Code: Select all
b0
<Link: http://bXn9gXp.seXridXom-doXm.site> Create a rule for specific spam
Create a rule for specific spam
Hello, I try to write a rule to filter common spam coming these days. The content is like
I did not manage to create a rule for the content that works. The common content is the .site at the end of the URL. The title is random word and senders are changing. Thanks for any clue.
Last edited by Jeff on Tue Apr 20, 2021 12:03 pm, edited 1 time in total.
Reason: obfuscated URL
Reason: obfuscated URL
Windows 10 64 bits
Re: Create a rule for specific spam
I'm not sure if you're asking for a rule to block any website that has ".site" at the end? That could potentially lead to a lot of False Positives.
But let's say you want to create a rule that contains http...-dom.site --
Use: +Processed
Use: RegEx
Set: http\S+-dom\.site
What this does is look for "http" followed by any number of non-white space characters, followed by "-dom.site". Some regex explanations:
\S -- is "non-white space" (ie. the "http" and the "-dom.site" must be grouped together and not in 2 different sections of the text -- this helps improve matching)
+ -- means at least 1 character (ie. any number [1+] of non-white space characters)
\. -- the '.' has special meaning in regex, so you need to escape it with a slash
For the record, I am not a regex expert; there may be better ways to do this and this rule may itself have false positives. I always recommend that you test new rules by doing something non-destructive like applying a user flag and then once you're sure it's only catching the messages that you expect, then you can change the Actions to do what you want (mark as junk, delete, etc.).
[edit] note: you can (and probably should) modify the regex so that it contains the full domain (but no need to include 'bn9gp.'). I didn't include it for the same reason as noted below.
Note: I've inserted 'X's into the URL as I don't want a link from this website to what could potentially be a spam-friendly website.
But let's say you want to create a rule that contains http...-dom.site --
Use: +Processed
Use: RegEx
Set: http\S+-dom\.site
- RegEx_DomSite.png (3.16 KiB) Viewed 4237 times
\S -- is "non-white space" (ie. the "http" and the "-dom.site" must be grouped together and not in 2 different sections of the text -- this helps improve matching)
+ -- means at least 1 character (ie. any number [1+] of non-white space characters)
\. -- the '.' has special meaning in regex, so you need to escape it with a slash
For the record, I am not a regex expert; there may be better ways to do this and this rule may itself have false positives. I always recommend that you test new rules by doing something non-destructive like applying a user flag and then once you're sure it's only catching the messages that you expect, then you can change the Actions to do what you want (mark as junk, delete, etc.).
[edit] note: you can (and probably should) modify the regex so that it contains the full domain (but no need to include 'bn9gp.'). I didn't include it for the same reason as noted below.
Note: I've inserted 'X's into the URL as I don't want a link from this website to what could potentially be a spam-friendly website.
Re: Create a rule for specific spam
Thanks a lot for your explanation. I will test this (and try to apply in the future your advice.
Windows 10 64 bits
Re: Create a rule for specific spam
I should also point out that there are easier ways to set this rule, e.g. instead of using "regex" you could use "wildcard" and then use:
http*-dom.site
This is easier to read/understand, but the significant difference in this vs the regex is that the regex is a little more strict; although, as long as you include the full domain, one or the other is probably fine (and if you use the full domain, using "contains" with the domain.site is probably even sufficient).
http*-dom.site
This is easier to read/understand, but the significant difference in this vs the regex is that the regex is a little more strict; although, as long as you include the full domain, one or the other is probably fine (and if you use the full domain, using "contains" with the domain.site is probably even sufficient).
Re: Create a rule for specific spam
Today another spam and it did not been caught.
(I’ve added the XXX)
Code: Select all
tuw
<Link: http://mXXX19cx.vXXXersist.site> Windows 10 64 bits
Re: Create a rule for specific spam
Ok, so the domain is different every time. If you want to modify the rule I sent to not include the "-dom" then it would catch both these; however, like I said before, it's also more likely to catch legitimate email, too.
http\S+\.site
You might even consider:
http:\S+\.site
adding the colon after http would force "http" and would not hit on https links -- most legitimate companies don't use http anymore, and both your samples used http.
http\S+\.site
You might even consider:
http:\S+\.site
adding the colon after http would force "http" and would not hit on https links -- most legitimate companies don't use http anymore, and both your samples used http.
Re: Create a rule for specific spam
Thanks. I changed the rule. Just wait for next spam to see if it works.
Windows 10 64 bits