EOL Transport rule to trap spam with these characteristics?


My users are being bombarded by spam which has some very specific characteristics. I'm desperate to create a transport rule which silently deletes emails which have this pattern:


1) The sending domain is one of the webmail services like gmail.com, yahoo.com, yahoo.co.jp, outlook.com

2) The subject line is blank, 'Re:' or 'Fwd:' (sometimes in upper case)

3) The message body has some brief random text plus a hyperlink, often shortened to http://goo.gl or https://goo.gl


So far, all my attempts at rules which look for this combination of characteristics have failed :(


The way the message body is encoded is as follows, don't know if that confuses attempts to search?


<div dir="auto">Enquiry https://goo.gl/x1MCK7 <div dir="auto"><br></div><div dir="auto">Ramin Marjan</div></div><br><div class="gmail_quote"><div dir="ltr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Ramin Marjan</strong> <span dir="ltr">&lt;<a href="mailto:nraminnottingham@yahoo.co.uk">raminnottingham@yahoo.co.uk</a>&gt;</span><br>Date: Sunday, February 10, 2019 06:00:46 PM
1 Reply

The problem here is coming up with an exact match, which is where Regex is very useful. It might be a bit hard to grasp if you haven't dealt with regex previously, but here's a nice article with examples of what you can do with transport rules and regex: https://windowsserveressentials.com/2017/03/28/using-office-365-to-protect-your-email/
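
An added example, not from the thread or the linked article: a Python sketch that prototypes the three characteristics from the question as a single AND-combined check, so candidate patterns can be tried offline against sample messages before they go into a rule. Python's `re` syntax stands in for the transport-rule pattern syntax (an assumption), and the helper names and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Webmail domains listed in the question (extend as needed).
WEBMAIL = {"gmail.com", "yahoo.com", "yahoo.co.jp", "outlook.com"}
# Subject is blank, or only "Re:" / "Fwd:" in any letter case.
SUBJECT_RE = re.compile(r"^\s*((re|fwd):)?\s*$", re.IGNORECASE)
# goo.gl short link over http or https; also matches inside raw HTML markup.
SHORTLINK_RE = re.compile(r"https?://goo\.gl/\w+", re.IGNORECASE)

def body_text(msg):
    """Concatenate the decoded text/* parts (plain and HTML) of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)

def matches_pattern(raw):
    """True only when all three characteristics are present (logical AND)."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "") or ""
    return (domain in WEBMAIL
            and SUBJECT_RE.match(subject) is not None
            and SHORTLINK_RE.search(body_text(msg)) is not None)

def make(sender, subject, body):
    """Build a minimal constructed HTML message for testing."""
    return (f"From: {sender}\nSubject: {subject}\n"
            "Content-Type: text/html; charset=utf-8\n\n" + body)

# Body shaped like the snippet in the question; senders are constructed.
SPAM_BODY = '<div dir="auto">Enquiry https://goo.gl/x1MCK7 <div dir="auto"><br></div></div>'
SAMPLES = {
    "fwd_upper": make("Sample <constructed-sample@gmail.com>", "FWD:", SPAM_BODY),
    "blank_subject": make("constructed-sample@yahoo.co.jp", "", SPAM_BODY),
    "real_reply": make("constructed-sample@gmail.com", "Re: invoice", SPAM_BODY),
    "no_link": make("constructed-sample@outlook.com", "Re:", "<p>See you at 3pm</p>"),
    "other_domain": make("constructed-sample@example.org", "Re:", SPAM_BODY),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {matches_pattern(raw)}")
```

The HTML encoding does not hide the link from a pattern search, because the URL appears as literal text in the markup. A genuine reply such as "Re: invoice" is left alone because the subject pattern is anchored at both ends.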