Use a Regular Expressions filter to block email spam for .EU domains
September 14, 2014
This is a brief article describing a technique I use to block the current spate of email spam containing links to domains ending in the .EU (Europe) extension. It also demonstrates how to block certain other domains commonly used by Russian and Ukrainian spammers and cybercriminals.
I'd like to point out that spam operations based in Russia and Ukraine have for a long time been setting up websites ending in the domain extension .RU (Russia). I still detect and delete a lot of email spam containing .RU domain links. But the trend now seems to be shifting to spammers registering domains ending in .EU (Europe). Perhaps the rules for registering those domain names are less stringent than those required to obtain a .RU domain (proof of Russian citizenship or residence).
Whatever the reason for the change in domain extensions, the outcome is the same. If you click on a link in an email spam message for weight loss panaceas, the .EU web page you land on will look exactly the same as one ending in a .RU domain name. That's because almost all of the weight loss scams and fake pharmacy sites are built using the same templates. Even the script names are the same on most of these spamvertised websites.
If your email system/provider/client allows you to create Regular Expressions spam filters, use the ones I've created to block virtually all spam containing links to .EU (and Russian) domains.
Wiz's Regular Expressions spam filter for .EU spam domain links.
For web-mail systems (using a web browser), log into your email account and locate its options link. Look at all available options for blocking spam, and see if one exists that allows for Regular Expressions. If so, start a new spam filter, where the message body contains or matches this Regular Expression (aka RegExp): http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+
If you use a desktop email "client," like Microsoft Outlook or Mozilla Thunderbird, which allows for complex spam rules, or if you use the desktop spam filtering program MailWasher Pro, open the program, locate where you create spam or email filtering rules, and add a filter where the message body contains or matches the RegExp: http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+
If you receive your email via a website hosted by a major Apache-server-based web hosting company, like Bluehost, you will likely have some advanced account or user spam filtering options available in your cPanel (control panel). My websites are hosted by Bluehost and here is how I am filtering out 100% of spam with links to .EU domains.
- Log into your (shared, VPS, dedicated, etc.) hosting account.
- Go to your Control Panel (cPanel) and find the Email section.
- Look for an icon labeled Account Filtering, or similar.
- Click on the filtering icon and find a link to create a new email filter.
- Create a new filter and give it a name, such as: ".EU Spam Domain Link"
- Create a rule for the message "Body"
- Select the criteria: "matches" or "contains" or "containing" Regular Expression (or RegExp)
- Copy and paste: http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+
- Choose if you want to Discard the message, or reroute it to another junk email account you may have created.
- SAVE the filter
- Go back to the filters page. The filter should begin deleting or redirecting all spam messages containing .EU links matching my filter, within a few minutes.
I know that spammers change the nature of their links from time to time. As that happens, I will update my spam filters. This is especially true for the custom MailWasher Pro spam filters I write and publish.
Here is another spam domain link filter that detects a broader range of domain extensions used by Russian and Ukrainian spammers. It consists of three separate lines of Regular Expressions for the message body. Set the filter to Body, Contains/Matches/Containing Regular Expression. Set the multiple lines to the OR condition, so any match will trigger the filter.
- http://(www\.)?(.+\.r[uo]/|.+\.r[uo](\r|\n|\s)|.+\.ua)|.+\.[se]u(/|\b)|.+\.by(/|\b)
- www\.[a-z0-9-]{1,16}\.ru(/.+)?
- <a href=(3D)?'[a-z0-9\.]{4,}\.ru'>
Set the action to either discard or reroute to your junk email account.
Note that this filter set also detects the .EU spam, just in a different way.
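To check what these filters catch before setting the action to Discard, the following added example (not the author's code) runs the article's patterns over constructed message bodies. It assumes Python's re module behaves like your mail system's regex engine for these patterns; the function names and sample messages are made up for illustration.

```python
import re

# Patterns copied verbatim from the article (message-body rules).
EU_FILTER = r"http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+"
BROAD_FILTERS = [
    r"http://(www\.)?(.+\.r[uo]/|.+\.r[uo](\r|\n|\s)|.+\.ua)|.+\.[se]u(/|\b)|.+\.by(/|\b)",
    r"www\.[a-z0-9-]{1,16}\.ru(/.+)?",
    r"<a href=(3D)?'[a-z0-9\.]{4,}\.ru'>",
]

# Constructed sample bodies (hypothetical, not real messages).
SAMPLES = {
    "spam_eu_query":   "Lose weight now: http://abc.example.eu/?id=123",
    "eu_https":        "Lose weight now: https://abc.example.eu/?id=123",
    "eu_no_subdomain": "Click http://example.eu/?id=123",
    "eu_uppercase":    "Click HTTP://ABC.EXAMPLE.EU/?ID=123",
    "ham_eu_mention":  "Our invoice portal moved to europa.eu last week.",
    "ham_eu_address":  "Reply to accounts@example.eu with questions.",
    "spam_ru_www":     "Cheap pills at www.example.ru/shop",
    "ham_plain":       "Lunch at noon? See http://example.com/menu",
}

def eu_filter_hits(body, ignore_case=False):
    """True if the single .EU rule matches anywhere in the body."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(EU_FILTER, body, flags) is not None

def broad_filter_hits(body, ignore_case=False):
    """True if any of the three broad rules matches (the OR condition)."""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, body, flags) for p in BROAD_FILTERS)

def report(ignore_case=False):
    """Map each sample label to (eu_rule_hit, broad_rule_hit)."""
    return {label: (eu_filter_hits(body, ignore_case),
                    broad_filter_hits(body, ignore_case))
            for label, body in SAMPLES.items()}

if __name__ == "__main__":
    for label, (eu, broad) in report().items():
        print(f"{label:16} eu_rule={eu!s:5} broad_rules={broad}")
```

On these samples the single .EU rule fires only on a lowercase http:// link with a subdomain and a query string, while the broad set also fires on any body that merely mentions a .eu domain or email address. Rerouting to a junk account lets you review such matches before switching to Discard.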
I hope this helps keep you and yours safe from possibly dangerous drugs and herbs being spamvertised all the time. Never, ever buy anything that arrives via unsolicited spam email for dubious websites! Watch out for bad spelling and grammar. They are usually dead giveaways that something is wrong.