7 Messages
How do I create an email filter that filters on the content of the email body
I've been getting a lot of scam emails where the email body contains the string "suspicious security".

I have tried the following filter rule but it is not working.

The body of the email is in HTML and not a picture so the string should be searchable.
Any ideas on what I can do with the filter?
BruceW
Gold Problem Solver
•
26.3K Messages
2 years ago
There are lots of ways spammers use to paint text in HTML so that it appears to be a simple character string, but is actually more complicated. Likewise, ordinary character strings can be surrounded by tags that result in webmail's filters being unable to find them.
Could you post the raw HTML source of the "suspicious security" character string and a bit of the tags around it? The Forum editor's "{;} Insert/edit code sample" tool bar item may be helpful in pasting that.
Please be aware that there are 2 kinds of responses in this Forum: Replies and Comments. When you Comment on a post by scrolling down to "Comment on this post here...", I am notified of your response. But if you select Reply, I am NOT notified and may not be aware of your response.
0
0
user_k5n7qd
7 Messages
2 years ago
1
0
user_k5n7qd
7 Messages
2 years ago
Here is the complete body of the email. Maybe something past the string is causing the issue. I did check and the IP address 216.5.173.20 given in the body is nowhere close to mine.
MIME-Version: 1.0
Subject:[notice]
<h1><span style="font-size:36px">Comcast </span></h1>
<p><span style="font-size:26px"><strong><span style="color:#e74c3c">(26) </span>suspicious security threats are detected on </strong></span><span style="font-size:26px"><strong>your device.</strong></span><br />
<strong>We have detected that your device is at risk of being hacked or infected with malware. Immediate action is required to avoid data leakage, network spoofing, phishing attacks, spyware and improper session handling.</strong></p>
<p> </p>
<p><strong>Your IP: 216.5.173.20</strong></p>
<p><strong>Internet service provider: Comcast</strong></p>
<p><strong>Risk score: <span style="color:#e74c3c">HIGH</span></strong></p>
<p><strong><span style="color:#e74c3c">02 : 24 : 36</span></strong></p>
<p><strong>How to fix it </strong></p>
<p>Step 1: Tap the button below and subscribe the the Ultra Antivirus mobile protection service by paying $1.69 on the next check-out page.</p>
<p>Step 2: Activate the protection service to remove all the security threats, and keep your activities secure and private.</p>
<p> </p>
<td height="23" style="" class="em_h20"> </td>
</tr>
<tr>
<td align="center" valign="top">
<table width="290" border="0" cellspacing="0" cellpadding="0" bgcolor="#FF1C1C" style="border-radius: 20px; " align="center" class="em_wrapper">
<tbody>
<tr>
<td align="center" valign="middle" height="40" style="font-size:20px; color:#ffffff; font-family:'Poppins', Arial, sans-serif; font-weight: 600;">
<a x-cq-linkchecker="skip" rel="noopener noreferrer" href="https://link.mail.beehiiv.com/ss/c/hinvcS3xmC95wU2e0w8RGix40nDRqndzE90G8Bt2LKPOI2ea7DcGT1KXgcxjMhCnFX2ysN6Bb__SOlPDuRVjw8smf69RiYXgzvpEeAap4z5lg_bSDy9vNZwC8EDfMjwyfYSb-OkIkizAQvPXCEaAng/3w0/oE7NfGNvQ-iCs7eSYeY92Q/h8/phXMVgGwUYg_zQ84Dk-qB5pUNZsfM8WkM3WlK_D8Ifs#?act=cl&pid=288307_smd&uid=833&vid=553816&ofid=6767&lid=59788&cid=3821193" target="_blank" style="text-decoration:none; color:#ffffff; line- ;" >Fix Now</a>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td height="39" style="" class="em_h20"> </td>
<center>
<br>
<font size="2" color="#818181"> You may unsubscribe at any time. <a href="https://link.mail.beehiiv.com/ss/c/hinvcS3xmC95wU2e0w8RGix40nDRqndzE90G8Bt2LKPOI2ea7DcGT1KXgcxjMhCnFX2ysN6Bb__SOlPDuRVjw8smf69RiYXgzvpEeAap4z5lg_bSDy9vNZwC8EDfMjwyfYSb-OkIkizAQvPXCEaAng/3w0/oE7NfGNvQ-iCs7eSYeY92Q/h8/phXMVgGwUYg_zQ84Dk-qB5pUNZsfM8WkM3WlK_D8Ifs#?act=un&pid=288307_smd&uid=833&vid=553816&ofid=6767&lid=59788&cid=3821193">Unsubscribe</a>.<br>
</font>
</center>
<span style="color:#888;font-size:11px;font-family:verdana;;text-align:center;margin->click <a href="https://link.mail.beehiiv.com/ss/c/hinvcS3xmC95wU2e0w8RGix40nDRqndzE90G8Bt2LKPOI2ea7DcGT1KXgcxjMhCnFX2ysN6Bb__SOlPDuRVjw8smf69RiYXgzvpEeAap4z5lg_bSDy9vNZwC8EDfMjwyfYSb-OkIkizAQvPXCEaAng/3w0/oE7NfGNvQ-iCs7eSYeY92Q/h8/phXMVgGwUYg_zQ84Dk-qB5pUNZsfM8WkM3WlK_D8Ifs#?act=oop&pid=288307_smd&uid=833&vid=553816&ofid=6767&lid=59788&cid=3821193">here</a> to remove yourself from our emails list</span>
0
0
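BruceW's point earlier in the thread, that tags and HTML encoding can keep a plain substring filter from finding a phrase, shown as an added example that is not part of the original thread and is not Comcast's filter logic: it reduces an HTML body to the text a reader actually sees before matching. `PAGE_LINE` is an excerpt of the email posted above; the other samples are constructed, and all function names are hypothetical.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Characters that render as nothing (zero-width spaces/joiners, soft hyphen).
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"))

class TextExtractor(HTMLParser):
    """Collects the text a mail client would display; skips <style>/<script>."""
    SKIP = {"style", "script"}

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &nbsp; etc. arrive decoded
        self.parts, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(data)

def visible_text(body_html):
    parser = TextExtractor()
    parser.feed(body_html)
    parser.close()
    text = unicodedata.normalize("NFKC", "".join(parser.parts))  # nbsp -> space
    text = text.translate(INVISIBLE)
    return re.sub(r"\s+", " ", text).strip().lower()

def body_contains(body_html, phrase):
    return " ".join(phrase.lower().split()) in visible_text(body_html)

# Excerpt of a line from the email posted in this thread.
PAGE_LINE = ('<strong><span style="color:#e74c3c">(26) </span>'
             'suspicious security threats are detected on </strong>')
# Constructed variants: the phrase displays the same but is not contiguous in the raw source.
CONSTRUCTED = [
    "<b>suspicious</b> <i>security</i> threats",
    "suspicious&nbsp;security threats",
    "suspi\u200bcious secu<span></span>rity threats",
]
# Constructed: phrase exists only inside a stylesheet, so it is never displayed.
STYLE_ONLY = '<style>.x{content:"suspicious security"}</style><p>hello</p>'
```

In the posted email the phrase is contiguous in the raw source as well, so a raw "contains" match and the normalized match agree on it; they differ only on the constructed variants.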
BruceW
Gold Problem Solver
•
26.3K Messages
2 years ago
A simple "Content Contains suspicious security" filter catches that one too.
I wouldn't use "reject with reason" for mail from a suspected spammer, because it lets the spammer know that your email address is active. And spammers don't much care if their mail is rejected. They just add 1 to the million or so that they were planning to send next anyway.
When you say "I have tried the following filter rule but it is not working", what does "not working" mean exactly? What happens? What fails to happen? What do you want to happen?
0
0
user_k5n7qd
7 Messages
2 years ago
By not working, what I am saying is the email is not getting rejected and still shows up in my Inbox. I also tried having it moved to the SPAM folder and that does not happen either.
I am using reject to get the spammers to burn through their hacked email servers. When I reject based on information in the header the spammers end up switching to a different server the next day. When I do not reject they continue to send from the same hacked email server. This approach has worked for me in the past with a different spam campaign.
The spammers with the current campaign have tried to reuse the same hacked email server by blanking out the Return-Path header entry. To combat that trick I now filter on the Return-Path, X-Relying-Domain, Received, and Reply-To entries in the header.
0
0
BruceW
Gold Problem Solver
•
26.3K Messages
2 years ago
OK then, it sounds like you know what you are doing and understand the risk. I don't know why the filters are failing for you. When I send your sample HTML to myself I get an email from postmaster(at)comcast.net stating "Your message to <me(at)comcast.net> was automatically rejected: SCAM". Not to be insulting, but is the filter Enabled? Maybe the rule Name is too long, or the Rule engine doesn't like the quotes in the name? Could a higher priority rule be grabbing the message? Just grasping at straws here . . .
(Of course, the (at) strings are actually @ symbols, but the Forum doesn't allow posting of email addresses, not even obviously fake ones, nor very public ones like "postmaster" and "abuse" addresses).
(edited)
0
0
user_k5n7qd
7 Messages
2 years ago
Yes, the filter rule is enabled. No offense taken. It was a legitimate question.
I have gone through and unchecked the "Process subsequent rules" check box on all of my filters in case a previous or subsequent rule is causing the issue. It has not been an issue in the past but Comcast may have changed the behavior. Since the current scammers take the weekend off I probably will not know until Monday if unchecking "Process subsequent rules" fixes the problem.
(edited)
0
user_k5n7qd
7 Messages
2 years ago
Just an update:
As expected there were no scam emails over the weekend. I got the usual 3 emails from them on Monday for which I added the hacked email servers to my reject list. For the past 4 days I have not gotten a scam email from them. I disabled my filters Thursday to see if I would get any scam emails on Friday and did not get any.
Either the scammers gave up or burned through all of their hacked email servers or Comcast xFinity finally added a filter to the system so individual customers, like me, do not have to add their own filters. I was up to 89 filters for the current scam.
0
0
BruceW
Gold Problem Solver
•
26.3K Messages
2 years ago
Are you sure? When I test using a filter with only the Reject action I never see the incoming message. Apparently Reject tells the servers not to accept the message at all, not to Spam, not to Trash, not even to Recovery. If I want to see the Rejected message in webmail I have to add a Keep action to the filter. (I also added a 'Flag mail with' action to add a distinctive color flag to the message so I could tell that it had been processed by the filter).
Perhaps I lack imagination. Do you have a way of tracking whether the filter Rejected an incoming message?
0
0
user_k5n7qd
7 Messages
2 years ago
I am sure. On Monday I verified my filters were working by sending myself from 3 different email servers the same scam content and they were getting rejected. I changed the filters to move the scam emails to folders and verified the updated filters did move the emails I resent to myself. No scam emails from other people were received or moved Tuesday, Wednesday, and Thursday. Thursday I disabled my filters and still did not receive any scam emails on Friday.
I know in my testing of my filters that I sent them from US based email servers. The scam emails that had been getting through the filters were coming from outside the US and had country codes such as .mx, .my, .bo, .za, and .tc. I am wondering if Comcast / xFinity was ignoring filters if the emails were coming from outside of the US.
0
0
BruceW
Gold Problem Solver
•
26.3K Messages
2 years ago
I knew I was overlooking something! Although I've done testing that way myself and often recommend that method to others for new filters or for old ones with significant changes, I utterly forgot about it here. But it's a pity Reject filters don't have something like counters for "rejected today/yesterday/this week/last week" or something like that, so we'd have some way of seeing how busy the filters have been without needing to see the junk they rejected.
I've never seen evidence of that. My guess is that if a message passes Comcast's system filters and they send it along to the Inbox, it would be processed by the filters. Although the key word in that sentence is "guess", I don't know this for sure.
Please keep us updated on your work with filters and spam suppression. Comcast's underwhelming documentation of the topic makes sharing experience with other users especially valuable.
(edited)
0
0