Advanced Filtering Rule Examples and Quick Reference
We do not recommend using advanced filtering rules without knowledge of regular expressions (regex). Using these incorrectly can cause undesirable effects on mail flow and false positives. However, the following page details several example regular expressions and their intended uses, which you may find useful when building Advanced Block list Filtering Rules.
We cannot take any responsibility for any incorrectly applied regular expression rules, so please ensure you have thoroughly tested these outside Spam Experts before implementing them into the Spam Experts environment. There are a number of online regex checker tools that can be used for this.
These example regular expression rules have not been created with the intention of being used 'as-is', instead use the operators together to create an expression specific to your needs.
Example Regex's
Location
| Domain |
(?i)(\@domain\.ext)
|
(?i)(\@demo-domain\.com)
|
| (?i)(domain\.ext) |
(?i)(demo-domain\.com) |
| Domain and IP |
(?i)(domain\.ext)|(10\.10\.10\.10)
|
(?i)(demo-domain\.com)|(192\.51\.100\.35)
|
| IP |
10.10.10.10 |
198.51.100.23
|
| (?s){10.10.10.10}
|
(?s){198.51.100.17}
|
| IP Wildcard |
(?i)^10\.10\.10.*
|
(?i)^198\.51\.100.*
|
| IP at the end |
(?i)^(10\.10\.10\.10)$
|
(?i)^(198\.51\.100\.5)$
|
| Country |
country1
|
China
|
| Country by ISO Code |
(?i)^(ISO Alpha2 code)$
|
(?i)^(ru)$
|
| Multiple Countries |
country\ one|Country2|Country3
|
Russian\ Federation|Brazil|Ukraine
|
Words or Phrases
| Keyword |
(?i)(word) |
(?i)(bitcoins) |
| Multiple words in a string |
(?i)(word1\ word2\ word3) |
(?i)(pending\ message\ waiting) |
| (?i)word1 word2 word3 word4 word5 word6 |
(?i)Account will be disabled within 48hours |
|
Fake order confirmation |
(? i) (Posted on Sunday) | (Order confirmed) | (Due to a problem sign activity) | (Summary) |
(? i) (Posted on Sunday) | (Order confirmed) | (Due to a problem sign activity) | (Summary) |
|
Cold email (Generic)
|
(?msi)(Prefer fewer emails from me\? Click here|If you don\'t want further emails\, please Unsubscribe|If you\'d like me to stop sending you emails\, please click here\<https) |
(?msi)(Prefer fewer emails from me\? Click here|If you don\'t want further emails\, please Unsubscribe|If you\'d like me to stop sending you emails\, please click here\<https) |
| Transfer fee - new sales agreement |
(?i)^(Transfer\ fee\-\ NEW\ SALES\ AGREEMENT)$ |
(?i)^(Transfer\ fee\-\ NEW\ SALES\ AGREEMENT)$ |
Person or Email
| Email address
|
(?i)^(local\@domain\.ext)$ |
(?i)^(john\@demo-domain\.com)$ |
| (?i)"?firsname\s+secondname"?\s+(?!<local@domain.ext>) |
(?i)"?John\s+Smith"?\s+(?!<john@demo-domain.invalid>) |
|
Mismatched email address |
(?i)"?firstname\s+secondname"?\s+(?!<local1@domain1.ext>)(?!<local2@domain2.ext>) |
(?i)"?John\s+Smith"?\s+(?!<john@demo-domain.invalid>)(?!<johnsmith@different-domain.invalid>) |
|
Person |
(?i)(prefix\.\firstname\ secondname\) |
(?i)(Mr\.\ John\ Smith\) |
| (?i)(firstname\ secondname) |
(?i)(John\ Smith) |
