Help w/ Content Filter

Unanswered Question
Apr 10th, 2008
User Badges:

With all the phishing emails going on, we have been hit at least weekly for the past 2 months, I'd like to create an Incoming Content Filter to quarantine these. From looking at the messages they all seem to have the word "password:" on a line by itself.

I've added a content filter to search for that phrase, send me a copy of the message and then deliver the message. I've done this as a test and to my surprise have found 10-20 valid messages per hour with this string!

What is different about the phishing string and valid string is that for valid email, the word password: is followed by more text.

So, my question is how do I create a content filter where the entire line is any one of these? I'd even settle for one of them.

password:
Password:
password:
Password:

The last two lines have a space after the colon.

I've tried "^[Pp]assword:$" without the quotes but it doesn't work.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Pat_ironport Fri, 04/11/2008 - 10:38
User Badges:

Are you looking for Case-insensitivity?


Case-insensitivity (?i)
The token (?i) that indicates the rest of the regular expression should be treated in case-insensitive mode. Placing this token at the beginning of a case-sensitive regular expression results in a completely insensitive match.
For example, the regular expression “(?i)viagra” matches Viagra, vIaGrA, and VIAGRA.
lrosenstein Fri, 04/11/2008 - 15:59
User Badges:


I've tried "^[Pp]assword:$" without the quotes but it doesn't work.


It's likely the end of the line has a carriage return + line feed, and the "$" only matches the line feed. Try changing it to: "^[Pp]assword:\s*$". (If you're using a message filter you will need to double the "\".) This will also take care of cases where there is a space at the end of the line.

Actions

This Discussion