help with a simple regex?
think i got it:
^re:.*(com|net).*(invoice|receipt|deal|bill)$
any better way?
Hi Byron,
Your regex may work as a quick fix but expect that pattern to change frequently. They also know legit senders will use the same keywords in the email subject so watch out for false positives.
For us, this type of fake invoice email is usually malware inside of MS Office documents and we catch it using ClamAV with the "OLE2BlockMacros yes" option. This is admittedly heavy-handed (how can you reliably tell a good macro from a bad macro?) so we redirect to a quarantine mailbox for review. You may have other AV tools available.
If these messages do have attachments you can carefully look them up on virustotal.com to see if they are malware. Use the SHA256 hash lookup if you don't want to upload any sensitive attachments.
Sam
hello, looking to block a pattern of subject words... currently getting slammed with word documents claiming to be invoices. snowshoe, too many IPs to block, every domain is random
i think the best way is to block by the subject
example subject:
re: randomdomain.tld invoice
the randomdomain is always different,
the tld is always either [.com|.net]
the last word is always either [invoice|bill|receipt|deal]
and that's the last word
so i'm looking for something like:
^re:.*\.[com|net].*[invoice|bill|receipt|deal]$
but i'm missing something in the regex language there
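
Added example, not part of the thread: a comparison of the pattern from the question, the pattern from the follow-up post, and a stricter variant, run against constructed subject lines to show where each one over-matches. The "tightened" pattern, the sample subjects and case-insensitive matching are assumptions made for illustration.

```python
import re

# The three patterns compared. IGNORECASE is an assumption; the thread does
# not say whether the filter matches case-sensitively.
PATTERNS = {
    # From the question. [...] is a character class, so [com|net] matches ONE
    # character out of c, o, m, |, n, e, t, not the word "com" or "net".
    "question": re.compile(
        r"^re:.*\.[com|net].*[invoice|bill|receipt|deal]$", re.I),
    # From the follow-up. (...) groups whole-word alternatives, but no literal
    # dot is required and .* lets "com"/"net" appear inside any word.
    "follow_up": re.compile(
        r"^re:.*(com|net).*(invoice|receipt|deal|bill)$", re.I),
    # Hypothetical tightening: exactly "re: <host>.<com|net> <keyword>".
    "tightened": re.compile(
        r"^re:\s+[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net)"
        r"\s+(?:invoice|bill|receipt|deal)$", re.I),
}

# Constructed subject lines, not taken from real mail.
SAMPLES = [
    "re: qzxvplk.com invoice",                     # the spam shape described
    "re: see attached.txt please",                 # ordinary reply with a dot
    "re: welcome to the team, here is the deal",   # "com" inside "welcome"
    "re: acme-supplies.com invoice",               # plausible legitimate reply
]


def matches(subject):
    """Return the names of the patterns that match this subject line."""
    return [name for name, rx in PATTERNS.items() if rx.search(subject)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:50} -> {matches(s) or 'no match'}")
```

The last sample matches all three patterns, so a subject-only rule is better suited to routing mail into a quarantine mailbox for review than to rejecting it outright.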