This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM AntiSpam Expression Filter not scanning for links

We are using UTM 9.706-9. We get a lot of spam that has dynamically created envelope-from addresses, like The next email is coming from dyn2 and so on. Because the sender blacklist doesn't allow for wildcards in the domain, I can't get them blocked this way.

Because the domain ( shows up in the body of the email most of the time, I added "spamdomain" as an expression (also as regex like ".*spamdomain.*"). If this keyword shows up as regular text, the filter triggers. However, if it is embedded in an href link, which it is almost every time, it's not. I just want to have confirmation, that this is the way the expression filter works and I'm not making a mistake.

If this is true, do you have any suggestion on how to catch these spam emails? The content is different every time so there is no point in using other keywords.

Thank you.


This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    I'd suggest you open a support case at, include some original sample spam emails in .eml formate and SMTP logs. Also, provide a support access id with your case. Once you have a support case number, please share the case number with me via personal message. 


  • Hallo Michael and welcome to the UTM Community!

    You're understanding correctly.  I agree with Harsh that you need experienced eyes on the SMTP log and headers of spam emails to find a way to fight this spammer.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA