Blocking Spam with Keyword Expressions

If these spam emails are still annoying you...

...here are some examples on how to block these using IMF Tune.

But before talking of IMF Tune, I want to first alert you of our recommendation to employ a good RBL provider together with IMF Tune. The RBL provider we are recommending right now is SpamHaus.

NOTE: IMF Tune does not provide direct support for RBLs because these are already natively supported within Exchange 2003/2007/2010. Since IMF Tune is an add-on to the Exchange built-in anti-spam we avoid providing functionality that is already natively implemented.

The reason why RBLs work well with IMF Tune is because the two filters base themselves on very different filtering technologies. Thus the two are complimentary.

If you prefer to block these directly at IMF Tune here are some ideas. Our goal here is to illustrate how keyword matching works in IMF Tune and can even be employed against emails that may at first appear to be tricky to block.

Looking at this email I can immediately pinpoint the phrase "/pill". To blacklist this at IMF Tune we would enter:
"/pill "

What is important to note here is the additional whitespace character I introduce immediately following the world pill, just before closing the double quotes. In IMF Tune that additional whitespace has a special meaning. It means that we are matching the ending part of a sequence of characters.

Another approach we could take is that of blocking the keywords VIAGRA, CIALIS and LEVITRA. Of course we cannot enter these. What we can do instead is to supply the Body blacklist the following expression:
" V C L " AND " I I E " AND " G A V " AND " R L I " AND " A I T "

What I did here was to simply group together the first letter of each of VIAGRA, CIALIS and LEVITRA forming the keyword " V C L ". Next I grouped together the second letter of each, forming the second keyword " I I E ".

The reason why I can take this approach is because many identical spam emails of this type are being sent. Even though the keywords themselves are not that meaningful, they will still do a fine job in blocking this particular wave. In this case it is also important to combine multiple keywords in order to avoid matching any legitimate three letter acronyms.

Looking back at the expression, there are some interesting points to appreciate:

1. It really does not matter how many whitespace characters are separating each character. When processing emails IMF Tune handles a sequence of whitespace characters as if there was only one such character. This is why the keyword " V C L " will match all of these:

   " V     C     L "
" V C     L "
" V     C L "

2. Again we introduce an additional whitespace character following the opening double quotes and preceding the closing double quote. This is so as to make sure IMF Tune considers each letter as a whole word rather than just one character within a multi-character word.

3. In this particular example we could have written the same expression as follows:
   " V C L " " I I E " " G A V " " R L I " " A I T "

   By default multiple keywords in the same blacklist expression are ANDed. AND here indicates that all keywords MUST be matched.

4. Instead of the multi-keyword expression in this case we could use:
   " V C L I I E G A V R L I A I T "

   Here we are telling IMF Tune to match the following sequence of whole words strictly in the specified order: " V ", " C ", " L ", " I ", " I ", etc.

   The fact that the email includes new lines separating some of these characters is irrelevant to IMF Tune.

   Also note that this expression is not exactly equivalent to the others. In fact it this is stricter. Here we are specifying the exact sequence of many characters. In the other expressions we defined a set of shorter sequences.