advanced regexing - ORF Forums

@Bryon: building a complex regex against this type of spam is unnecessary: the URL in the body is listed in at least one of the recommended URL blacklists (uribl.com, I did not check the others), so ORF is able to block this automatically.

Please make sure you have the URL Blacklist test enabled (Administration Tool: Configuration / Tests / Tests) and that you have the recommended URL Blacklists enabled (Configuration / Filtering - On Arrival / URL Blacklists, you should have Spamhaus DBL, SURBL: Combined, and uribl.com enabled), see our best practices guide at http://www.vamsoft.com/downloads/getmostguide.pdf. Finally, save your settings by pressing Ctrl + S to apply the changes.

If you already have this three online blacklist enabled but the email was allowed through none the less, I recommend checking the log to see whether the email was accidentally whitelisted.

A regex blocking emails with URLs in their third line would definitely cause false positives, so we do not recommend adding such manual rule.

@Bryon: Yes, basically whitelists always take precedence over blacklist, though some specific blacklist test can be excepted from the scope of whitelists under Configuration / Tests / Tests, Whitelist exceptions (e.g., it does not make sense to allow the email in if there are no valid recipients, even if the sender is whitelisted).