I notice there are not many Who and What object examples available in the forum. I just want to share some that I am currently using.
The objects may cause some false positives, so I would set quarantine instead of block.
Others can share their objects too.
Who Object:
Regex:
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.ae(\W|$)
- Match any domain ending with .ae.
(^)james_otc.*@yahoo\.com($)
- Regex match for mail from Yahoo.
What Object:
Match Filename:
.*\.(ace|adp|app|asp|ba[st]|cer|chm|cmd|cnt|com|cpl|crt|csh|der|dll|exe|fxp|gadget|hlp|hpj|hta|in[fs]|img|isp|its|jse?|ksh|lnk|ma[dfgmqrstuvw]|md[detwz]|msc|msh|mshxml|msh[12]|msh[12]xml|ms[ipt]|ops|osd|pcd|pif|plg|prf|prg|pst|reg|sc[frt]|sh[bs]|ps[12]|ps[12]xml|psc[12]|tmp|url|vb[eps]?|vsmacros|vsw|ws[cfh]?|xnk|ade|cla|class|grp|jar|mcf|ocx|pl|xbap)
- Match the attachment extensions above.
.*\.(htm[l]?)
- Match all .html attachments.
Match field:
subject=(?i)(\W|^)([\w.\-]{0,25}?testing\.com)(\W|$)
- Match subject with domain name.
Example: Account Blocked xxx@testing.com 6/24/2020 3:38:07 a.m.
subject=(?i)(\W|^)(ages?|activated?|annoy|asap|attack.*|attentions?)(\W|$)
- Match subject with the above words.
subject=(?i)(\W|^)(free shipping)(\W|$)
- Match subject with the above phrase.
subject=(?i)(\W|^)(rm|rm.\d+|\$|\$.\d+)(\W|$)
- Match subject with a $ or RM sign.
Example: BOOK NOW, PAY LATER To Enjoy Great Savings! From RM138. Limited Time Offer. CLICK To BOOK NOW
subject=(\!|\?|\.)$
- Match subject ending with ! or ? or .
Example: A New Order Has Just Arrived!
subject=(?i)^(do|in|hi|hey|how|our|my|are|is|last|please|to|free|we|what|want)(\W|$)
- Match subject starting with the above words.
Example: Do you see what we see? Money Mule
subject=(\W|^)(\d+.\%)(\W|$)
- Match subject that contains a % sign.
Example: Cut 45% Cost from Sanitizer Expenses
subject=(\W|^)(.*\!|.*\?)(\W|$)
- Match subject that contains a ! or ? sign.
Example: Do you see what we see? Money Mule
subject=(?i)^(\d+)(\W|$)
- Match subject starting with a number.
Example: 10 questions L&D detectives must ask
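Added example, not part of the original post: a Python harness that runs the post's subject rules over the post's own example subjects and a few constructed everyday subjects, to show how often the rules fire on ordinary mail before choosing quarantine or block. It assumes the filter applies each regex as an unanchored search and that Python's `re` behaves like the filter's regex engine for these patterns; the rule names and the benign subjects are made up here.

```python
import re

# Subject rules copied from the post; the short names are labels added here.
SUBJECT_RULES = {
    "domain": r"(?i)(\W|^)([\w.\-]{0,25}?testing\.com)(\W|$)",
    "keywords": r"(?i)(\W|^)(ages?|activated?|annoy|asap|attack.*|attentions?)(\W|$)",
    "free_shipping": r"(?i)(\W|^)(free shipping)(\W|$)",
    "currency": r"(?i)(\W|^)(rm|rm.\d+|\$|\$.\d+)(\W|$)",
    "ends_punct": r"(\!|\?|\.)$",
    "starts_word": r"(?i)^(do|in|hi|hey|how|our|my|are|is|last|please|to|free|we|what|want)(\W|$)",
    "percent": r"(\W|^)(\d+.\%)(\W|$)",
    "contains_punct": r"(\W|^)(.*\!|.*\?)(\W|$)",
    "starts_number": r"(?i)^(\d+)(\W|$)",
}
COMPILED = {name: re.compile(rx) for name, rx in SUBJECT_RULES.items()}

def matching_rules(subject):
    """Return the names of every rule whose regex is found in the subject."""
    return [name for name, rx in COMPILED.items() if rx.search(subject)]

def flagged_fraction(subjects):
    """Fraction of the given subjects hit by at least one rule."""
    return sum(1 for s in subjects if matching_rules(s)) / len(subjects)

# Subjects quoted as examples in the post.
POST_EXAMPLES = [
    "Account Blocked xxx@testing.com 6/24/2020 3:38:07 a.m.",
    "BOOK NOW, PAY LATER To Enjoy Great Savings! From RM138. Limited Time Offer. CLICK To BOOK NOW",
    "A New Order Has Just Arrived!",
    "Do you see what we see? Money Mule",
    "Cut 45% Cost from Sanitizer Expenses",
    "10 questions L&D detectives must ask",
]
# Constructed everyday subjects (not from the post) to gauge false positives.
BENIGN = [
    "Is the meeting room booked?",
    "Invoice attached.",
    "Please review the Q3 report",
    "Weekly status update",
]

if __name__ == "__main__":
    for s in POST_EXAMPLES + BENIGN:
        print(f"{', '.join(matching_rules(s)) or '-':45} {s}")
    print("benign subjects flagged:", flagged_fraction(BENIGN))
```

Three of the four constructed benign subjects are hit by the broad rules (leading word, trailing punctuation), which is the kind of false positive the post has in mind when it suggests quarantine instead of block.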