Have you considered a whitelist of the common domains instead. As you say the list of non common domains can get quite long and new ones are added from time to time so you'd be constantly updating a blacklist approach.

You could lower your Spam thresholds by 3 and create rules for .com, .net etc and give them a weight of +3 negating the threshold decrease.

I hate to do any whitelisting as there is plenty of spam that comes from those top level domains.  I'd just like to automatically assume something is spam if it is not coming from one of these domains, which is the case pretty much all the time for us. 

You would still run all other Spam checks so mail from .com gets checked just as it does today, it's not a bypass e.g.

Today - Spam low = 10 - Spam high (and deleted) = 20

Mail from .com - CBL fail weight +10 - score 10 - marked as Spam low

Mail from .ru - no RBL match - score 0 - delivered to the inbox

With whitelisting - Spam low = -10 - Spam high (and deleted) = 0

Mail from .com - CBL fail weight +10 - .com whitelisted source -20 - score -10 marked as Spam low

Mail from .icu - no RBL match - score 0 - Spam high and deleted

Does that make sense?

I used .icu as that's the latest domain I've seen abused and with the whitelisted option it's deleted by default.

Hi,

I'd recommend testing this thoroughly before use, but I believe this is the Regex you are looking for.

From:[^@\r\n]+@(\w{2,}\.)*+(?!(com|net|gov|edu|org)[^\w\.]?)

Thank you Alex, it looks like we're really close.  This regex string does exactly what I was looking for when searching on regex101.com or in notepad++.  On the server, though, I'm getting the following error in the delivery logs:

System.ArgumentException: parsing "From:[^@\r\n]+@(\w{2,}\.)*+(?!(com|net|gov|edu|org)[^\w\.]?)" - Nested quantifier +.

I'm not the best at regex so any ideas are appreciated.

Thank you

Hi,

It appears that .NET doesn't support possessive quantifiers.

Here is an updated Regex that replaces the possessive quantifier with an atomic group:

From:[^@\r\n]+@(?>(\w{2,}\.)*)(?!(com|net|gov|edu|org)[^\w\.]?)

If you'd like to know the meaning of this, I used the possessive quantifier (*+) to force the regex to capture all the way to the last period in an email address. This prevents backtracking, disallowing the regex from trying to match before the last period, and so the tld can be properly checked without the regex falling back to a domain/subdomain for a match. An atomic group ((?>)) achieves the same outcome.

I made a slight modification to the string as it was flagging domains containing a hyphen.  So far this seems to be working very well although I am still running it on my testing server to see if any other surprises pop up.

From:[^@\r\n]+@(?>(\w.{2,}\.)*)(?!(com|net|gov|edu|org)[^\w\.]?)

Thank you for all the help in getting this going!