How would I set up a antispam.exim filter to...
How would I set up a antispam.exim filter to out any email with a Chinese (.cn) URL in the body copy?
I have tried many variations on the following, but nothing seems to work:
$message_body contains "http://[0-9a-z].[0-9a-z].cn"
Thanks for anything. I have been working at this for a few days now.
Wouldn't it have to look something like this:
if $message_body matches "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
fail text "The email contained a link to .cn"
seen finish
endif
Last edited by jerrybell; 08-14-2007 at 06:31 PM.
Awk! Thanks, but it still does not work, just tested this.
Here's the filter:
or $message_body contains "http://[0-9a-z]?\.[0-9a-z]+\.cn"
Here's the spam that was not blocked, i.e. it contains:
Hello,
teein in 3some gagging on dlK nuide dare
http://xfov.blahblahblah.cn/?w=sangwerzporinchpewtbier
And yes, I do have the other text lines in the antispam.exim filter file so that other conditions work, such as or $message_body contains "extreme seex"
Short sample:
# Exim filter
if error_message then finish endif
if
$message_headers contains "tpnet.pl"
or $message_headers contains "t-dialin.net"
etc etc etc............
then
save "/dev/null" 660
endif
-------------
Any other ideas I could try to kill all email with a .cn address in it? I don't just want to go with:
or $message_body contains ".cn"
... for fear of deleting legitimate email that may have a .cn in it somewhere, ourside of a URL.
Last edited by Infopro; 08-14-2007 at 08:41 PM.
I had made an error when I first posted it. It looks like you got it before my update. Try what's there now.
Dang! Nop, still does not work. Currently:
or $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
Never used antispam.exim before, but sure looks like a regex statement, no?Originally Posted by jols
Though I don't understand the question marks there...Code:$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
Says:
match anything with
http:// + any number or letter combo + a period (? = one, many or not at all) {repeats x 2} + .cn
Or am I misreading?
Darren Benfer | SS-Darren | AIM: serversphere
www.serversphere.com
Dedicated Server Solutions Have Come Full Circle
You're basically there. The question mark means 0 or 1 instance of the pattern, so it's saying 0 or 1 periods ".". The period has to be escaped with a "\", since it has special meaning in regexes. The "*" means any number of instances, including zero of the preceding set.
By the way, I tried this and it does actually work. I would just make sure that you're putting it in the right filter file.
Thanks, somewhere along the line I must have added the "matches many" to the question mark. And it explains alot about why some of my regex statements in my custom spamassassin rules don't work at all times!
Appreciate you setting me straight on it. So essentially commenting out the colon and slashes immediately after the http made the difference? Cool.
Darren Benfer | SS-Darren | AIM: serversphere
www.serversphere.com
Dedicated Server Solutions Have Come Full Circle
I think this:
http\:\/\/ is an error - possibly something the forum software injected.
It should look like this in the regex statement:
http://
without escaping the colon or the slashes.
Still no luck.
I am using this in:
/etc/antivirus.exim
And I am sure that exim is including the above.
Okay, so here is the complete script in antivirus.exim
---------------------
# Exim filter
if error_message then finish endif
if
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
save "/dev/null" 660
endif
---------------------
Then I am sending through email with a very simple .cn url in the body copy, e.g. something like www.tugga.cn (after the http prefix). And ot goes right on though.
The variations I have tried are as follows:
$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
Still no luck.
Anyone else?
Last edited by jols; 07-04-2009 at 06:49 PM.
I've tried this, which seems to do the trick
I escape more than likely necessary, force of habit.Code:http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W
your results may vary. it's very narrowly targeted, with a mind of keeping false positives low.
May also be worth looking at leveraging SURBL/URIBL and letting it do the grunt work here.
Hi, that regex will fire only if the URL is something like http://www.anycrapwithlettersonly.cn what about scenarios where it may bring things such as http://www.84575643523243.cn or http://kfguhgigttgi.cn or http://328584751211.cn, or am I still asleep?
Last edited by Kent Brockman; 07-06-2009 at 10:43 AM.
Hi, that regex will fire only if the URL is something like http://www.anycrapwithlettersonly.cn what about scenarios where it may bring things such as http://www.84575643523243.cn or http://kfguhgigttgi.cn or http://328584751211.cn, or am I still asleep?
seems to match all three of those
mind you, it's off the cuff, so it may not be perfect
Break it down though:
//the usual stuffCode:http\:\/\/
// snags www. or ww2. or ww3. (hmm, methinks i should add another dubya)Code:(ww[0-9w]\.)?
//anything but a forward slash, or whitespace, one or more timesCode:[^/\s]+
//.cn followed by non-word charCode:\.cn\W
The key part relevant to your query is the [^/\s]+
doesnt matter what garbage characters you throw at it. unless it's whitespace, or a forward slash, it is assumed to be part of the domain
of course that includes far more characters than are valid in domains, but we're merely concerned with snagging the .cn in a URL - resolution is unimportant for once!
actually, my (ww[0-9]w\.)? is redundant and pointless
should sufficeCode:http\:\/\/[^/\s]+\.cn\W
I don't know why I included it in the first place
Yep, and you also could erase the http part so you can trap plain text messages with domain names tricked like this:
Hey, visit nudeogregirls.cn and see our weirdo crap.
It may work if you reduce it at:
What do you think?Code:[^/\s]+\.cn\W
LinkBack URL
About LinkBacks
Reply With Quote