Advanced Filtering Rule Examples and Quick Reference

We do not recommend using advanced filtering rules without knowledge of regular expressions (regex), as using them incorrectly can cause undesirable effects on mail flow and false positives. However, this page details several example regular expressions and their intended uses, which you may find useful when building Advanced Blacklist Filtering Rules.

We cannot take any responsibility for incorrectly applied regular expression rules, so please ensure you have thoroughly tested these outside Mail Assure before implementing them in the Mail Assure environment. A number of online regex checker tools can be used for this.

These example regular expression rules have not been created with the intention of being used 'as-is'; instead, use the operators together to create an expression specific to your needs.
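One way to do the offline testing recommended above is to run each candidate rule against strings it must match and strings it must not match. The following is an added example, not part of Mail Assure or its documentation. It assumes Python's `re` dialect, which may differ from the engine Mail Assure uses (for instance, Python's `re` does not support `\p{...}` classes); the sample addresses and the names `check_rule` and `run_cases` are constructed for illustration.

```python
import re

def check_rule(pattern, should_match, should_not_match):
    """Return the problems found for one candidate rule; an empty list means it passed."""
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return [f"does not compile: {exc}"]
    problems = [f"missed: {s}" for s in should_match if not rx.search(s)]
    problems += [f"false positive: {s}" for s in should_not_match if rx.search(s)]
    return problems

# Constructed samples: (rule, pattern, must match, must not match).
CASES = [
    # The unescaped final dot lets the listed pattern match a neighbouring range too.
    ("IP Wildcard, as listed", r"(?i)^10\.10\.10.*",
     ["10.10.10.7"], ["10.10.100.7"]),
    ("IP Wildcard, last dot escaped", r"(?i)^10\.10\.10\..*",
     ["10.10.10.7"], ["10.10.100.7"]),
    # \w+ does not cover a dot in the local part, so a genuine
    # first.last@microsoft.com sender is flagged as a spoof.
    ("Microsoft spoof, as listed", r"(?i)(Microsoft(\s+\w+)*) <(?!\w+@microsoft.com)",
     ["Microsoft Account Team <alerts@example.net>"],
     ["Microsoft Support <support@microsoft.com>",
      "Microsoft Billing <first.last@microsoft.com>"]),
    # An escaped closing parenthesis leaves the group open: a syntax error.
    ("Escaped closing parenthesis (constructed)", r"(?i)(Jane\ Doe\)",
     ["Jane Doe"], []),
]

def run_cases(cases=CASES):
    """Map each rule name to its list of problems."""
    return {name: check_rule(p, yes, no) for name, p, yes, no in cases}

if __name__ == "__main__":
    for name, problems in run_cases().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Every rule that reports a false positive here would block legitimate mail if deployed unchanged, so extend the must-not-match lists with real sender formats from your own mail flow before relying on a rule.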

Example Regexes

Location

Name: Domain
Generic: (?i)(\@domain\.com)
Example: (?i)(\@consultant\.com)
Generic: (?i)(domain\.com)
Example: (?i)(consultant\.com)

Name: Domain and IP
Generic: (?i)(domain\.com)|(10\.10\.10\.10)
Example: (?i)(stars\.bz)|(49\.798\.33\.58)

Name: IP
Generic: 10.10.10.10
Example: 162.241.210.220
Generic: (?s){10.10.10.10}
Example: (?s){89.38.148.54}

Name: IP Wildcard
Generic: (?i)^10\.10\.10.*
Example: (?i)^185\.247\.119.*

Name: IP at the end
Generic: (?i)^(10\.10\.10\.10)$
Example: (?i)^(200\.118\.219\.181)$

Name: Country
Generic: country1
Example: China

Name: Country by ISO Code
Generic: (?i)^(ISO Alpha2 code)$
Example: (?i)^(ru)$

Name: Multiple Countries
Generic: country\ one|Country2|Country3
Example: Russian\ Federation|Brazil|Ukraine

Words or Phrases

Name: Keyword
Generic: (?i)(word)
Example: (?i)(bitcoins)

Name: Multiple words in a string
Generic: (?i)(word1\ word2\ word3)
Example: (?i)(pending\ message\ waiting)
Generic: (?i)word1 word2 word3 word4 word5 word6
Example: (?i)Account will be disabled within 48hours

Name: Fake order confirmation
Generic and Example: (?i)(Posted on Sunday)|(Order confirmed)|(Due to a problem sign activity)|(Summary)

Name: Cold email
Generic and Example: (?msi)\/api\/mailings\.unsubscribe\/PMR|if you\'d like me to stop sending you emails\, please\<a href|trackmyemails\.org\/remove\/|track\.smtptogo\.com\/us

Name: Cold email (Gmass.co)
Generic and Example: (?msi)ec2-52-26-194-35.us-west-2.compute.amazonaws.com

Name: Cold email (Generic)
Generic and Example: (?msi)(Prefer fewer emails from me\? Click here|If you don\'t want further emails\, please Unsubscribe|If you\'d like me to stop sending you emails\, please click here\<https)

Name: Unsubscribe
Generic and Example: (?msi)List\-Unsubscribe\: \<http?\:\/\/\S+\/unsubscribe\.php\?M=\d+\&C\=\w+\&L\=\d+\&N\=\d+\>

Name: Transfer fee - new sales agreement
Generic and Example: (?i)^(Transfer\ fee\-\ NEW\ SALES\ AGREEMENT)$

Person or Email

Name: Email address
Generic: (?i)^(local\@domain\.com)$
Example: (?i)^(john\@blah\.com)$
Generic: (?i)"?firstname\s+secondname"?\s+(?!<local@domain.com>)
Example: (?i)"?John\s+Smith"?\s+(?!<john@blah.com>)

Name: Mismatched email address
Generic: (?i)"?firstname\s+secondname"?\s+(?!<local1@domain1.com>)(?!<local2@domain2.co.uk>)
Example: (?i)"?John\s+Smith"?\s+(?!<john@blah.com>)(?!<johnsmith@nothing.co.uk>)

Name: Person
Generic: (?i)(prefix\.\ firstname\ secondname)
Example: (?i)(Mr\.\ John\ Smith)
Generic: (?i)(firstname\ secondname)
Example: (?i)(John\ Smith)

Name: Person with display name
Generic: ^From:[^\r\n]*(Firstname Surname|Surname, Firstname)[^\r\n]*\b[^\r\n]*@(?!domain1\.com|domain2\.com|domain3\.com\.au\b[^\r\n]*\s)
Example: ^From:[^\r\n]*(John Smith|Smith, John)[^\r\n]*\b[^\r\n]*@(?!blah\.com|nothing\.com\.au|blah\.com\.au\b[^\r\n]*\s)

Name: Blank Reply Receive To
Generic and Example: Subject\:\ .*\nReply-To\:\ \nReceived\:\ \nTo:

Name: GTLD (Generic top-level-domains) senders
Generic and Example: (?msi)(?mis)(\.cf$|\.tk$|\.date$|\.world$|\.live$|\.icu$|\.gdn$|\.ooo$|\.pro$|\.vip$)

Name: Phone number
Generic: (?i) 123-456789-012
Example: (?i) 769-244260-883

Microsoft Spoofs

Name: Microsoft spoof
Generic and Example: (?i)(Microsoft(\s+\w+)*) <(?!\w+@microsoft.com)

Name: Office 365 spoof
Generic and Example: (?i)(Office 365(\s+\w+)*) <(?!\w+@microsoft.com)

Name: Office 365 spoof - password
Generic and Example: (?si)Office[\s-]365.*Your Account Password

Name: SharePoint download links
Generic and Example: https:\/\/\S+\.sharepoint.com\/\:w\:\/g\/personal\/\S+\?e\=\w+\&download\=\d+

Name: OneDrive links
Generic and Example: https:\/\/onedrive\.live\.com\/\?authkey\=

Message IDs

Name: Message ID and Single name From
Generic and Example: (?s)Message-ID:\ \<[A-Z0-9]{8}\.[A-Z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \<
Generic and Example: (?s)Message-ID:\ \<[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@.*From:\ \"[a-zA-Z]*\"\ \<
Generic and Example: (?s)Message-ID:\ \<[0-9]{10}\.[0-9]{5}\.[0-9]{1,2}\.[0-9]{1,2}\-info@.*From:\ [a-zA-Z]*\ \<

Name: Message ID + Blank Reply-to and To
Generic and Example: (?s)Message-ID:\ \<[A-Za-z0-9]{12}\-[A-Za-z0-9]{15}@.*\nReply-To:\ \nTo:

Miscellaneous

Name: Crypto Currency
Generic and Example: \s+[13][a-km-zA-HJ-NP-Z1-9]{25,34}(\n| )

Name: Fake voice message
Generic and Example: (?i)(Audio\_File\_From\ )

Name: File type
Generic: (?i)^(.extension)$
Example: (?i)^(.cab)$

Name: Language code
Generic: \p{ISO Language code}
Example: \p{Han}

Name: URL Block
Generic: (?i)(https\:\/\/websiteurl\.org)
Example: (?i)(https\:\/\/handm\.com)

Name: URL suffix
Generic: (?i).*\.com\.tr$
Example: (?i).*\.co\.za$