|
Person with display name |
^From:[^\r\n]*(Firstname Surname|Surname, Firstname)[^\r\n]*\b[^\r\n]*@(?!domain1\.ext|domain2\.ext|domain3\.ext\.au\b[^\r\n]*\s) |
^From:[^\r\n]*(John Smith|Smith, John)[^\r\n]*\b[^\r\n]*@(?!demo-domain\.com|domain-alias\.com\.au|different-domain\.com\.au\b[^\r\n]*\s) |
| Blank Reply Receive To |
Subject\:\ .*\nReply-To\:\ \nReceived\:\ \nTo: |
Subject\:\ .*\nReply-To\:\ \nReceived\:\ \nTo: |
|
GTLD (Generic top-level-domains) senders |
(?msi)(?mis)(\.cf$|\.tk$|\.date$|\.world$|\.live$|\.icu$|\.gdn$|\.ooo$|\.pro$|\.vip$
|
(?msi)(?mis)(\.cf$|\.tk$|\.date$|\.world$|\.live$|\.icu$|\.gdn$|\.ooo$|\.pro$|\.vip$) |
|
Phone number |
(?i) 123-456789-012 |
(?i) 769-244260-883 |
For example, a user called Piff Jenkins, with the email addresses they use p.jenkins@demo-domain.invalid, and piff.jenkins@demo-domain.invalid, and piffjenkins@example-domain.invalid, as well as piff.jenkins@different-domain.invalid, you would need to add a regex rule as below, assuming that the display name for all accounts used was "Piff Jenkins":
(?i)"?piff\s+jenkins"?\s+(?!<p.jenkins@demo-domain.invalid>)(?!<piff.jenkins@demo-domain.invalid>)(?!<piffjenkins@example-domain.invalid>)(?!<piff.jenkins@different-domain.invalid>)
Microsoft Spoofs
| Microsoft spoof |
(?i)(Microsoft(\s+\w+)*) <(?!\w+@microsoft.com) |
(?i)(Microsoft(\s+\w+)*) <(?!\w+@microsoft.com) |
| Microsoft 365 spoof |
(?i)(Microsoft 365(\s+\w+)*) <(?!\w+@microsoft.com) |
(?i)(Microsoft 365(\s+\w+)*) <(?!\w+@microsoft.com) |
| Microsoft 365 spoof - password |
(?si)Microsoft[\s-]365.*Your Account Password |
(?si)Microsoft[\s-]365.*Your Account Password |
|
SharePoint download links
|
https:\/\/\S+\.sharepoint.com\/\:w\:\/g\/personal\/\S+\?e\=\w+\&download\=\d+ |
https:\/\/\S+\.sharepoint.com\/\:w\:\/g\/personal\/\S+\?e\=\w+\&download\=\d+ |
|
OneDrive links |
https:\/\/onedrive\.live\.com\/\?authkey\= |
https:\/\/onedrive\.live\.com\/\?authkey\= |
Message ID's
| Message ID and Single name From
|
(?s)Message-ID:\ \<[A-Z0-9]{8}\.[A-Z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \< |
(?s)Message-ID:\ \<[A-Z0-9]{8}\.[A-Z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \< |
| (?s)Message-ID:\ \<[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \< |
(?s)Message-ID:\ \<[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \< |
| (?s)Message-ID:\ \<[0-9]{10}\.[0-9]{5}\.[0-9]{1,2}\.[0-9]{1,2}\-info@.*From:\ [a-zA-Z]*\ \< |
(?s)Message-ID:\ \<[0-9]{10}\.[0-9]{5}\.[0-9]{1,2}\.[0-9]{1,2}\-info@.*From:\ [a-zA-Z]*\ \< |
|
Message ID + Blank Reply-to and To
|
(?s)Message-ID:\ \<[A-Za-z0-9]{12}\-[A-Za-z0-9]{15}@.*\nReply-To:\ \nTo: |
(?s)Message-ID:\ \<[A-Za-z0-9]{12}\-[A-Za-z0-9]{15}@.*\nReply-To:\ \nTo: |
Miscellaneous
| Crypto Currency |
\s+[13][a-km-zA-HJ-NP-Z1-9]{25,34}(\n| ) |
\s+[13][a-km-zA-HJ-NP-Z1-9]{25,34}(\n| ) |
|
Fake voice message |
(?i)(Audio\_File\_From\ ) |
(?i)(Audio\_File\_From\ ) |
|
File type |
(?i)^(.extension)$ |
(?i)^(.cab)$ |
|
Language code |
\p{ISO Language code} |
\p{Han} |
| URL Block
|
(?i)(https\:\/\/example\.com) |
