  #1 (permalink)  
Old 08-14-2007, 06:25 PM
Registered User
 
Join Date: Mar 2004
Posts: 625
jols is on a distinguished road
How would I set up an antispam.exim filter to...

How would I set up an antispam.exim filter to filter out any email with a Chinese (.cn) URL in the body copy?

I have tried many variations on the following, but nothing seems to work:

$message_body contains "http://[0-9a-z].[0-9a-z].cn"


Thanks for anything. I have been working at this for a few days now.
  #2 (permalink)  
Old 08-14-2007, 06:41 PM
Registered User
 
Join Date: Nov 2006
Posts: 59
jerrybell is on a distinguished road
Wouldn't it have to look something like this:

if $message_body matches "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
fail text "The email contained a link to .cn"
seen finish
endif

Last edited by jerrybell; 08-14-2007 at 07:31 PM.
  #3 (permalink)  
Old 08-14-2007, 08:01 PM
Registered User
 
Join Date: Mar 2004
Posts: 625
jols is on a distinguished road
Awk! Thanks, but it still does not work, just tested this.

Here's the filter:

or $message_body contains "http://[0-9a-z]?\.[0-9a-z]+\.cn"


Here's the spam that was not blocked, i.e. it contains:

Hello,
teein in 3some gagging on dlK nuide dare
http://xfov.blahblahblah.cn/?w=sangwerzporinchpewtbier


And yes, I do have the other text lines in the antispam.exim filter file so that other conditions work, such as or $message_body contains "extreme seex"

Short sample:

# Exim filter
if error_message then finish endif
if
$message_headers contains "tpnet.pl"
or $message_headers contains "t-dialin.net"


etc etc etc............

then
save "/dev/null" 660
endif


-------------


Any other ideas I could try to kill all email with a .cn address in it? I don't just want to go with:

or $message_body contains ".cn"

... for fear of deleting legitimate email that may have a .cn in it somewhere, outside of a URL.

Last edited by Infopro; 08-14-2007 at 09:41 PM.
  #4 (permalink)  
Old 08-14-2007, 08:19 PM
Registered User
 
Join Date: Nov 2006
Posts: 59
jerrybell is on a distinguished road
I had made an error when I first posted it. It looks like you got it before my update. Try what's there now.
  #5 (permalink)  
Old 08-14-2007, 09:36 PM
Registered User
 
Join Date: Mar 2004
Posts: 625
jols is on a distinguished road
Dang! Nope, still does not work. Currently:

or $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
  #6 (permalink)  
Old 08-14-2007, 11:08 PM
Registered User
 
Join Date: Jan 2004
Posts: 651
serversphere is on a distinguished road
Quote:
Originally Posted by jols
Dang! Nope, still does not work. Currently:

or $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Never used antispam.exim before, but sure looks like a regex statement, no?

Code:
$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
Though I don't understand the question marks there...

Says:

match anything with

http:// + any number or letter combo + a period (? = one, many or not at all) {repeats x 2} + .cn

Or am I misreading?
__________________
Darren Benfer | SS-Darren | AIM: serversphere
www.serversphere.com
Dedicated Server Solutions Have Come Full Circle
  #7 (permalink)  
Old 08-15-2007, 06:07 AM
Registered User
 
Join Date: Nov 2006
Posts: 59
jerrybell is on a distinguished road
Quote:
Originally Posted by serversphere
Never used antispam.exim before, but sure looks like a regex statement, no?

Code:
$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
Though I don't understand the question marks there...

Says:

match anything with

http:// + any number or letter combo + a period (? = one, many or not at all) {repeats x 2} + .cn

Or am I misreading?

You're basically there. The question mark means 0 or 1 instance of the pattern, so it's saying 0 or 1 periods ".". The period has to be escaped with a "\", since it has special meaning in regexes. The "*" means any number of instances, including zero of the preceding set.

By the way, I tried this and it does actually work. I would just make sure that you're putting it in the right filter file.
  #8 (permalink)  
Old 08-15-2007, 07:28 AM
Registered User
 
Join Date: Jan 2004
Posts: 651
serversphere is on a distinguished road
Quote:
Originally Posted by jerrybell
The question mark means 0 or 1 instance of the pattern, so it's saying 0 or 1 periods ".".

Thanks, somewhere along the line I must have added the "matches many" to the question mark. And it explains a lot about why some of my regex statements in my custom spamassassin rules don't work at all times!

Appreciate you setting me straight on it. So essentially commenting out the colon and slashes immediately after the http made the difference? Cool.
__________________
Darren Benfer | SS-Darren | AIM: serversphere
www.serversphere.com
Dedicated Server Solutions Have Come Full Circle
  #9 (permalink)  
Old 08-15-2007, 02:16 PM
Registered User
 
Join Date: Nov 2006
Posts: 59
jerrybell is on a distinguished road
I think this:
http\:\/\/ is an error - possibly something the forum software injected.

It should look like this in the regex statement:
http://

without escaping the colon or the slashes.
  #10 (permalink)  
Old 07-04-2009, 07:37 PM
Registered User
 
Join Date: Mar 2004
Posts: 625
jols is on a distinguished road
Still no luck.

I am using this in:
/etc/antivirus.exim

And I am sure that exim is including the above.

Okay, so here is the complete script in antivirus.exim
---------------------
# Exim filter
if error_message then finish endif
if
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
save "/dev/null" 660
endif
---------------------


Then I am sending through email with a very simple .cn url in the body copy, e.g. something like www.tugga.cn (after the http prefix). And it goes right on through.

The variations I have tried are as follows:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Still no luck.

Anyone else?

Last edited by jols; 07-04-2009 at 07:49 PM.
  #11 (permalink)  
Old 07-06-2009, 10:24 AM
Registered User
 
Join Date: Jun 2009
Posts: 24
cpanelchrish is on a distinguished road
I've tried this, which seems to do the trick

Code:
http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W
I escape more than likely necessary, force of habit.

your results may vary. it's very narrowly targeted, with a mind of keeping false positives low.

May also be worth looking at leveraging SURBL/URIBL and letting it do the grunt work here.
  #12 (permalink)  
Old 07-06-2009, 11:39 AM
Registered User
 
Join Date: Jan 2008
Location: behind the sun
Posts: 409
Kent Brockman is on a distinguished road
Quote:
Originally Posted by cpanelchrish
I've tried this, which seems to do the trick

Code:
http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W

Hi, that regex will fire only if the URL is something like http://www.anycrapwithlettersonly.cn what about scenarios where it may bring things such as http://www.84575643523243.cn or http://kfguhgigttgi.cn or http://328584751211.cn, or am I still asleep?
__________________
Content is king. Functionality is a gift. Usability is God.

Last edited by Kent Brockman; 07-06-2009 at 11:43 AM.
  #13 (permalink)  
Old 07-06-2009, 12:21 PM
Registered User
 
Join Date: Jun 2009
Posts: 24
cpanelchrish is on a distinguished road
Quote:
Originally Posted by Kent Brockman
Hi, that regex will fire only if the URL is something like http://www.anycrapwithlettersonly.cn what about scenarios where it may bring things such as http://www.84575643523243.cn or http://kfguhgigttgi.cn or http://328584751211.cn, or am I still asleep?

seems to match all three of those

mind you, it's off the cuff, so it may not be perfect

Break it down though:

Code:
http\:\/\/
//the usual stuff

Code:
(ww[0-9w]\.)?
// snags www. or ww2. or ww3. (hmm, methinks i should add another dubya)

Code:
[^/\s]+
//anything but a forward slash, or whitespace, one or more times

Code:
\.cn\W
//.cn followed by non-word char


The key part relevant to your query is the [^/\s]+

doesn't matter what garbage characters you throw at it. unless it's whitespace, or a forward slash, it is assumed to be part of the domain

of course that includes far more characters than are valid in domains, but we're merely concerned with snagging the .cn in a URL - resolution is unimportant for once!
  #14 (permalink)  
Old 07-06-2009, 12:32 PM
Registered User
 
Join Date: Jun 2009
Posts: 24
cpanelchrish is on a distinguished road
actually, my (ww[0-9]w\.)? is redundant and pointless

Code:
http\:\/\/[^/\s]+\.cn\W
should suffice
I don't know why I included it in the first place
  #15 (permalink)  
Old 07-06-2009, 12:48 PM
Registered User
 
Join Date: Jan 2008
Location: behind the sun
Posts: 409
Kent Brockman is on a distinguished road
Yep, and you also could erase the http part so you can trap plain text messages with domain names tricked like this:

Hey, visit nudeogregirls.cn and see our weirdo crap.

It may work if you reduce it to:

Code:
[^/\s]+\.cn\W
What do you think?
__________________
Content is king. Functionality is a gift. Usability is God.
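
Added example (not part of the thread or any poster's code): Exim's filter language treats `contains` as a plain substring test and `matches` as a regular-expression test, so the harness below runs the three regexes quoted in the thread through both, over constructed message bodies that reuse some hostnames from the posts. Python's `re` stands in for Exim's regex engine, and both tests are modelled as case-insensitive; those are assumptions of this sketch.

```python
import re

# Regexes quoted in the thread, as plain regex text (no Exim string quoting).
PATTERNS = {
    "jerrybell": r"http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn",
    "cpanelchrish": r"http\:\/\/[^/\s]+\.cn\W",
    "kent_no_scheme": r"[^/\s]+\.cn\W",
}

# Constructed message bodies for illustration; none is real mail.
SAMPLES = {
    "url_with_path": "Hello, http://xfov.blahblahblah.cn/?w=abc",
    "digits_host": "see http://328584751211.cn now",
    "url_at_end": "visit http://kfguhgigttgi.cn",
    "hyphen_host": "visit http://my-shop.example.cn/ today",
    "bare_domain": "Hey, visit example.cn and see",
    "email_address": "reply to li@partner.example.cn please",
    "not_cn_tld": "docs at http://www.cnc.example/ here",
}


def contains(body, needle):
    """Model of the filter's `contains`: case-insensitive substring test."""
    return needle.lower() in body.lower()


def matches(body, pattern):
    """Model of the filter's `matches`: case-insensitive regex search."""
    return re.search(pattern, body, re.IGNORECASE) is not None


def evaluate():
    """Return {pattern: {sample: (contains_hit, matches_hit)}}."""
    return {
        pname: {sname: (contains(body, pat), matches(body, pat))
                for sname, body in SAMPLES.items()}
        for pname, pat in PATTERNS.items()
    }


if __name__ == "__main__":
    for pname, row in evaluate().items():
        print(pname)
        for sname, (c_hit, m_hit) in row.items():
            print(f"  {sname:14} contains={c_hit!s:5} matches={m_hit}")
```

The `contains` column is false everywhere because the regex text never appears literally in a body. The `matches` column shows the trade-offs: the first pattern misses hyphenated hosts and hits `.cnc`, while the `\W` suffix avoids that but misses a URL at the very end of the body and, without the `http://` prefix, also fires on e-mail addresses.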
All times are GMT -5.