help with a simple regex?


Hello, looking to block a pattern of subject words... Currently getting slammed with Word documents claiming to be invoices. Snowshoe, too many IPs to block, every domain is random.

I think the best way is to block by the subject.

example subject:
re: randomdomain.tld invoice

The randomdomain is always different,
the TLD is always either [.com|.net],
the last word is always either [invoice|bill|receipt|deal],
and that's the last word.

So I'm looking for something like:

But I'm missing something in the regex language there.

by Bryon 2 years ago

Think I got it:


Any better way?

by Bryon 2 years ago
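Bryon's actual pattern is not reproduced in the thread, so here is an added example (not his code, and not an ORF rule) that implements exactly the subject shape he describes: "re:", a random domain ending in .com or .net, then one of invoice/bill/receipt/deal as the final word. The sample subjects are constructed for the example, not captured mail. The last sample shows the false-positive problem with this approach: a legitimate reply of the same shape is blocked too.

```python
import re

# Hypothetical regex for the subject shape described in the thread:
#   "re: <random domain>.<com|net> <invoice|bill|receipt|deal>"
# with the keyword as the very last word. Constructed for this example.
FAKE_INVOICE_SUBJECT = re.compile(
    r"""
    ^re:\s*                              # reply prefix, space after the colon optional
    [a-z0-9-]+(?:\.[a-z0-9-]+)*          # random domain, possibly with extra labels
    \.(?:com|net)                        # TLD is always .com or .net
    \s+(?:invoice|bill|receipt|deal)     # one of the four keywords ...
    $                                    # ... and nothing after it
    """,
    re.IGNORECASE | re.VERBOSE,
)


def normalise_subject(subject: str) -> str:
    """Collapse folded-header whitespace (CRLF, tabs, runs of spaces) to single spaces."""
    return " ".join(subject.split())


def is_fake_invoice_subject(subject: str) -> bool:
    """True when the whole subject matches the snowshoe invoice pattern."""
    return FAKE_INVOICE_SUBJECT.fullmatch(normalise_subject(subject)) is not None


def classify(subjects):
    """Return {subject: matched} for a batch of subjects."""
    return {s: is_fake_invoice_subject(s) for s in subjects}


# Constructed sample subjects (not real captured mail).
SAMPLE_SUBJECTS = [
    "re: qzkx-holdings.com invoice",            # the reported pattern
    "RE: mail.fd83k.net  Receipt\r\n",          # case/whitespace variation, still matches
    "re: qzkx-holdings.org invoice",            # wrong TLD: not blocked
    "re: qzkx-holdings.com invoice attached",   # keyword is not the last word: not blocked
    "Invoice 4471 from qzkx-holdings.com",      # different shape: not blocked
    "Re: contoso.com invoice",                  # legitimate reply, same shape: blocked (false positive)
]

if __name__ == "__main__":
    for subject, hit in classify(SAMPLE_SUBJECTS).items():
        print(f"{'BLOCK' if hit else 'pass '}  {subject!r}")
```

The pattern uses only constructs common to most regex engines, so it should transfer to a mail filter's subject rule with little change; check whether that engine applies `$` to the raw header (trailing whitespace or a folded line would then defeat the anchor) and whether it is case-insensitive by default. The whitespace normalisation here stands in for that.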

Hi Bryon,

Your regex may work as a quick fix, but expect that pattern to change frequently. They also know legit senders will use the same keywords in the email subject, so watch out for false positives.

For us, this type of fake invoice email is usually malware inside of MS Office documents, and we catch it using ClamAV with the "OLE2BlockMacros yes" option. This is admittedly heavy-handed (how can you reliably tell a good macro from a bad macro?), so we redirect to a quarantine mailbox for review. You may have other AV tools available.

If these messages do have attachments you can carefully look them up on to see if they are malware. Use the SHA256 hash lookup if you don't want to upload any sensitive attachments.


by Sam Russo 2 years ago
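Sam suggests looking attachments up by SHA256 hash instead of uploading them, and blocking Office documents that can carry macros. The following added example (not Sam's code, not ClamAV, and not part of the original thread) does both offline: it walks the attachments of a raw message, hashes each one, and flags the two macro-capable Office containers by structure rather than by filename. Legacy binary .doc files are OLE2 (Compound File Binary) containers and start with the bytes D0 CF 11 E0 A1 B1 1A E1; macro-enabled OOXML files (.docm etc.) are ZIP archives containing word/vbaProject.bin. The message is constructed inline for the example, and the fake .doc is only an OLE2 header with padding, not a real document.

```python
from __future__ import annotations

import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Magic bytes of an OLE2 / Compound File Binary container (legacy .doc, .xls, .ppt).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def sha256_hex(data: bytes) -> str:
    """Hash an attachment so it can be looked up without uploading it anywhere."""
    return hashlib.sha256(data).hexdigest()


def looks_macro_capable(data: bytes) -> bool:
    """Structural check: OLE2 container, or OOXML zip that carries a VBA project.

    Like OLE2BlockMacros this is heavy-handed: a plain legacy .doc without any
    macros is still an OLE2 container and will be flagged here.
    """
    if data.startswith(OLE2_MAGIC):
        return True
    if data[:2] == b"PK":  # zip-based format (OOXML); macros live in vbaProject.bin
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def attachment_report(raw_message: bytes) -> list[dict]:
    """Per-attachment filename, declared type, size, SHA256 and macro-capable flag."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text/* attachments decode to str
            data = data.encode(part.get_content_charset() or "utf-8")
        report.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),
            "macro_capable": looks_macro_capable(data),
        })
    return report


def build_sample_message() -> bytes:
    """Constructed sample mail (not real captured traffic) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@randomdomain.example"
    msg["To"] = "ap@victim.example"
    msg["Subject"] = "re: randomdomain.com invoice"
    msg.set_content("Please see the attached invoice.")

    fake_doc = OLE2_MAGIC + b"\x00" * 504          # OLE2 header only, not a real .doc
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="invoice.doc")

    buf = io.BytesIO()                              # minimal macro-enabled OOXML shape
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")

    msg.add_attachment("Payment terms: net 30.", filename="terms.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for row in attachment_report(build_sample_message()):
        flag = "MACRO-CAPABLE" if row["macro_capable"] else "ok"
        print(f"{flag:14} {row['filename']:14} {row['size']:6d}  {row['sha256']}")
```

Feed it a quarantined .eml (`attachment_report(open(path, "rb").read())`) and paste the hashes into whatever lookup service you use; only the hash leaves your network. The structural check is intentionally independent of the filename and declared Content-Type, since the sender controls both.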
