Advanced Filtering Rule Examples and Quick Reference

We do not recommend using advanced filtering rules without knowledge of regular expressions (regex). Using these incorrectly can cause undesirable effects on mail flow and false positives. However, the following page details several example regular expressions and their intended uses, which you may find useful when building Advanced Block list Filtering Rules.

We cannot take any responsibility for any incorrectly applied regular expression rules, so please ensure you have thoroughly tested these outside SpamExperts before implementing them into the SpamExperts environment. There are a number of online regex checker tools that can be used for this.

These example regular expression rules have not been created with the intention of being used 'as-is', instead use the operators together to create an expression specific to your needs.

Example Regex's

Location

Name Generic Example
Domain (?i)(\@domain\.ext) (?i)(\@demo-domain\.com)
(?i)(domain\.ext) (?i)(demo-domain\.com)
Domain and IP (?i)(domain\.ext)|(10\.10\.10\.10) (?i)(demo-domain\.com)|(192\.51\.100\.35)
IP 10.10.10.10 198.51.100.23
(?s){10.10.10.10} (?s){198.51.100.17}
IP Wildcard (?i)^10\.10\.10.* (?i)^198\.51\.100.*
IP at the end (?i)^(10\.10\.10\.10)$ (?i)^(198\.51\.100\.5)$
Country country1 China
Country by ISO Code (?i)^(ISO Alpha2 code)$ (?i)^(ru)$
Multiple Countries country\ one|Country2|Country3 Russian\ Federation|Brazil|Ukraine

Words or Phrases

Name Generic Example
Keyword (?i)(word) (?i)(bitcoins)
Multiple words in a string (?i)(word1\ word2\ word3) (?i)(pending\ message\ waiting)
(?i)word1 word2 word3 word4 word5 word6 (?i)Account will be disabled within 48hours
Fake order confirmation (? i) (Posted on Sunday) | (Order confirmed) | (Due to a problem sign activity) | (Summary) (? i) (Posted on Sunday) | (Order confirmed) | (Due to a problem sign activity) | (Summary)
Cold email (Generic) (?msi)(Prefer fewer emails from me\? Click here|If you don\'t want further emails\, please Unsubscribe|If you\'d like me to stop sending you emails\, please click here\<https) (?msi)(Prefer fewer emails from me\? Click here|If you don\'t want further emails\, please Unsubscribe|If you\'d like me to stop sending you emails\, please click here\<https)
Transfer fee - new sales agreement (?i)^(Transfer\ fee\-\ NEW\ SALES\ AGREEMENT)$ (?i)^(Transfer\ fee\-\ NEW\ SALES\ AGREEMENT)$

Person or Email

Name Generic Example
Email address (?i)^(local\@domain\.ext)$ (?i)^(john\@demo-domain\.com)$
(?i)"?firsname\s+secondname"?\s+(?!<local@domain.ext>) (?i)"?John\s+Smith"?\s+(?!<john@demo-domain.invalid>)
Mismatched email address (?i)"?firstname\s+secondname"?\s+(?!<local1@domain1.ext>)(?!<local2@domain2.ext>) (?i)"?John\s+Smith"?\s+(?!<john@demo-domain.invalid>)(?!<johnsmith@different-domain.invalid>)
Person (?i)(prefix\.\firstname\ secondname\) (?i)(Mr\.\ John\ Smith\)
(?i)(firstname\ secondname) (?i)(John\ Smith)
Person with display name ^From:[^\r\n]*(Firstname Surname|Surname, Firstname)[^\r\n]*\b[^\r\n]*@(?!domain1\.ext|domain2\.ext|domain3\.ext\.au\b[^\r\n]*\s) ^From:[^\r\n]*(John Smith|Smith, John)[^\r\n]*\b[^\r\n]*@(?!demo-domain\.com|domain-alias\.com\.au|different-domain\.com\.au\b[^\r\n]*\s)
Blank Reply Receive To Subject\:\ .*\nReply-To\:\ \nReceived\:\ \nTo: Subject\:\ .*\nReply-To\:\ \nReceived\:\ \nTo:
GTLD (Generic top-level-domains) senders (?msi)(?mis)(\.cf$|\.tk$|\.date$|\.world$|\.live$|\.icu$|\.gdn$|\.ooo$|\.pro$|\.vip$ (?msi)(?mis)(\.cf$|\.tk$|\.date$|\.world$|\.live$|\.icu$|\.gdn$|\.ooo$|\.pro$|\.vip$)
Phone number (?i) 123-456789-012 (?i) 769-244260-883
For example, a user called Piff Jenkins, with the email addresses they use p.jenkins@demo-domain.invalid, and piff.jenkins@demo-domain.invalid, and piffjenkins@example-domain.invalid, as well as piff.jenkins@different-domain.invalid, you would need to add a regex rule as below, assuming that the display name for all accounts used was "Piff Jenkins":

