  1. #16
    Member cpanelchrish's Avatar
    Join Date
    Jun 2009
    Posts
    24

    no idea, really you'd have to test it out and see if the false positives were at an acceptable level

    it would no doubt snag this variety - though I'd be keen to wrap it in something like \b or \s on the beginning, with the \W still at the end

    my aim is mainly limiting false positives

    if you take out the http, it would match:

    Code:
    http://legitimatedomain.com/out.php?referer=nudeogregirls.cn
    up to the individual user/admin to decide if they want to include that in the check

  2. #17
    Member
    Join Date
    Mar 2004
    Posts
    815

    Quote: Originally Posted by cpanelchrish
    I've tried this, which seems to do the trick

    Code:
    http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W
    I escape more than is likely necessary, force of habit.

    your results may vary. it's very narrowly targeted, with a mind of keeping false positives low.

    May also be worth looking at leveraging SURBL/URIBL and letting it do the grunt work here.
    Mind if I ask exactly how you tried that?

    Does not seem to work at all for me. Here's the complete antivirus.exim I am using, all other rules in this one work fine:

    # Exim filter
    # if error_message then finish endif
    if
    $message_headers contains "internetseer"
    or $header_reply-to contains "internetseer"
    or $message_headers contains "mailmarshal@bradygroup.com.au"
    or $message_headers contains "viagra"
    or $message_headers contains "tpnet.pl"
    or $message_headers contains "sssssssssssssss"
    or $message_body: contains "viagra"
    or $message_body: contains "phentermine"
    or $message_body: contains "http\:\/\/[^/\s]+\.cn\W"
    then
    save "/dev/null" 660
    endif

  3. #18
    Member
    Join Date
    Mar 2004
    Posts
    815

    Indeed, this is the only rule that works for this, but it is of course way too general:

    or $message_body: contains ".cn"


    Perhaps the exim filter does not work with the syntax that you are using?

  4. #19
    Member cpanelchrish's Avatar
    Join Date
    Jun 2009
    Posts
    24

    hrmmm

    .cn in terms of regex would match

    blah.cn
    blahocn
    blah@cnblah.ws

    but .cn as a literal string would match only ".cn" found anywhere in the msg

    Out of sheer curiosity, just as a test, try backslash escaping the period, e.g.

    Code:
    \.cn
    Again, merely a test, I wouldn't expect you'd use this long-term. I'd be curious to see if it's simply regex non-functional on the whole.

    If regex is functional, the above would match blah.cn
    If regex is non-functional, the above would NOT match blah.cn, and would only match the literal string blah\.cn

    If indeed regex is non-functional, you wouldn't have yet noticed it, as none of your previous entries are regex, e.g.

    mailmarshal@bradygroup.com.au

    in regex would match that, but also mailmarshal@bradygroupHcomIau, as one example
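
The literal-versus-regex question raised in posts #17 to #19, as an added example that is not part of the original thread: in Exim filter files `contains` is a plain substring test and `matches` is the regular-expression test, so the sketch below runs the thread's patterns both ways over sample lines. Assumptions: Python's `re` stands in for Exim's PCRE, Exim's own string quoting is ignored, and the `SAMPLES` lines, the `NO_HTTP` pattern and the helper names are constructed for illustration.

```python
import re

# Constructed sample body lines (not real mail traffic).
SAMPLES = {
    "spam_link": "buy now http://www.nudeogregirls.cn/ today\n",
    "referer":   "http://legitimatedomain.com/out.php?referer=nudeogregirls.cn\n",
    "no_dot":    "blahocn and blah@cnblah.ws\n",
    "at_end":    "see http://example.cn",  # nothing after ".cn" for \W to consume
}

# Patterns discussed in the thread.
NARROW = r"http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W"
NO_HTTP = r"(ww[0-9w]\.)?[^/\s]+\.cn\W"  # assumed form of NARROW without "http://"
BARE = ".cn"
ESCAPED = r"\.cn"


def contains(body, needle):
    """Substring test: the needle is taken literally, backslashes and all."""
    return needle in body


def matches(body, pattern):
    """Regular-expression test, unanchored like a body scan."""
    return re.search(pattern, body) is not None


def hits(test, pattern):
    """Names of the sample lines flagged by a given test and pattern."""
    return sorted(name for name, body in SAMPLES.items() if test(body, pattern))


if __name__ == "__main__":
    cases = [
        ("contains NARROW", contains, NARROW),   # regex text used as a literal
        ("matches  NARROW", matches, NARROW),    # narrow rule as a regex
        ("matches  NO_HTTP", matches, NO_HTTP),  # also flags the referer link
        ("contains BARE", contains, BARE),       # literal ".cn"
        ("matches  BARE", matches, BARE),        # "." is a wildcard: blahocn
        ("contains ESCAPED", contains, ESCAPED), # literal "\.cn" is never present
        ("matches  ESCAPED", matches, ESCAPED),  # same hits as literal ".cn"
    ]
    for label, test, pattern in cases:
        print(f"{label:18} -> {hits(test, pattern)}")
```
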
