Lately, we have received many inquiries regarding the filtering of display names in emails. The display name in your email client (e.g. Outlook) is actually the From: field of the MIME email header. The MIME headers can be retrieved by selecting View | Options in Outlook (“Internet Headers”). To check the MIME headers in other clients, please visit this page). Example:
From: “VIAGRA \(c\) Best Supplier” (email@address)
You can filter this MIME From: field using the Keyword Blacklist of ORF:
1. Download the filter expression by right-clicking this link and selecting “Save link as…” (XML file)
1. Start the ORF Administration Tool
2. Expand Configuration / Tests / Tests in the left navigation tree and make sure the Keyword Blacklist test is enabled
3. Select Configuration | Import | Keyword blacklist… from the main menu, or navigate to Configuration / Filtering – On Arrival / Keyword Blacklist, right-click in the expressions box and select “Import list…”
4. Select the XML file you downloaded and click Open
5. If you already have some expressions in the list, you will be prompted “Do you want to overwrite…?”. Click “No” (otherwise your current expressions will be wiped out)
6. Press Ctrl + S to save and apply the configuration changes (pre-4.3 users should press Ctrl + U)
And that’s it: the expression above will block any emails, which have “Viagra” in their MIME From: email header line.
However, I should point out that we suggest relying on automated tests of ORF (like DNS and URL blacklists) as much as possible instead of adding keyword filtering expressions every time you receive a new type of spam (and instead of adding the sender to the Sender or IP Blacklists), so you should probably read our best practices guide regarding the recommended configuration if you have received such spam we mentioned above (“viagra” in the display name).
Our own ORF instance at Vamsoft (which is configured according to the guide) caught all of these using automated tests ;)
UPDATE: some of you guys reported that the regex doesn’t work: that’s because the expression above is altered by our blog engine, WordPress (it replaces the double quote characters with left double quotation marks). To work this around, download this XML file from the link and import it to your Keyword Blacklist.