Tordex Community

Full Version: Mail Monitor: regular expressions - Queries / Submissions
Hi all. :)

I thought I'd start a thread where queries about the use of regular expressions in the creation of filter rules could be posted.
It could also be used to share cool regular expression rules that are found to work well with spam. ;)
Submitted regular expression.

If the subject contains regular expression:
This will flag all the annoying spam that has a subject containing 2 or more consecutive spaces, like:
"Hello stranger    r673atvu"
"Goods news  
Submitted regular expression.

Sometimes, spammers replace the letter "i" by the number "1", especially in words spam-killers would easily catch.
In such cases, you can use a regular expression similar to the following one. ;)

Subject contains regular expression:
This will flag "viagra" as well as "v1agra". :)
Submitted regular expression.

This one is similar to the previous regular expression, but will catch even more spam. :)

Subject contains regular expression:
This will flag "viagra", "v1agra", "v|agra", "v;agra", "v:agra", "vagra", etc etc.
Basically, anything containing the word "viagra" where the "i" might have been replaced by any printable character or simply removed. ;)
Submitted regular expression.

Very useful, this regular expression will flag emails that do not have at least one two-letter word in their subject. :)

Subject does not contain regular expression:
This will flag "a", "c2", "d f", etc etc.
I tested the expression v[[:print:]]?agra and s[[:print:]]?xual and both work very well.

I don't have any experience in programming so if you have others then please post them.

Thank you for making these.
"Thank you for making these."

You're welcome. :)

I don't have much experience with regular expressions either, which is why I thought it could be useful to share my victories in the war against spam. ;)

I only wish more TLB/Mail Monitor users would participate in the forums.
It would give it more of a community feel. ???
Submitted regular expression.

Today I have received an email where the spammer used another trick, using a space to replace a character:
"V agra"
I had to change the regular expression I previously submitted.

Subject contains regular expression:
This will flag "v agra", "vi agra", "viagra", "v1agra", "v|agra", "v;agra", "v:agra", "vagra", etc etc.
Submitted regular expression.

This is a condition that mixes regular expressions with "standard" text comparison.
I find it very useful to flag spam that has a string of recipients (it could be in the "To" or "Cc" field), sharing the same ISP in their email address.
Ex: "To:;;;...".

"To" (or Cc) contains (my address):
And "To" contains regular expression:
Basically, it says, if the "To" contains my address, and also contains another "" address where the last letter before the "@" is not "s" (the last letter in my name), flag the message.

This can be applied to the "Cc", but also to both the "To" and "Cc" (unless you use a very common address, in which case this could be a genuine email, also sent to a friend with the same ISP).

"To" contains (my address):
And "Cc" contains regular expression:

"To" contains regular expression:
And "Cc" contains (my address):
Useful Condition

Not a regular expression, but very simple and useful.
If the "To" contains none of your addresses and the "Cc" is not present, flag it.

"To" does not contain:
And "To" does not contain:
And "To" does not contain:
And "Cc" is not present.

When using conditions like this one, I normally flag it as a "Deletion Test", until I am happy it will not flag genuine messages (I then choose to have the flagged messages automatically deleted).
If it does, I simply tweak the condition.
But it could safely be flagged as spam. ;)
Submitted regular expression.

Sometimes, it looks like the subject of spam messages has been randomly created, i.e. "wtsyuw", "ptrvwik", etc etc.
It is fairly tricky to catch them all just using the subject field, but here is a simple condition to flag the ones that do not contain a vowel ("kndwvw", "zxtcx",...)

If the subject does not contain regular expression:
If the subject doesn't contain at least one "a", "e", "i", "o", "u", or "y", it will be flagged. ;)
To == Yuri <yuri@our-domain> — live people address me by first name AND last name, or by e-mail address ONLY.

To == "Yuri" <yuri@our-domain> — ditto.

From =~ [[:digit:]]+@((aol)|(hotmail))\.com — this is for those "Make your own DVDs".

To contains @www.our-domain — live people write to @our-domain, even though www.our-domain and our-domain both resolve to the same IP address.

X-Authentication-Warning contains "claimed to be our-domain" — “A stranger came and told me that he is myself but he really looked like someone else. And handed me a bunch of letters.” Let’s drop them on the floor. We don’t talk to ourselves.
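
An added example, not part of any post in this thread: a small shell harness that runs the two patterns quoted above (`v[[:print:]]?agra` and the `From` pattern) against constructed sample subjects and addresses, so a rule can be checked for misses and false positives before it is set to delete mail. The double-space and no-vowel patterns are stand-ins written for this example, since the thread's own expressions for those rules are not shown, and `grep -E` POSIX matching is assumed, which may differ from Mail Monitor's regex engine.

```shell
#!/bin/sh
# Added example: test filter patterns with grep -E before trusting them.
LC_ALL=C; export LC_ALL

# matches PATTERN TEXT [GREP_FLAG] -> exit 0 if TEXT matches the ERE
matches() {
    printf '%s\n' "$2" | grep -E -q $3 -e "$1"
}

# subject_rules SUBJECT -> prints the names of the rules that fire
subject_rules() {
    hits=""
    # Pattern quoted in the thread; -i is added here so "V agra" is caught too.
    if matches 'v[[:print:]]?agra' "$1" -i; then hits="$hits obfuscated"; fi
    # Assumed stand-in for the "2 or more consecutive spaces" rule.
    if matches ' {2,}' "$1"; then hits="$hits double-space"; fi
    # Assumed stand-in for the "does not contain a vowel" rule (negated match).
    if ! matches '[aeiouy]' "$1" -i; then hits="$hits no-vowel"; fi
    echo "${hits# }"
}

# from_rule ADDRESS -> exit 0 if the From pattern quoted in the thread matches
from_rule() {
    matches '[[:digit:]]+@((aol)|(hotmail))\.com' "$1"
}

# Constructed sample subjects: spam examples from the thread plus legitimate mail.
for s in 'Hello stranger    r673atvu' 'v|agra' 'V agra' 'vi agra' \
         'kndwvw' 'RSVP' 'Meeting at 3pm'; do
    printf '%-28s -> [%s]\n' "$s" "$(subject_rules "$s")"
done

# Constructed sample sender addresses.
for a in '12345@aol.com' 'john1975@hotmail.com' 'john@aol.com'; do
    if from_rule "$a"; then r=match; else r=no-match; fi
    printf '%-28s -> %s\n' "$a" "$r"
done
```

The run shows two things worth knowing before switching a rule from "Deletion Test" to automatic deletion: the no-vowel rule also fires on a short legitimate subject such as "RSVP", and the `From` pattern is unanchored, so it matches any address whose local part merely ends in a digit.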