
REGEX for emojis in subject line

Here's an example. We get numerous variations of senders (all Gmail) and subjects (usually consistent for a few days). One common factor is that green heart emoji. I have tried various REGEXes to catch it. There was another one that had the green heart and was for CLIPPERPRO toenail clippers. We get about 20 a day. The regex never catches on CLIPPERPRO or toenail either. Sometimes it would catch them if they were being bounced as undeliverable.

smtpd[5461]: SCANNER[5461]: 1m6ogm-0001Q5-3y <= nguyenthilinh13081994@gmail.com R=1m6ogb-0001PW-1e P=INPUT S=68404 2021:07:23-02:29:40 smtpd[5461]: SCANNER[5461]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="209.85.217.67" from="nguyenthilinh13081994@gmail.com" to="" subject="Green heart Discover a Better, Faster Way to Eliminate Neck Pain!" queueid="1m6ogm-0001Q5-3y" size="68404"


Another note: now most of these get caught in quarantine as spam if they are undeliverable.
smtpd[5461]: SCANNER[5461]: 1m6ogp-0001Q5-F0 <= R=1m6ogm-0001QC-1q P=INPUT S=80522 2021:07:23-02:29:43 smtpd[5461]: SCANNER[5461]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="" from="" to="nguyenthilinh13081994@gmail.com" subject="Undeliverable: Green heart Discover a Better, Faster Way to Eliminate Neck Pain!" queueid="1m6ogp-0001Q5-F0" size="80522" reason="as" extra=""


  • The code for that emoticon is 1364189d2f614533a50484dc4975342f - does using that work?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I sent a couple to myself from outside and it did not block them. I have not come across that code anywhere. Is there a reference you can share? The spammer has mixed it up over the last few days with new emojis as well. I sent an example to Sophos, but have not heard anything. I'm really not seeing why it is not picking up on either the emoji or simple text from the subject lines.

  • If you Edit your first post, you can select 'Tools >> Source code' and that lets you see the emoticon code.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm out of ideas to block these. Any other ideas out there? Header below; I can provide an actual example as well. They are HTML formatted, and they change various things from time to time: the sender varies (always Gmail), the subject matter, and the destination URLs. But they're obviously all the same.

    Received: from
    with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.5 via Mailbox
    Transport; Wed, 4 Aug 2021 12:24:22 -0400
    Received: from
    with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.5; Wed, 4 Aug 2021
    12:24:22 -0400
    Received:
    with Microsoft SMTP Server id 15.2.858.5 via Frontend Transport;
    Wed, 4 Aug 2021 12:24:22 -0400
    Received: from mail-ej1-f68.google.com ([209.85.218.68]:33522)
    by with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.94.2)
    (envelope-from <phanhung11081974@gmail.com>)
    id 1mBJgq-0007gx-1n
    for ; Wed, 04 Aug 2021 12:24:20 -0400
    Received: by mail-ej1-f68.google.com with SMTP id hs10so4670855ejc.0
    for ; Wed, 04 Aug 2021 09:24:20 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20161025;
    h=mime-version:from:date:message-id:subject:to;
    bh=NlrdQOCVaAlQqGzRGHxJlV0SowrxmyL0uxi7Ocw/V84=;
    b=vNvqxpjnhpZdN85GoJw90yWaMR4UcC6xJKFemHvRznOyb/GoAQxmWJ4rj3ZFgOlgbB
    w5KqzxYCCnnwC6rV8oRoLOR0VXvQP+WwDVqkPvMkGJfJRTgrPfTLzsEA6vXzuHaUPWmL
    ST2UUcz6pc0pViLXyPI8cI8YkhX5R9lhyNdVk3bhbahIeAILRAjJSeHEHDyBYfu0nmzt
    zDZWbbnWQFovABG1/cGj8sFojPJahQYq6mISJEiBZZtVsoGLoSgztv1VOE9mJFdlW5iF
    ZPJZMxWzL7Mc7D9znQdLqSJ1fjIuurZJlncZydDw9ZoL4K29w3VgRE6F5E2Zf9PPKNQ7
    TIOw==
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=1e100.net; s=20161025;
    h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
    bh=NlrdQOCVaAlQqGzRGHxJlV0SowrxmyL0uxi7Ocw/V84=;
    b=VXSnQFO7zeiZTRsjcEwElyF9JB7JA7nHiaufZyJhGOVNzNW6SStAPLxdqotmmnyQbW
    72RzaRl36mFdG56ChvJT02/s7Y1XpJaTUWaRczuuDAL8vZnFjcyZwBfdM+A+l5JgjsJr
    1dGE/e3ptnWGxWxjWlyVZavk/p6SS417KRsTHlMlhIa+bAJ1cyjrpldaNOs9DGelRPX3
    jZ6mLkk4ZbbWjrAIip9JNErM8GQ9Z2QY3ZBYCmlFo4uhpwsA0SApS56AAUPD5XbpR35F
    kBEvDVyhHSO1g+ugErfajZ9Hh9dPLuGe49SNIo3SDYZmVQ63+tZyNdP4t2dG/ykXUFX5
    4gdg==
    X-Gm-Message-State: AOAM530TfmgPkMWrXEyoz9nYuGuHrF8/qlcgB6Pihb/3aFB7xrq+cmMv
    9RHzEit5BBwMPR3ns5iw37xs7DUaKCJ2GSjP8bM=
    X-Google-Smtp-Source: ABdhPJyioTjR3XP4LtJD2Km90k5FCyce6UCIBznH4X0+kW+3nSXxuoaL4IHytW7PSn6vFHLLq3cVM8D03Y0rGmzJ1Ys=
    X-Received: by 2002:a17:906:64a:: with SMTP id t10mr48600ejb.5.1628094258860;
    Wed, 04 Aug 2021 09:24:18 -0700 (PDT)
    Received: from 310656366328 named unknown by gmailapi.google.com with
    HTTPREST; Wed, 4 Aug 2021 09:24:17 -0700
    Received: from 310656366328 named unknown by gmailapi.google.com with
    HTTPREST; Wed, 4 Aug 2021 09:24:16 -0700
    MIME-Version: 1.0
    From: phanhung11081974@gmail.com
    Date: Wed, 4 Aug 2021 09:24:17 -0700
    Message-ID: <CAFDxp0_MQrNCrCo0zyJ3yWfGjS08StV7AacNZAdzsEJE_JyQHA@mail.gmail.com>
    Subject: =?UTF-8?Q?=F0=9F=92=9A_Relieve_Neck_and_Body_Pain_While_Working_=2D_Anyw?=
    =?UTF-8?Q?hen_Anywhere?=
    To: undisclosed-recipients:;
    Content-Type: multipart/alternative; boundary="000000000000f5d87e05c8be3bdb"
    BCC: <>
    Return-Path: phanhung11081974@gmail.com
    X-MS-Exchange-Organization-Network-Message-Id: 3704d6c3-aaf0-4e49-ee16-08d957645195
    X-MS-Exchange-Organization-AuthSource:
    X-MS-Exchange-Organization-AuthAs: Internal
    X-MS-Exchange-Organization-AuthMechanism: 10
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.1770303
    X-MS-Exchange-Processed-By-BccFoldering: 15.02.0858.009
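The posted header shows the subject arriving as an RFC 2047 encoded word (=?UTF-8?Q?=F0=9F=92=9A_...?=), where =F0=9F=92=9A is the UTF-8 encoding of U+1F49A GREEN HEART. A regex written against the decoded character will never match the raw encoded header, and vice versa, which is one way a subject filter can silently miss the emoji. The script below is an added example (not code from this thread or from Sophos) using only Python's standard email library; the sample subjects are constructed from the header and log lines posted above, and the keyword list is an assumption based on the spam described.

```python
import re
from email.header import decode_header, make_header

# Constructed samples: the Q-encoded Subject from the posted header, plus two
# plain subjects taken from the thread's log line and description.
RAW_SUBJECTS = [
    "=?UTF-8?Q?=F0=9F=92=9A_Relieve_Neck_and_Body_Pain_While_Working_=2D_Anyw?= "
    "=?UTF-8?Q?hen_Anywhere?=",
    "Discover a Better, Faster Way to Eliminate Neck Pain!",
    "CLIPPERPRO toenail clippers - limited offer",  # constructed
]

GREEN_HEART = "\U0001F49A"  # U+1F49A GREEN HEART; UTF-8 bytes F0 9F 92 9A

# Matches the decoded character (what a filter sees after RFC 2047 decoding).
DECODED_RE = re.compile(GREEN_HEART)
# Matches the raw encoded-word form (what a filter sees on the undecoded header).
RAW_RE = re.compile(r"=F0=9F=92=9A", re.IGNORECASE)
# Broader catch-all for common emoji blocks (Misc Symbols, Dingbats,
# Misc Symbols and Pictographs, Emoticons, Transport and Map,
# Supplemental Symbols and Pictographs); tune to your false-positive tolerance.
ANY_EMOJI_RE = re.compile(
    "[\u2600-\u27BF\U0001F300-\U0001F5FF\U0001F600-\U0001F64F"
    "\U0001F680-\U0001F6FF\U0001F900-\U0001F9FF]"
)
# Assumed keyword list for the campaign described in the thread.
KEYWORD_RE = re.compile(r"\bCLIPPERPRO\b|\btoe?nail\b", re.IGNORECASE)


def decode_subject(raw: str) -> str:
    """Decode RFC 2047 encoded words (Q or B) into one Unicode string."""
    return str(make_header(decode_header(raw)))


def classify(raw: str) -> dict:
    """Report which pattern family would have matched this subject."""
    decoded = decode_subject(raw)
    return {
        "decoded": decoded,
        "raw_match": bool(RAW_RE.search(raw)),
        "decoded_match": bool(DECODED_RE.search(decoded)),
        "any_emoji": bool(ANY_EMOJI_RE.search(decoded)),
        "keyword": bool(KEYWORD_RE.search(decoded)),
    }


if __name__ == "__main__":
    for subject in RAW_SUBJECTS:
        print(classify(subject))
```

Test a candidate pattern against both the raw and the decoded form of a real sample before deploying it, because the match result differs depending on which stage of the mail pipeline applies the regex.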