Lately, we have received many inquiries regarding the filtering of display names in emails. The display name shown in your email client (e.g. Outlook) comes from the From: field of the MIME email header. In Outlook, the MIME headers can be retrieved by selecting View | Options (“Internet Headers”). To check the MIME headers in other clients, please visit this page. Example:
[…]
From: “VIAGRA \(c\) Best Supplier” (email@address)
[…]
You can filter this MIME From: field using the Keyword Blacklist of ORF:
1. Download the filter expression by right-clicking this link and selecting “Save link as…” (XML file)
2. Start the ORF Administration Tool
3. Expand Configuration / Tests / Tests in the left navigation tree and make sure the Keyword Blacklist test is enabled
4. Select Configuration | Import | Keyword blacklist… from the main menu, or navigate to Configuration / Filtering – On Arrival / Keyword Blacklist, right-click in the expressions box and select “Import list…”
5. Select the XML file you downloaded and click Open
6. If you already have some expressions in the list, you will be prompted “Do you want to overwrite…?”. Click “No” (otherwise your current expressions will be wiped out)
7. Press Ctrl + S to save and apply the configuration changes (pre-4.3 users should press Ctrl + U)
And that’s it: the expression above will block any email that has “Viagra” in its MIME From: header line.
However, I should point out that we suggest relying on the automated tests of ORF (like DNS and URL blacklists) as much as possible, instead of adding a keyword filtering expression every time you receive a new type of spam (and instead of adding the sender to the Sender or IP Blacklists). If you have received the kind of spam mentioned above (“viagra” in the display name), you should probably read our best practices guide on the recommended configuration.
Our own ORF instance at Vamsoft (which is configured according to the guide) caught all of these using automated tests ;)
UPDATE: some of you guys reported that the regex doesn’t work. That’s because the expression above is altered by our blog engine, WordPress (it replaces the double quote characters with left double quotation marks). To work around this, download this XML file from the link and import it into your Keyword Blacklist.
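The quote substitution described in the update can be reproduced, and checked for, before an expression is pasted into a filter. The Python sketch below is an added example, not part of the original post or of ORF: the pattern, the sample headers and the function names are constructed for illustration, and Python's `re` engine stands in for ORF's.

```python
import re

# Hypothetical display-name expression for illustration; this is NOT the
# expression distributed in the XML file.
INTENDED = r'^From:\s*"[^"\r\n]*v[i1][a@]gr[a@][^"\r\n]*"'

# Constructed sample header lines (not taken from real mail).
HEADERS = [
    'From: "VIAGRA (c) Best Supplier" <sender@example.com>',
    'From: "V1@gra Outlet" <sender@example.com>',
    'From: "Quarterly report" <sender@example.com>',
]

# Typographic quotes a blog engine may substitute, mapped to ASCII.
CURLY = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def as_rendered_by_blog(pattern):
    """Simulate the substitution described in the update: every straight
    double quote becomes a left double quotation mark (U+201C)."""
    return pattern.replace('"', "\u201c")


def typographic_quotes(pattern):
    """Return (offset, character) for each typographic quote in a pattern."""
    return [(i, ch) for i, ch in enumerate(pattern) if ch in CURLY]


def repair(pattern):
    """Map typographic quotes back to their ASCII equivalents."""
    return "".join(CURLY.get(ch, ch) for ch in pattern)


def hits(pattern, headers=HEADERS):
    """Return the headers the pattern matches (case-insensitive, per line)."""
    rx = re.compile(pattern, re.IGNORECASE | re.MULTILINE)
    return [h for h in headers if rx.search(h)]


if __name__ == "__main__":
    pasted = as_rendered_by_blog(INTENDED)
    print("intended:", len(hits(INTENDED)), "hits")
    print("pasted:  ", len(hits(pasted)), "hits", typographic_quotes(pasted))
    print("repaired:", len(hits(repair(pasted))), "hits")
```

A pattern copied from a rendered web page that reports any typographic quotes will silently match nothing against headers that use ASCII quotes, which is the failure the commenters below describe.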
This is exactly what I am trying to do. However, when I took my header and pasted it in the test section the above RegEx did not find a match. Using Expresso I created the RegEx .*From:\s*.*V(?:i|1)(?:a|@)gr(?:a|@) that does find a match.
Could you paste the “From:” header line please?
Hello Krisztian,
I’m needing to block the Viagra From: line as well. The regular expression you have provided does not catch the phrase viagra in my ORF configuration as well. I did a cut and paste from your article. Thanks for any info you can provide, and great blog site by the way.
@randy: what does the ORF log indicate for this email? (You can check it using the ORF Log Viewer). Note that if the email is whitelisted, the keyword filtering will never be triggered. Also, could you paste the “From:” header line of this email please (which made it through ORF with “viagra” in the MIME display name)?
I made a more advanced regex for you guys, try this one:
.*^From:\s*(”|”)[^\r\n]*\b[v(\\\/)]{1,3}[\s\._*]?[iìíîï¡1\|l\!]{1,3}[\s\._*fve]?[aàáâåãäæ\@]{1,3}[\s\._*v]?[gqp9]{1,3}[\s\._*v]?r[\s\._*v]?[aàáâåãäæ\@]{1,3}\b[^\r\n]*(“|”)[^\r\n]*$
This checks different double-quotes characters in the From line, and different variations of the word “viagra” (it catches V1@gra as well for example).
Alright, I think I found the cause of the problem: the blog engine (WordPress) alters the regex! Please see the update part of the original post above for the solution.
This is a great tip and I have literally prevented hundreds of spam mails from coming into my network. My question is what to use to create the regular expressions when I want to block another FROM: entry such as vicodin, percocet or whatever in the world it could be next. Creating the advanced RegEx you did previously is way above my pay grade or knowledge. Thanks!!