Flooded with Telekom Invoices / Regular Expression Help needed RSS


Hello Forum,
i have a problem with regular expressions and did not find a solution:

Subject of Fake (Fishing) Mail:
Ihre Telekom Festnetz-Rechnung

Subject of real Mail:
Ihre Telekom Festnetz-Rechnung Juni 2015 (Adresse: ; Buchungskonto: )

SO - how to create a regular expression that matches ONLY the fake mail - but NOT the real mail (NO match if subject contains "Ihre Telekom Festnetz......" AND "Adresse" and "Buchungskonto")

Thanks for your help
Kind regards

by uwe.kortkamp 3 years ago

@uwe.kortkamp: Hello Uwe,

Using a regex for the subject like this looks fragile - the spammers may adopt the same pattern as the legitimate sender. You should also look thru the headers to see if there is something else that may better identify the spammer.

In any case, if you just need a quick-fix to get past this burst of false invoices, the regex below could work. It only checks for the phrase "Ihre..Rechnung" followed something later by four digits (the year) and something enclosed by parenthesis (..) I did not want to look for the month names and it was not clear if Addresse or Buchungskonto would be substituted for the real information so I ignore those.

Please test this to see if it works for your environment before going live.

Enter this as a Keyword Regex on the Email Subject:
(?!Ihre Telekom Festnetz\-Rechnung.+?\d{4,4}\s\(.+?\))(?=Ihre Telekom Festnetz\-Rechnung)

Gluck auf,

by Sam Russo 3 years ago
(in reply to this post)


Hello Sam,
thanks for your fast answer.
I must admit that i didnt realize that - but it works :-)

You are right - the month names should be ignored. This Reg lokks for both "(" and ")" after the YEAR.

Is it possible to change this RegExp that both words "Addresse AND Buchungskonto" must occur in between "(" and ")"

Ihre Telekom Festnetz-Rechnung Juni 2015 (Bla Blub) SHOULD MATCH

Ihre Telekom Festnetz-Rechnung Juni 2015 (Adresse [different adr here] Buchungskonto [diffenrenz digits here]) SHOULD NOT MATCH

At moment your solutions works because most spammers only use a subject without "(" and ")"

Thanks again and have a nice weekend.

by uwe.kortkamp 3 years ago

@uwe.kortkamp: This may work for you (test before you trust):
(?!Ihre Telekom Festnetz\-Rechnung.+?\d{4,4}\s\(Adresse.+?Buchungskonto.+?\))(?=Ihre Telekom Festnetz\-Rechnung)

Regular expressions are very useful to create rules in ORF. You can Google Regex to learn more. When you create an ORF rule, it is helpful to paste some samples to test things until you are convinced it works as expected. There are also sites like refiddle.com that make it easy to test ideas.

Good luck,

by Sam Russo 3 years ago
(in reply to this post)


Hi Sam,
works as expected


Kind regards

by uwe.kortkamp 3 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed