How would I set up a antispam.exim filter to...

[jols]

How would I set up a antispam.exim filter to out any email with a Chinese (.cn) URL in the body copy?

I have tried many variations on the following, but nothing seems to work:

$message_body contains "http://[0-9a-z].[0-9a-z].cn"


Thanks for anything. I have been working at this for a few days now.

[jerrybell]

Wouldn't it have to look something like this:

if $message_body matches "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
fail text "The email contained a link to .cn"
seen finish
endif

[jols]

Awk! Thanks, but it still does not work, just tested this.

Here's the filter:

or $message_body contains "http://[0-9a-z]?\.[0-9a-z]+\.cn"


Here's the spam that was not blocked, i.e. it contains:

Hello,
teein in 3some gagging on dlK nuide dare
http://xfov.blahblahblah.cn/?w=sangwerzporinchpewtbier


And yes, I do have the other text lines in the antispam.exim filter file so that other conditions work, such as or $message_body contains "extreme seex"

Short sample:

# Exim filter
if error_message then finish endif
if
$message_headers contains "tpnet.pl"
or $message_headers contains "t-dialin.net"


etc etc etc............

then
save "/dev/null" 660
endif


-------------


Any other ideas I could try to kill all email with a .cn address in it? I don't just want to go with:

or $message_body contains ".cn"

... for fear of deleting legitimate email that may have a .cn in it somewhere, ourside of a URL.

[jerrybell]

I had made an error when I first posted it. It looks like you got it before my update. Try what's there now.

[jols]

Dang! Nop, still does not work. Currently:

or $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

[serversphere]

Quote:

Originally Posted by jols

Dang! Nop, still does not work. Currently:

or $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Never used antispam.exim before, but sure looks like a regex statement, no?

Code:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Though I don't understand the question marks there...

Says:

match anything with

http:// + any number or letter combo + a period (? = one, many or not at all) {repeats x 2} + .cn

Or am I misreading?

[jerrybell]

Quote:

Originally Posted by serversphere

Never used antispam.exim before, but sure looks like a regex statement, no?

Code:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Though I don't understand the question marks there...

Says:

match anything with

http:// + any number or letter combo + a period (? = one, many or not at all) {repeats x 2} + .cn

Or am I misreading?

You're basically there. The question mark means 0 or 1 instance of the pattern, so it's saying 0 or 1 periods ".". The period has to be escaped with a "\", since it has special meaning in regexes. The "*" means any number of instances, including zero of the preceding set.

By the way, I tried this and it does actually work. I would just make sure that you're putting it in the right filter file.

[serversphere]

Quote:

Originally Posted by jerrybell

The question mark means 0 or 1 instance of the pattern, so it's saying 0 or 1 periods ".".

Thanks, somewhere along the line I must have added the "matches many" to the question mark. And it explains alot about why some of my regex statements in my custom spamassassin rules don't work at all times!

Appreciate you setting me straight on it. So essentially commenting out the colon and slashes immediately after the http made the difference? Cool.

[jerrybell]

I think this:
http\:\/\/ is an error - possibly something the forum software injected.

It should look like this in the regex statement:
http://

without escaping the colon or the slashes.

[jols]

Still no luck.

I am using this in:
/etc/antivirus.exim

And I am sure that exim is including the above.

Okay, so here is the complete script in antivirus.exim
---------------------
# Exim filter
if error_message then finish endif
if
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
save "/dev/null" 660
endif
---------------------


Then I am sending through email with a very simple .cn url in the body copy, e.g. something like www.tugga.cn (after the http prefix). And ot goes right on though.

The variations I have tried are as follows:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Still no luck.

Anyone else?

[cpanelchrish]

I've tried this, which seems to do the trick

Code:

http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W

I escape more than likely necessary, force of habit.

your results may vary. it's very narrowly targeted, with a mind of keeping false positives low.

May also be worth looking at leveraging SURBL/URIBL and letting it do the grunt work here.

[Kent Brockman]

Quote:

Originally Posted by cpanelchrish

I've tried this, which seems to do the trick

Code:

http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W

Hi, that regex will fire only if the URL is something like http://www.anycrapwithlettersonly.cn what about scenarios where it may bring things such as http://www.84575643523243.cn or http://kfguhgigttgi.cn or http://328584751211.cn, or am I still asleep?

[cpanelchrish]

Quote:

Originally Posted by Kent Brockman

Hi, that regex will fire only if the URL is something like http://www.anycrapwithlettersonly.cn what about scenarios where it may bring things such as http://www.84575643523243.cn or http://kfguhgigttgi.cn or http://328584751211.cn, or am I still asleep?

seems to match all three of those

mind you, it's off the cuff, so it may not be perfect

Break it down though:

Code:

http\:\/\/

//the usual stuff

Code:

(ww[0-9w]\.)?

// snags www. or ww2. or ww3. (hmm, methinks i should add another dubya)

Code:

[^/\s]+

//anything but a forward slash, or whitespace, one or more times

Code:

\.cn\W

//.cn followed by non-word char


The key part relevant to your query is the [^/\s]+

doesnt matter what garbage characters you throw at it. unless it's whitespace, or a forward slash, it is assumed to be part of the domain

of course that includes far more characters than are valid in domains, but we're merely concerned with snagging the .cn in a URL - resolution is unimportant for once!

[cpanelchrish]

actually, my (ww[0-9]w\.)? is redundant and pointless

Code:

http\:\/\/[^/\s]+\.cn\W

should suffice
I don't know why I included it in the first place

[Kent Brockman]

Yep, and you also could erase the http part so you can trap plain text messages with domain names tricked like this:

Hey, visit nudeogregirls.cn and see our weirdo crap.

It may work if you reduce it at:

Code:

[^/\s]+\.cn\W

What do you think?