Not applicable

Regular Expressions Examples

I thought it might be a good idea to start a thread where we can all post examples of Regular Expressions that we use to block spam. Or maybe some good web sites that we use to look up expressions. This is to help users who aren't familiar with Regex (like I was when I first got my FG) to get them started and perhaps for all of us to find better expressions to use to keep spam to a minimum. Perhaps if this thread is useful it could be stickied to make it easier to find...
Not applicable

Guys, very useful.
Secure_IT_BE_Nick

Hi,

Rather new on the Fortimail: I use this to block email from unknown, took the example of the admin guide: ^\s*$ Check regular expression

BTW: I saw a posting somewhere with the spoofed mail domain, also an example in the guide (p151): -/* -/*@domain.com ip reversednsname relay (rule that allows mail from that domain) -/*@domain.com -/* 0.0.0.0/0 -/* reject in those order.

Now I'm trying to do that for a client, but he does not have a full subnet, is there another way to do this based only on the ip address?

https://www.secure-it.be

zaskar
New Contributor

Hi all,

does anyone know how to match Unicode characters with regular expression in Antispam Banned Words?

For example, say I want to match the registered sign ® followed by "some text" in the subject of incoming mail. I tried the following patterns:

/.*® some text/i
/.*some text/i

but it appears that a mail subject containing the ® character bypasses the antispam filter. If I remove the ® from the test mail, the second pattern blocks it.

Pattern with the Perl pattern \u00AE is not accepted by the Fortigate GUI.
Any suggestion?

Thanks
Marco
---------------------------------------------
Fortigate FGT200 2.8 build 489

Not applicable

I need some help here... I used the following regex to filter for links to .cn domains in incoming emails. Or well, I tried to, but it doesn't work.

/\.cn/i

I also used the following to check for the word unsubscribe in the same message. Every spam that has been slipping through lately has these two elements in them.

/unsubscribe/i

I have given these two items a high enough score that if they are in the same message it should always be blocked. And yet they are still coming through.

I probably should have started a new thread for this... but thought it might be nice to keep all of this stuff together to help someone find it in the future.

Thanks in advance!
Neal
abelio

Hi, what do the AS logs say? Nowadays spam includes those Chinese URLs embedded in image files, so your regexp will fail. I've tried with /https?://.\w+\.\w+\.cn/i (in body) as banned word with more or less success.

regards / Abel
Not applicable

Well my AS logs don't say much. I can only see a log entry for when a message is determined to be spam... it doesn't show results of the scanning process or anything.

I have examined the messages that I have received and it doesn't appear as though the links are embedded in any images. When I look at the source of the message it has those hyperlinks in it. It is strange because I have used a regex tester and verified that the syntax I use should work... and yet it's not. Seems to be the case sensitivity switch that buggers it up. I have had that problem in the past. Maybe I'll turn that off.

What does the .\w+ do? Is that roughly the equivalent to a wild card? Thanks!
abelio

> Well my AS logs don't say much. I can only see a log entry for when a message is determined to be spam... it doesn't show results of the scanning process or anything.

We'll expect to see something like "The email contains banned word(s). (regexp expression, etc)" under the "Message" column. Re-check your relevant SMTP traffic profile for enabling antispam logging.

> What does the .\w+ do? Is that roughly the equivalent to a wild card?

\w stands for a word [A-Za-z0-9_] (alphanumeric characters plus "_") and + stands for matching the preceding element one or more times.

regards / Abel
Not applicable

> We'll expect to see something like "The email contains banned word(s). (regexp expression, etc)" under the "Message" column

I do see those in the log. Not nearly as often and I expect that I should see them when considering how many of these messages have been getting through. I read your other post in the other thread I created... I shouldn't have double posted this.

I have a number of Regexs that all have a score of 5 and the threshold is 8. I do have emails getting blocked so somehow they must be cumulative. My thinking is that it's not cumulative from the number of reoccurrences of one expression... but that there is a cumulative score between the occurrences of different expressions. So in my messages, if any two regex's occur in the same message it should get blocked. I could be wrong but that's how I figured it.

> \w stands for a word [A-Za-z0-9_] (alphanumeric characters plus "_") and + stands for matching the preceding element one or more times

That's good to know. That will come in handy.
Not applicable

> /https?://.\w+\.\w+\.cn/i

I tried this and it started blocking almost every URL under the sun. Then I realized that I had to use this:

/https?:\/\/\w+\.\w+\.cn/i

This allows the backslashes to be seen literally and not as a function. Plus I think that the first dot might have been a mistake. Not sure on that. I haven't tested this yet but I am going to.
Not applicable

I just tested this and what ended up working for me was:

/https?:\/\/.\w+\.\w+\.cn/i

Not sure why the first dot was needed... but without it nothing matched. I have tested this somewhat and confirmed that it does not appear to be blocking other root domains.
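
What the `.cn` patterns posted in this thread match on a few constructed sample lines, as an added example that is not code from any poster. Python's `re` stands in for the FortiGate's Perl-style matcher (an assumption; the device may differ), and the `anchored` pattern is a hypothetical tightening that does not come from the thread.

```python
import re

# Patterns from the thread, with the /.../i delimiters and flag translated to
# Python (re.IGNORECASE). "/" needs no escaping in a Python pattern.
PATTERNS = {
    "bare_cn":  r"\.cn",                     # /\.cn/i
    "no_dot":   r"https?://\w+\.\w+\.cn",    # /https?:\/\/\w+\.\w+\.cn/i
    "with_dot": r"https?://.\w+\.\w+\.cn",   # /https?:\/\/.\w+\.\w+\.cn/i
    # Hypothetical (not from the thread): any number of host labels, hyphens
    # allowed, and "cn" must be the last label of the host name.
    "anchored": r"https?://(?:[\w-]+\.)+cn(?![\w.-])",
}

# Constructed sample lines, not taken from real mail.
SAMPLES = [
    "Visit http://www.example.cn/offer now",          # host.domain.cn
    "Visit http://example.cn/offer now",              # only two labels
    "Visit http://my-shop.example.cn/",               # hyphen in first label
    "Visit http://a.example.cn/",                     # one-character first label
    "See https://www.news.cnet.example/story",        # ".cn" inside ".cnet"
    "Mail support@lists.cnn.example to unsubscribe",  # ".cn" inside ".cnn", no URL
]


def matches(name, text):
    """True if the named pattern is found anywhere in text, ignoring case."""
    return re.search(PATTERNS[name], text, re.IGNORECASE) is not None


def report():
    """Map each pattern name to its match result for every sample, in order."""
    return {name: [matches(name, s) for s in SAMPLES] for name in PATTERNS}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:9}", ["hit" if h else "-" for h in hits])
```

The thread's URL patterns need at least three labels made only of `\w` characters before `.cn`, and none of the posted patterns checks what follows `.cn`, which is why the `.cnet` line matches.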