Create a rule for specific spam

POP Peeper: Tech support, suggestions, discussion, etc.
Post Reply
lian
Posts: 115
Joined: Sat Nov 25, 2006 9:00 am

Create a rule for specific spam

Post by lian »

Hello, I try to write a rule to filter common spam coming these days. The content is like

Code: Select all

b0
 <Link: http://bXn9gXp.seXridXom-doXm.site> 
I did not manage to create a rule for the content that works. The common content is the .site at the end of the URL. The title is random word and senders are changing. Thanks for any clue.
Last edited by Jeff on Tue Apr 20, 2021 12:03 pm, edited 1 time in total.
Reason: obfuscated URL
Windows 10 64 bits
User avatar
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: Create a rule for specific spam

Post by Jeff »

I'm not sure if you're asking for a rule to block any website that has ".site" at the end? That could potentially lead to a lot of False Positives.

But let's say you want to create a rule that contains http...-dom.site --
Use: +Processed
Use: RegEx
Set: http\S+-dom\.site
RegEx_DomSite.png
RegEx_DomSite.png (3.16 KiB) Viewed 2205 times
What this does is look for "http" followed by any number of non-white space characters, followed by "-dom.site". Some regex explanations:
\S -- is "non-white space" (ie. the "http" and the "-dom.site" must be grouped together and not in 2 different sections of the text -- this helps improve matching)
+ -- means at least 1 character (ie. any number [1+] of non-white space characters)
\. -- the '.' has special meaning in regex, so you need to escape it with a slash

For the record, I am not a regex expert; there may be better ways to do this and this rule may itself have false positives. I always recommend that you test new rules by doing something non-destructive like applying a user flag and then once you're sure it's only catching the messages that you expect, then you can change the Actions to do what you want (mark as junk, delete, etc.).

[edit] note: you can (and probably should) modify the regex so that it contains the full domain (but no need to include 'bn9gp.'). I didn't include it for the same reason as noted below.


Note: I've inserted 'X's into the URL as I don't want a link from this website to what could potentially be a spam-friendly website.
lian
Posts: 115
Joined: Sat Nov 25, 2006 9:00 am

Re: Create a rule for specific spam

Post by lian »

Thanks a lot for your explanation. I will test this (and try to apply in the future your advice.
Windows 10 64 bits
User avatar
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: Create a rule for specific spam

Post by Jeff »

I should also point out that there are easier ways to set this rule, e.g. instead of using "regex" you could use "wildcard" and then use:
http*-dom.site

This is easier to read/understand, but the significant difference in this vs the regex is that the regex is a little more strict; although, as long as you include the full domain, one or the other is probably fine (and if you use the full domain, using "contains" with the domain.site is probably even sufficient).
lian
Posts: 115
Joined: Sat Nov 25, 2006 9:00 am

Re: Create a rule for specific spam

Post by lian »

Today another spam and it did not been caught.

Code: Select all

tuw
 <Link: http://mXXX19cx.vXXXersist.site> 
(I’ve added the XXX)
Windows 10 64 bits
User avatar
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: Create a rule for specific spam

Post by Jeff »

Ok, so the domain is different every time. If you want to modify the rule I sent to not include the "-dom" then it would catch both these; however, like I said before, it's also more likely to catch legitimate email, too.

http\S+\.site

You might even consider:
http:\S+\.site

adding the colon after http would force "http" and would not hit on https links -- most legitimate companies don't use http anymore, and both your samples used http.
lian
Posts: 115
Joined: Sat Nov 25, 2006 9:00 am

Re: Create a rule for specific spam

Post by lian »

Thanks. I changed the rule. Just wait for next spam to see if it works.
Windows 10 64 bits
Post Reply