(?i)"?piff\s+jenkins"?\s+(?!<p.jenkins@demo-domain.invalid>)(?!<piff.jenkins@demo-domain.invalid>)(?!<piffjenkins@example-domain.invalid>)(?!<piff.jenkins@different-domain.invalid>)

Microsoft Spoofs

Name Generic Example
Microsoft spoof (?i)(Microsoft(\s+\w+)*) <(?!\w+@microsoft.com) (?i)(Microsoft(\s+\w+)*) <(?!\w+@microsoft.com)
Microsoft 365 spoof (?i)(Microsoft 365(\s+\w+)*) <(?!\w+@microsoft.com) (?i)(Microsoft 365(\s+\w+)*) <(?!\w+@microsoft.com)
Microsoft 365 spoof - password (?si)Microsoft[\s-]365.*Your Account Password (?si)Microsoft[\s-]365.*Your Account Password
SharePoint download links https:\/\/\S+\.sharepoint.com\/\:w\:\/g\/personal\/\S+\?e\=\w+\&download\=\d+ https:\/\/\S+\.sharepoint.com\/\:w\:\/g\/personal\/\S+\?e\=\w+\&download\=\d+
OneDrive links https:\/\/onedrive\.live\.com\/\?authkey\= https:\/\/onedrive\.live\.com\/\?authkey\=

Message ID's

Name Generic Example
Message ID and Single name From (?s)Message-ID:\ \<[A-Z0-9]{8}\.[A-Z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \< (?s)Message-ID:\ \<[A-Z0-9]{8}\.[A-Z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \<
(?s)Message-ID:\ \<[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \< (?s)Message-ID:\ \<[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \<
(?s)Message-ID:\ \<[0-9]{10}\.[0-9]{5}\.[0-9]{1,2}\.[0-9]{1,2}\-info@.*From:\ [a-zA-Z]*\ \< (?s)Message-ID:\ \<[0-9]{10}\.[0-9]{5}\.[0-9]{1,2}\.[0-9]{1,2}\-info@.*From:\ [a-zA-Z]*\ \<
Message ID + Blank Reply-to and To (?s)Message-ID:\ \<[A-Za-z0-9]{12}\-[A-Za-z0-9]{15}@.*\nReply-To:\ \nTo: (?s)Message-ID:\ \<[A-Za-z0-9]{12}\-[A-Za-z0-9]{15}@.*\nReply-To:\ \nTo:

Miscellaneous

Name Generic Example
Crypto Currency \s+[13][a-km-zA-HJ-NP-Z1-9]{25,34}(\n| ) \s+[13][a-km-zA-HJ-NP-Z1-9]{25,34}(\n| )
Fake voice message (?i)(Audio\_File\_From\ ) (?i)(Audio\_File\_From\ )
File type (?i)^(.extension)$ (?i)^(.cab)$
Language code \p{ISO Language code} \p{Han}
URL Block (?i)(https\:\/\/example\.com) (?i)(https\:\/\/website-url\.com)
URL suffix (?i).*\.com\.tr$ (?i).*\.co\.za$

Operators Quick Reference