Overview

This article aims to present some possible rules that may be used to filter out emails based on specific content.

Information

Most of these sample rules heavily rely on Regular Expressions (regex). GFI MailEssentials uses XRegExp 2.0 which are JavaScript-based regular expressions. If you're unfamiliar with regular expressions, and you'd like to explore the concept, you can try this excellent tutorial.

Sample rules

These are usually created by navigating to Content Filtering > Advanced Content Filtering > Add a New Rule, naming the rule, choosing Body and Matches Regex, in the Condition area, unless specified otherwise.

Since these rules are based on regular expressions, this functionality is not limited to this list only. The following are just examples that are intended to be used as a starting point for more complex rules.

Filter out links that don't use HTTPS

In order to filter out emails containing HTTP links, the following pattern may be used:

.*?(http\:\/\/[a-zA-Z0-9\.\/\-]+)

This pattern will detect all lines that contain URLs starting with HTTP, regardless of the position in the source text.

If you want to detect the URL only, use the following pattern:

(http\:\/\/[a-zA-Z0-9\.\/\-]+)

By omitting the .*? characters, the pattern now only looks for the portion of the text that identifies as an URL.

Filter out specific URLs

In order to filter out emails containing specific URLs, the following patterns may be used:

(http|www)(.*)(\.php)

This pattern will detect all URLs that contain the .php extension.

(http|www)(.*)(ebay)

This pattern will detect all URLs that contain the word ebay.

Filter out emails containing credit card information

In order to filter out credit card information, the following pattern may be used:

^(?:4[0-9]{12}(?:[0-9]{3})?|(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})$ 

It is composed of the following blocks

• Visa:

  4[0-9]{12}(?:[0-9]{3})?

• MasterCard:

  (?:5[1-5][0-9]{2}| 222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}

• American Express:

  3[47][0-9]{13}

• Diners Club:

  3(?:0[0-5]|[68][0-9])[0-9]{11}

• Discover:

  6(?:011|5[0-9]{2})[0-9]{12}

• JCB:

  (?:2131|1800|35\d{3})\d{11}

Filter empty return paths in the email headers

In cases of Backscatter / NDR attacks, spammers may be using empty return-to headers to circumvent spam filters. The Advanced Content filtering system can prevent that by using the following technique:

• Create a new rule, name it, and choose Header and Contains as the condition
• Enter R e t u r n - P a t h :  < > as the value for the rule
• Apply the rule for Inbound, Outbound and Internal
• Configure the spam action in the Actions tab as desired
• Apply the changes
• Repeat the above steps and create another rule by using "Return-Path: <>" as the value
  Note

  This value is missing the spaces between the characters

To ensure the efficiency of this rule, make sure the following extra steps are performed:

• Ensure that the Directory Harvesting filter is enabled. 
• In the Directory Harvesting filter node, change the Block if non-existent recipients equal or exceed value from 2 to 1
• Ensure that the Microsoft Exchange Recipient Filtering is disabled.