  1. #1
    Member
    Join Date
    Mar 2004
    Posts
    859

    Post How would I set up an antispam.exim filter to...

    How would I set up an antispam.exim filter to filter out any email with a Chinese (.cn) URL in the body copy?

    I have tried many variations on the following, but nothing seems to work:

    $message_body contains "http://[0-9a-z].[0-9a-z].cn"


    Thanks for anything. I have been working at this for a few days now.

  2. #2
    Member
    Join Date
    Nov 2006
    Posts
    80

    Default

    Wouldn't it have to look something like this:

    if $message_body matches "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    then
    fail text "The email contained a link to .cn"
    seen finish
    endif
    Last edited by jerrybell; 08-14-2007 at 06:31 PM.

  3. #3
    Member
    Join Date
    Mar 2004
    Posts
    859

    Default

    Awk! Thanks, but it still does not work, just tested this.

    Here's the filter:

    or $message_body contains "http://[0-9a-z]?\.[0-9a-z]+\.cn"


    Here's the spam that was not blocked, i.e. it contains:

    Hello,
    teein in 3some gagging on dlK nuide dare
    http://xfov.blahblahblah.cn/?w=sangwerzporinchpewtbier


    And yes, I do have the other text lines in the antispam.exim filter file so that other conditions work, such as or $message_body contains "extreme seex"

    Short sample:

    # Exim filter
    if error_message then finish endif
    if
    $message_headers contains "tpnet.pl"
    or $message_headers contains "t-dialin.net"


    etc etc etc............

    then
    save "/dev/null" 660
    endif


    -------------


    Any other ideas I could try to kill all email with a .cn address in it? I don't just want to go with:

    or $message_body contains ".cn"

    ... for fear of deleting legitimate email that may have a .cn in it somewhere, outside of a URL.
    Last edited by Infopro; 08-14-2007 at 08:41 PM.

  4. #4
    Member
    Join Date
    Nov 2006
    Posts
    80

    Default

    I had made an error when I first posted it. It looks like you got it before my update. Try what's there now.

  5. #5
    Member
    Join Date
    Mar 2004
    Posts
    859

    Default

    Dang! Nope, still does not work. Currently:

    or $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

  6. #6
    Member serversphere's Avatar
    Join Date
    Jan 2004
    Posts
    658

    Default

    Quote Originally Posted by jols View Post
    Dang! Nope, still does not work. Currently:

    or $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    Never used antispam.exim before, but sure looks like a regex statement, no?

    Code:
    $message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    Though I don't understand the question marks there...

    Says:

    match anything with

    http:// + any number or letter combo + a period (? = one, many or not at all) {repeats x 2} + .cn

    Or am I misreading?
    Darren Benfer | SS-Darren | AIM: serversphere
    www.serversphere.com
    Dedicated Server Solutions Have Come Full Circle

  7. #7
    Member
    Join Date
    Nov 2006
    Posts
    80

    Default

    Quote Originally Posted by serversphere View Post
    Never used antispam.exim before, but sure looks like a regex statement, no?

    Code:
    $message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    Though I don't understand the question marks there...

    Says:

    match anything with

    http:// + any number or letter combo + a period (? = one, many or not at all) {repeats x 2} + .cn

    Or am I misreading?

    You're basically there. The question mark means 0 or 1 instance of the pattern, so it's saying 0 or 1 periods ".". The period has to be escaped with a "\", since it has special meaning in regexes. The "*" means any number of instances, including zero of the preceding set.

    By the way, I tried this and it does actually work. I would just make sure that you're putting it in the right filter file.

  8. #8
    Member serversphere's Avatar
    Join Date
    Jan 2004
    Posts
    658

    Default

    Quote Originally Posted by jerrybell View Post
    The question mark means 0 or 1 instance of the pattern, so it's saying 0 or 1 periods ".".
    Thanks, somewhere along the line I must have added the "matches many" to the question mark. And it explains a lot about why some of my regex statements in my custom spamassassin rules don't work at all times!

    Appreciate you setting me straight on it. So essentially commenting out the colon and slashes immediately after the http made the difference? Cool.
    Darren Benfer | SS-Darren | AIM: serversphere
    www.serversphere.com
    Dedicated Server Solutions Have Come Full Circle

  9. #9
    Member
    Join Date
    Nov 2006
    Posts
    80

    Default

    I think this:
    http\:\/\/ is an error - possibly something the forum software injected.

    It should look like this in the regex statement:
    http://

    without escaping the colon or the slashes.

  10. #10
    Member
    Join Date
    Mar 2004
    Posts
    859

    Default

    Still no luck.

    I am using this in:
    /etc/antivirus.exim

    And I am sure that exim is including the above.

    Okay, so here is the complete script in antivirus.exim
    ---------------------
    # Exim filter
    if error_message then finish endif
    if
    $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    then
    save "/dev/null" 660
    endif
    ---------------------


    Then I am sending through email with a very simple .cn url in the body copy, e.g. something like www.tugga.cn (after the http prefix). And it goes right on through.

    The variations I have tried are as follows:

    $message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

    Still no luck.

    Anyone else?
    Last edited by jols; 07-04-2009 at 06:49 PM.

  11. #11
    Member cpanelchrish's Avatar
    Join Date
    Jun 2009
    Posts
    24

    Default

    I've tried this, which seems to do the trick

    Code:
    http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W
    I escape more than is likely necessary, force of habit.

    Your results may vary. It's very narrowly targeted, with a mind to keeping false positives low.

    May also be worth looking at leveraging SURBL/URIBL and letting it do the grunt work here.

  12. #12
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    942
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by cpanelchrish View Post
    I've tried this, which seems to do the trick

    Code:
    http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W
    Hi, that regex will fire only if the URL is something like http://www.anycrapwithlettersonly.cn what about scenarios where it may bring things such as http://www.84575643523243.cn or http://kfguhgigttgi.cn or http://328584751211.cn, or am I still asleep?
    Last edited by Kent Brockman; 07-06-2009 at 10:43 AM.

  13. #13
    Member cpanelchrish's Avatar
    Join Date
    Jun 2009
    Posts
    24

    Default

    Quote Originally Posted by Kent Brockman View Post
    Hi, that regex will fire only if the URL is something like http://www.anycrapwithlettersonly.cn what about scenarios where it may bring things such as http://www.84575643523243.cn or http://kfguhgigttgi.cn or http://328584751211.cn, or am I still asleep?

    seems to match all three of those

    mind you, it's off the cuff, so it may not be perfect

    Break it down though:

    Code:
    http\:\/\/
    //the usual stuff

    Code:
    (ww[0-9w]\.)?
    // snags www. or ww2. or ww3. (hmm, methinks i should add another dubya)

    Code:
    [^/\s]+
    //anything but a forward slash, or whitespace, one or more times

    Code:
    \.cn\W
    //.cn followed by non-word char


    The key part relevant to your query is the [^/\s]+

    doesn't matter what garbage characters you throw at it. unless it's whitespace, or a forward slash, it is assumed to be part of the domain

    of course that includes far more characters than are valid in domains, but we're merely concerned with snagging the .cn in a URL - resolution is unimportant for once!

  14. #14
    Member cpanelchrish's Avatar
    Join Date
    Jun 2009
    Posts
    24

    Default

    actually, my (ww[0-9]w\.)? is redundant and pointless

    Code:
    http\:\/\/[^/\s]+\.cn\W
    should suffice
    I don't know why I included it in the first place

  15. #15
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    942
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Yep, and you also could erase the http part so you can trap plain text messages with domain names tricked like this:

    Hey, visit nudeogregirls.cn and see our weirdo crap.

    It may work if you reduce it at:

    Code:
    [^/\s]+\.cn\W
    What do you think?
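
Added example (not part of any post in this thread): the script below runs the `contains` line from the filter in post #10 and the patterns from posts #10, #14 and #15 over sample message bodies, to show why the `contains` version never fires and where the regexes over- or under-match. It assumes Python's `re` as a stand-in for Exim's PCRE and models the lower-case `contains`/`matches` conditions as case-insensitive; the sample bodies are constructed around the URLs quoted in the thread, and `TIGHT` is a hypothetical tightened pattern, not one proposed by any poster.

```python
import re

# Patterns exactly as posted in the thread (posts #10, #14, #15).
POSTED = {
    "post10": r"http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn",
    "post14": r"http\:\/\/[^/\s]+\.cn\W",
    "post15": r"[^/\s]+\.cn\W",
}
# Hypothetical tightening (not from the thread): .cn must be the last
# host label, and the URL may sit at the very end of the body.
TIGHT = r"https?://[^/\s]+\.cn(?!\.?[\w-])"

def contains(body, text):
    """Exim `contains`: case-insensitive literal substring test, no regex."""
    return text.lower() in body.lower()

def matches(body, pattern):
    """Exim `matches`: case-insensitive regex search (Python re standing in for PCRE)."""
    return re.search(pattern, body, re.IGNORECASE) is not None

# Constructed sample bodies; the first four .cn names are quoted in the thread.
SAMPLES = {
    "spam_post3": "Hello, http://xfov.blahblahblah.cn/?w=sangwerzporinchpewtbier",
    "digits": "see http://www.84575643523243.cn now",
    "url_at_end": "visit http://kfguhgigttgi.cn",         # nothing follows .cn
    "plain_text": "Hey, visit nudeogregirls.cn and see",  # no http:// prefix
    "cn_label_inside": "docs at http://www.cn.example.com/start",  # not a .cn host
    "mail_address": "reply to sales@example.cn today",    # address, not a URL
}

def evaluate():
    """Return {sample: {test: bool}} for every sample body."""
    table = {}
    for name, body in SAMPLES.items():
        row = {"contains_post10": contains(body, POSTED["post10"])}
        for label, pattern in POSTED.items():
            row["matches_" + label] = matches(body, pattern)
        row["matches_tight"] = matches(body, TIGHT)
        table[name] = row
    return table

if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:16}", " ".join(f"{k}={int(v)}" for k, v in row.items()))
```

The `contains_post10` column is false for every body because the pattern text is compared literally, and the trailing `\W` in the post #14 and #15 patterns needs one more character after `.cn`, so a URL that ends the body is missed.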
