help with a simple regex? - ORF Forums

help with a simple regex? RSS Back to forum

1

hello, looking to block a pattern of subject words... currently getting slammed with word documents claiming to be invoices. snowshoe, too many ip's to block, every domain is random

i think the best way is to block by the subject

example subject:
re: randomdomain.tld invoice

the randomdomain is always different,
the tld is always either [.com|.net]
the last word is always either [invoice|bill|receipt|deal]
and that's the last word

so i'm looking for something like:
^re:.*\.[com|net].*[invoice|bill|receipt|deal]$

but i'm missing something in the regex language there

by Bryon 3 years ago
2

think i got it:

^re:.*(com|net).*(invoice|receipt|deal|bill)$

any better way?

by Bryon 3 years ago
3

Hi Byron,

Your regex may work as a quick fix but expect that pattern to change frequently. They also know legit senders will use the same keywords in the email subject so watch out for false positives.

For us, this type of fake invoice email is usually malware inside of MS Office documents and we catch it using ClamAV w the "OLE2BlockMacros yes" option. This is admittedly heavy-handed (how can you reliably tell a good macro from a bad macro?) so we redirect to a quarantine mailbox for review. You may have other AV tools available.

If these messages do have attachments you can carefully look them up on virustotal.com to see if they are malware. Use the SHA256 hash lookup if you don't want to upload any sensitive attachments.

Sam

by Sam Russo 3 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2