Help w/ Content Filter

oh_ironport · ‎04-10-2008

With all the phishing emails going on, we have been hit at least weekly for the past 2 months, I'd like to create an Incoming Content Filter to quarantine these. From looking at the messages they all seem to have the word "password:" on a line by itself.

I've added a content filter to search for that phrase, send me a copy of the message and then deliver the message. I've done this as a test and to my surprise have found 10-20 valid messages per hour with this string!

What is different about the phishing string and valid string is that for valid email, the word password: is followed by more text.

So, my question is how do I create a content filter where the entire line is any one of these? I'd even settle for one of them.

password:
Password:
password:
Password:

The last two lines have a space after the colon.

I've tried "^[Pp]assword:$" without the quotes but it doesn't work.

Pat_ironport · ‎04-11-2008

Are you looking for Case-insensitivity?


Case-insensitivity (?i)
The token (?i) that indicates the rest of the regular expression should be treated in case-insensitive mode. Placing this token at the beginning of a case-sensitive regular expression results in a completely insensitive match.
For example, the regular expression “(?i)viagra” matches Viagra, vIaGrA, and VIAGRA.

lrosenstein · ‎04-11-2008

I've tried "^[Pp]assword:$" without the quotes but it doesn't work.

It's likely the end of the line has a carriage return + line feed, and the "$" only matches the line feed. Try changing it to: "^[Pp]assword:\s*$". (If you're using a message filter you will need to double the "\".) This will also take care of cases where there is a space at the end of the line.

alex.martins_ironport · ‎04-15-2008

Hi,

Installing the freeware software The Regex Coach on the site:
http://www.weitz.de/regex-coach/

This way we can always test before implementing...

Sorry for my porr english, best regards,
Alex Martins