
Create a rule for specific spam

Posted: Tue Apr 20, 2021 4:40 am
by lian
Hello, I am trying to write a rule to filter a common spam that has been coming in these days. The content is like:

b0
 <Link: http://bXn9gXp.seXridXom-doXm.site> 
I did not manage to create a rule for the content that works. The common content is the .site at the end of the URL. The title is a random word and the senders keep changing. Thanks for any clue.

Re: Create a rule for specific spam

Posted: Tue Apr 20, 2021 12:24 pm
by Jeff
I'm not sure if you're asking for a rule to block any website that has ".site" at the end? That could potentially lead to a lot of False Positives.

But let's say you want to create a rule that contains http...-dom.site --
Use: +Processed
Use: RegEx
Set: http\S+-dom\.site
What this does is look for "http" followed by any number of non-white space characters, followed by "-dom.site". Some regex explanations:
\S -- is "non-white space" (ie. the "http" and the "-dom.site" must be grouped together and not in 2 different sections of the text -- this helps improve matching)
+ -- means at least 1 character (ie. any number [1+] of non-white space characters)
\. -- the '.' has special meaning in regex, so you need to escape it with a slash

For the record, I am not a regex expert; there may be better ways to do this and this rule may itself have false positives. I always recommend that you test new rules by doing something non-destructive like applying a user flag and then once you're sure it's only catching the messages that you expect, then you can change the Actions to do what you want (mark as junk, delete, etc.).

[edit] note: you can (and probably should) modify the regex so that it contains the full domain (but no need to include 'bn9gp.'). I didn't include it for the same reason as noted below.


Note: I've inserted 'X's into the URL as I don't want a link from this website to what could potentially be a spam-friendly website.

Re: Create a rule for specific spam

Posted: Tue Apr 20, 2021 12:29 pm
by lian
Thanks a lot for your explanation. I will test this (and try to apply your advice in the future).

Re: Create a rule for specific spam

Posted: Tue Apr 20, 2021 12:39 pm
by Jeff
I should also point out that there are easier ways to set this rule, e.g. instead of using "regex" you could use "wildcard" and then use:
http*-dom.site

This is easier to read/understand, but the significant difference in this vs the regex is that the regex is a little more strict; although, as long as you include the full domain, one or the other is probably fine (and if you use the full domain, using "contains" with the domain.site is probably even sufficient).

Re: Create a rule for specific spam

Posted: Wed Apr 21, 2021 6:16 am
by lian
Today another spam came and it was not caught.

tuw
 <Link: http://mXXX19cx.vXXXersist.site> 
(I’ve added the XXX)

Re: Create a rule for specific spam

Posted: Wed Apr 21, 2021 6:00 pm
by Jeff
Ok, so the domain is different every time. If you want to modify the rule I sent to not include the "-dom" then it would catch both these; however, like I said before, it's also more likely to catch legitimate email, too.

http\S+\.site

You might even consider:
http:\S+\.site

adding the colon after http would force "http" and would not hit on https links -- most legitimate companies don't use http anymore, and both your samples used http.
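
A non-destructive way to compare the patterns from this thread on sample text before attaching any action to them, as an added example that is not part of the original posts. It assumes Python's `re` behaves like the mail client's regex engine for these simple patterns; the sample lines are constructed, and the `host_tld` pattern is a hypothetical tightening, not one proposed in the thread.

```python
import re

# First three patterns are quoted from the thread; "host_tld" is a hypothetical
# tightening added here: plain http only, and ".site" must end the host name.
PATTERNS = {
    "dom_only": r"http\S+-dom\.site",
    "any_site": r"http\S+\.site",
    "http_only": r"http:\S+\.site",
    "host_tld": r"http://[^\s/?#>]+\.site(?=[/:?#\s>]|$)",
}

# Constructed sample lines (text, is_spam). The spam lines only imitate the
# shape of the masked links in the posts; all domains are placeholders.
SAMPLES = [
    ("<Link: http://abc123.example-dom.site>", True),
    ("<Link: http://xyz789.examplepersist.site>", True),
    ("See https://shop.example.site/orders for details", False),
    ("Sitemap: https://www.example.org/my.sitemap.xml", False),
    ("Docs: http://intranet.example.com/wiki/new.site-plan.html", False),
]


def evaluate(pattern, samples=SAMPLES):
    """Return (missed_spam, false_positives) for one pattern."""
    rx = re.compile(pattern)
    missed = [text for text, spam in samples if spam and not rx.search(text)]
    false_pos = [text for text, spam in samples if not spam and rx.search(text)]
    return missed, false_pos


def report():
    """Map each pattern name to (number missed, number of false positives)."""
    return {name: tuple(len(x) for x in evaluate(p)) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, (missed, fps) in report().items():
        print(f"{name:10} missed={missed} false_positives={fps}")
```

On these samples the unanchored patterns also hit ".site" inside a URL path (the sitemap and wiki links), which is the false-positive risk discussed above; `host_tld` ignores https links by design, following the http-only idea.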

Re: Create a rule for specific spam

Posted: Thu Apr 22, 2021 4:24 am
by lian
Thanks. I changed the rule. I'll just wait for the next spam to see if it works.