1800;refresher=uas
Require: timer
Supported: timer
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 247
v=0
o=CiscoSystemsSIP-GW-UserAgent 7276 9141 IN IP4 192.168.8.28
s=SIP Call
c=IN IP4 192.168.8.28
t=0 0
m=audio 30134 RTP/AVP 8 101
c=IN IP4 192.168.8.28
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
The program I envision would take 2 or more arguments: the log file and then any amount of Call-ID's of calls I am interested in. It would then filter out only the relevant messages and print it to stdout.
Note that a single SIP message may include a blank line. The next message starts only when a new timestamp is shown.
Perhaps the following will be helpful:
use strict;
use warnings;
my %callIDs = map { $_ => 1 } splice #ARGV, 1, #ARGV - 1;
my $recordPrinted;
local $/ = '';
while (<>) {
if ( /Call-ID:\s+(.+)/ and $callIDs{$1} ) {
$recordPrinted = 1;
print;
next;
}
print if $recordPrinted and /\brtpmap\b/;
$recordPrinted = 0;
}
Usage: perl scriptName.pl logFile callID [callID]
When you send a script parameters, they end up in #ARGV. The splice takes (and removes) the elements from 1 on to build a hash's keys. The zeroth element is the log file name.
local $/ = ''; sets paragraph mode, i.e., a whole chunk of text separated by blank lines is read at a time. The regex captures the Call-ID and if a key exists for that ID, the line is printed. Also, a flag is set to indicate that a 'record' has been printed, since there may be another 'chunk' to that record.
If a record's been printed and a field is found that occurs in a second part of the record (rtpmap), that chunk is printed.
Try this
if ($subject =~ m/(?im)(Call-ID: (.+))$/) {
$result = $2;
} else {
$result = "";
}