Filtering Spam by keyword in Microsoft Exchange Server

The latest wave of blackmail scam emails is becoming a genuine PITA. Script-kiddies are harvesting email addys, username and password combinations from the released lists from hacked sites like LinkedIn or MySpace or via dictionary attacks on mail servers and then sending out blackmail emails. They are kinda comical unless you happen to be really stupid and are in the habit of going to pornhub for 10 minutes at a time. There must be enough of those kind of lusers to make it profitable… Here are some sample emails.


Hello!

I’m a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
This is your password from idiot@mysite.org on moment of hack: wordpass


Hello!

My nickname in darknet is smelly33.
I hacked this mailbox more than six months ago,
through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.


I do know wordpass is your passphrase. Lets get directly to point. You may not know me and you are probably thinking why you are getting this e-mail? No one has compensated me to investigate about you.


hello, my victim.

I write you because I buried a virus on the web site with porno which you have viewed.
My trojan captured all your private data and turned on your webcam which recorded the act of your solitary sex. Just after that the malware saved your contact list.
I will erase the compromising video and information if you pay me 400 USD in bitcoin.


And they all go on to tell how they put some sort of spyware on your computer. They then turned on your camera and recorded you as you masturbated while viewing a porn site and now they are going to send the video to all of your contacts and blah blah blah. In order to prevent this you have to send bitcoins to a one-off wallet address. I’ve only had one user sound like he was taking all of this seriously, the rest just find it annoying. And the script-kiddies just don’t seem to give up, these emails just keep on coming (much like my concerned user).

What alerted me to a potential serious breach was that at one site these messages started arriving in mailboxes that were not publicly used. So either from a dictionary attack or from a user that was using their domain password at another site that was compromised, they had obtained a valid user – password combination. They would have used this to obtain the company address book and were now targeting the entire site. Wholesale panic ensued and we forced a password change on all of our users. The account was an administrative account and, because the site had the SBS 2011 suite on it, they would have had access via the Remote Web Access site with all of the Files, OWA, and RDP connections. Fortunately the script-kiddie didn’t know what he had (us by the cojones). Whew!

It still leaves us with the constant barrage of emails that the rest of the users at the site find so annoying.

The solution is simple. What every one of these emails has in common is that they are asking for payment in bitcoin. All you have to do is filter the mail by keyword and redirect every email that has that word in it to another account for review. We used a system account but I was tempted to direct them to the user that had the original weak password.

Open up the Exchange Management Console / expand out Organization Configuration / highlight Hub Transport / click on the Transport Rules tab.

Click on the New Transport Rule – name it “Filter out BITCOIN messages” – comment like “Re-direct any messages with the word BITCOIN in them” – click Next>

Under Conditions check the “when the Subject field or message body contains specific words” and then click on the blue highlight ‘words’ – put the word bitcoin in – and add it – click Next>

Under Actions check redirect the message to addresses box – click the ‘address’ and change it to an account that will get monitored – go Next>

Under Exceptions I checked “except when the message is from users that are inside or outside of the organization” and set it to users inside the organization, so mail from internal users is not redirected.

Click Add and Finish. To ensure that it takes effect right away, open up the Computer Management console or the Services MMC and restart the Microsoft Exchange Transport service.

You can also add the rule via the Exchange Management Shell with the following command.

New-TransportRule -Name 'Filter out BITCOIN messages' -Comments 'Re-direct any messages with the word BITCOIN in them' -Priority 0 -Enabled $true -SubjectOrBodyContainsWords 'bitcoin' -RedirectMessageTo 'idiot@mydomain.org' -ExceptIfFromScope 'InOrganization'
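The same rule as a re-runnable script, as an added example rather than the post's own command. It extends the single keyword to a list (any listed word in the subject or body triggers the redirect, which is how the predicate behaves), updates the rule if it already exists, shows the resulting configuration, and restarts the transport service so the change applies immediately. It assumes it runs in the Exchange Management Shell of the same Exchange 2010 / SBS 2011 server; REVIEW-MAILBOX@example.org is a placeholder for the monitored account.

```powershell
# Added example, not from the original post. Creates or updates the keyword
# redirect rule in the Exchange Management Shell (Exchange 2010 / SBS 2011).

$ruleName  = 'Filter out BITCOIN messages'
$reviewBox = 'REVIEW-MAILBOX@example.org'   # placeholder: replace with the monitored account
# Any one of these words in the subject or body triggers the rule.
$keywords  = 'bitcoin', 'USD', 'video', 'contacts', 'paid'

$existing = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    # Rule already exists: just refresh the word list and the target mailbox.
    Set-TransportRule -Identity $ruleName `
        -SubjectOrBodyContainsWords $keywords `
        -RedirectMessageTo $reviewBox
} else {
    New-TransportRule -Name $ruleName `
        -Comments 'Re-direct any messages with the word BITCOIN in them' `
        -Priority 0 -Enabled $true `
        -SubjectOrBodyContainsWords $keywords `
        -RedirectMessageTo $reviewBox `
        -ExceptIfFromScope InOrganization   # mail from internal users is left alone
}

# Show what is actually configured before trusting it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SubjectOrBodyContainsWords, RedirectMessageTo, ExceptIfFromScope

# Transport rules are picked up within a few minutes on their own; restarting
# the transport service makes the change take effect right away.
Restart-Service MSExchangeTransport
```

Keep the keyword list short and specific to the scam wording; a word like "video" on its own will also sweep up legitimate external mail into the review mailbox, which is why the redirect goes to a monitored account rather than being deleted.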

Now go slap the user with the weak password on the side of the head and tell him/her to use strong passwords and not to reuse their domain password on the Internet. Show them this. http://dilbert.com/strip/2004-12-05 Also tell them that you will be watching them via their monitor as in http://dilbert.com/strip/2001-03-17

Update: The spammers have resorted to obfuscating the word bitcoin by using non-printing HTML. For instance “Bi=9Dtco=9Din”. Exchange Server has limited regular expression capabilities, and they aren’t up to the task. I’ve also seen the old trick of embedding graphics files with the content of the spam message in them. We have had limited success by filtering on 4 or 5 keywords from the spam emails that are not mangled, for instance “USD”, “video”, “contacts” and “paid”.
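To see why the plain keyword rule misses the obfuscated form, here is an added example (not code from the post, and it does not touch Exchange) that decodes a constructed message body the way a mail client would. The “=9D” is the quoted-printable encoding of byte 0x9D, which is a non-printing control character; once it is decoded and stripped, the word reads “Bitcoin” again, while the raw text never contains “bitcoin” at all. The fallback keywords from the update still match the raw text. The sample body and the function names are constructed for this example.

```powershell
# Added example, not from the original post. Shows on a constructed body why a
# 'bitcoin' keyword rule misses "Bi=9Dtco=9Din" and why unmangled keywords still hit.

function ConvertFrom-QuotedPrintable {
    param([Parameter(Mandatory)][string]$Text)
    # Join soft line breaks, then turn each =XX escape into the character it encodes.
    $joined = $Text -replace '=\r?\n', ''
    $evaluator = { param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16) }
    [regex]::Replace($joined, '=([0-9A-Fa-f]{2})', $evaluator)
}

function Remove-NonPrinting {
    param([Parameter(Mandatory)][string]$Text)
    # Drop control (Cc) and format (Cf) characters such as U+009D, so that
    # "Bi<0x9D>tco<0x9D>in" collapses back to "Bitcoin".
    $Text -replace '[\p{Cc}\p{Cf}]', ''
}

function Find-SpamKeywords {
    param(
        [Parameter(Mandatory)][string]$Body,
        [Parameter(Mandatory)][string[]]$Keywords
    )
    # Returns the keywords that appear as whole words (case-insensitive, like the rule).
    $Keywords | Where-Object { $Body -match ('\b' + [regex]::Escape($_) + '\b') }
}

# Constructed sample body in the obfuscated form described in the update.
$rawBody = @"
I will erase the compromising video if you pay me 400 USD in Bi=9Dtco=9Din.
After payment I will delete your contacts and the video, you have 48 hours.
"@

$decoded = Remove-NonPrinting (ConvertFrom-QuotedPrintable $rawBody)

'Raw body, keyword bitcoin:     ' + (@(Find-SpamKeywords $rawBody 'bitcoin').Count -gt 0)    # False
'Decoded body, keyword bitcoin: ' + (@(Find-SpamKeywords $decoded 'bitcoin').Count -gt 0)    # True
'Raw body, fallback keywords:   ' + ((Find-SpamKeywords $rawBody 'USD','video','contacts','paid') -join ', ')
```

The last line lists USD, video and contacts, which is the point of the fallback list: the scam text has to name the currency and threaten the contact list in plain words even when the payment method is mangled. Running the decode step over messages already sitting in the review mailbox is a quick way to confirm which keywords the current wave leaves intact before changing the rule.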

Update 2: We updated our MSME (McAfee Security for Microsoft Exchange) and applied stronger filters. That has really helped.