(?i)(https\:\/\/website-url\.com) |
| URL suffix |
(?i).*\.com\.tr$ |
(?i).*\.co\.za$ |
Operators Quick Reference
Operator cheat-sheet
| Newline |
\n |
|
Non-word boundary |
\B |
| Carriage return |
\r |
|
Global |
g |
| Tab |
\t |
|
Multiline |
m |
| Null character |
\0 |
|
Case insensitive |
i |
| A single character of: a, b or c |
[abc] |
|
Ignore whitespace |
x |
| A character except: a, b or c |
[^abc] |
|
Single line |
s |
| A character in the range: a-z |
[a-z] |
|
Enable unicode support |
u |
| A character not in the range: a-z |
[^a-z] |
|
Restrict matches to ASCII only |
a |
| A character in the range: a-z or A-Z |
[a-zA-Z] |
|
Complete match contents |
\g<0> |
| Any single character |
. |
|
Complete match contents |
\0 |
| Any whitespace character |
\s |
|
Contents in capture group 1 |
\1 |
| Any non-whitespace character |
\S |
|
Contents in capture group 1 |
$1 |
| Any digit |
\d |
|
Contents in capture group `foo` |
${foo} |
| Any non-digit |
\D |
|
Hexadecimal replacement values |
\x20 |
| Any word character |
\w |
|
Hexadecimal replacement values |
\x{06fa} |
| Any non-word character |
\W |
|
Tab |
\t |
| Vertical whitespace character |
\v |
|
Carriage return |
\r |
| Match nth subpattern |
\n |
|
Newline |
\n |
| Hex character YY |
\xYY |
|
Form-feed |
\f |
| Octal character ddd |
\ddd |
|
Uppercase Transformation |
\U |
| Backspace character |
[\b] |
|
Lowercase Transformation |
\L |
| Makes any character literal |
\ |
|
Terminate any Transformation |
\E |
| Capture everything enclosed |
(...) |
|
A single character of: a, b or c |
[abc] |
| Match either a or b |
(a|b) |
|
A character except: a, b or c |
[^abc] |
| Match everything enclosed |
(?:...) |
|
A character in the range: a-z |
[a-z] |
| Comment |
(?#...) |
|
A character not in the range: a-z |
[^a-z] |
| Named Capturing Group |
(?P<name>...) |
|
A character in the range: a-z or A-Z |
[a-zA-Z] |
| Inline modifiers |
(?imsxXU) |
|
Any single character |
. |
| Conditional statement |
(?(1)yes|no) |
|
Any whitespace character |
\s |
| Match subpattern `name` |
(?P=name) |
|
Any non-whitespace character |
\S |
| Positive Lookahead |
(?=...) |
|
Any digit |
\d |
| Negative Lookahead |
(?!...) |
|
Any non-digit |
\D |
| Positive Lookbehind |
(?<=...) |
|
Any word character |
\w |
| Negative Lookbehind |
(?<!...) |
|
Any non-word character |
\W |
| Zero or one of a |
a? |
|
Capture everything enclosed |
(...) |
| Zero or more of a |
a* |
|
Match either a or b |
(a|b) |
| One or more of a |
a+ |
|
Zero or one of a |
a? |
| Exactly 3 of a |
a{3} |
|
Zero or more of a |
a* |
| 3 or more of a |
a{3,} |
|
One or more of a |
a+ |
| Between 3 and 6 of a |
a{3,6} |
|
Exactly 3 of a |
a{3} |
| Greedy quantifier |
a* |
|
3 or more of a |
a{3,} |
| Lazy quantifier |
a*? |
|
Between 3 and 6 of a |
a{3,6} |
| Start of string |
^ |
|
Start of string |
^ |
| End of string |
$ |
|
End of string |
$ |
| Start of string |
\A |
|
A word boundary |
\b |
| End of string |
\Z |
|
Non-word boundary |
\B |
| A word boundary |
\b |
|
|
|
