Using Regular Expressions for email processing in Email Threat Protection

Using Regular Expressions (REGEX, REGEXP) 


A regular expression is a special text string for describing a search pattern. You can think of regular expressions as hypersonic wildcard searches. Programmers and technical email administrators with programming experience in your organization can use these regular expressions to rapidly search through your emails for items of interest.  Here are some basic to exotic examples of how to use Regular expressions to perform specific filtered email searches:


Example 1:    Find any email with the word cat in it.




Example 2:    Find any email with any of the words cat or dog in it.




Example 3:    Find any email with the words cat or dog followed by bird in it.


(?i)(cat|dog) *(bird)


Example 4:    Find any email with words or combinations that begin with th and end with s in it.




Example 5: Find any SSN in the format of XXX-XX-XXXX in it.




Example 6: Find any 5 or 9 digit zip code in it.




Example 7:    Find any simple formatted phone number in the format of (XXX)XXX-XXXX in it.




Example 8:    Find any normally formatted phone number within the united states in it, including long distance prefixes and differently formatted area codes.




Example 9:   Find any normally formatted email address contained in it.




Example 10:   Find any email that has a URL imbedded in it.


(?i)\b (https?|ftp|file)://[-A-Z0-9+&@#/%?=~_|!:,.;]*[-A-Z0-9+&@#/%?=~_|]


Example 11:   Find any email that has date designations in it.




Example 12:   Find any email that has a valid IP address in it.




Practical Application:  

Using the Email Threat Protection REGEX Email Filtering engine to perform email redirection operations.


AppRiver’s Regular expression engine is designed for programmers and technical administrators with programming ability to input search term parameters and have the system perform specific actions based on the search terms being found.  The sample provided below demonstrates the successful application of one of these regular expression search terms and it’s beneficial use in routing email.


Scenario:  John Smith, who works at XYZ Company, Inc. is a project manager who manages multiple high level projects for the company.  John has a high priority project assigned to him called PROJECT PHOENIX.  Because of the sensitive nature of this project and it’s vital communications requirements, John needs any of his inbound emails that has the key word PHOENIX in it to be immediately copied to a special project oversight email address.  This email address is:

In order to accomplish this task, John logs onto his Email Threat Protection interface for his company and performs the following actions:

1. From the summary screen, John selects Tools > Final Processing/mail Rules.

2. John then adds a rule that contains the following information.

  •  Condition = BODY

  •  Equals = MATCHES REGEX

  •  Parameter = (?i)(phoenix)

  •  Action = copy

  •  Action Value =

The tested and validated rule, when completed, would look like the one pictured below:


John would then click the Add a Rule button to activate the email processing rule. With this rule active, John is assured that all inbound emails that reference the key word PHOENIX will be copied to the appropriate project email account for centralized storage.

For more information, you can find a Regular expression tutorial at the following link:

It is also strongly recommend that you use the link provided below to completely test your regular expression formulations prior to applying them in the production portion of your Email Threat Protection anti-spam interface.


Regular Expression Syntax Reference Card






 Match any single character



 Match anything but white space character







 Match one of a set of characters



Vertical tab


 Negate a set of characters



Match any alphanumeric character, digit or underscore


 Define a range of characters eg. [0-9]



Opposite of \w


 Escape the next character



Match a hexadecimal number




Match octal number


 Match zero or more of the previous character




 Lazy version of *



Define subexpression


 Match one or more of the previous character



Match nth subexpression


 Lazy version of +





 Match zero or one of the previous character



Negative lookahead


 Match exact number of instances




 Match a range of instances



Terminate \L or \U


 Match n or more instances



Convert next character to lowercase


 Lazy version on {n,}



Convert all characters up to \E to lowercase




Convert next character to uppercase


 Match  start of string



Convert all characters up to \E to uppercase


 Match start of string




 Match end of string



Multiline mode


 Match end of string




 Match start of word



Any letter or digit


 Match end of word



Any letter


 Match a word boundary



Space or tab


 Opposite of \b



ASCII control 




Any digit





Any printable character


 Match a control character



Same as [:print:] but excludes space


 Match any digit



Any lower case character


 Opposite of \d



Any character that is in not [:alnum:] or [:cntrl:]


 Form feed



Any whitespace character including space


 Line feed



Any uppercase character


 Carriage return



Any hexadecimal digit


 Match any white space character