How would I set up a antispam.exim filter to...

Wouldn't it have to look something like this:

if $message_body matches "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
fail text "The email contained a link to .cn"
seen finish
endif

 

I had made an error when I first posted it. It looks like you got it before my update. Try what's there now.

 

Never used antispam.exim before, but sure looks like a regex statement, no?

Code:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Though I don't understand the question marks there...

Says:

match anything with

http:// + any number or letter combo + a period (? = one, many or not at all) {repeats x 2} + .cn

Or am I misreading?

 

You're basically there. The question mark means 0 or 1 instance of the pattern, so it's saying 0 or 1 periods ".". The period has to be escaped with a "\", since it has special meaning in regexes. The "*" means any number of instances, including zero of the preceding set.

By the way, I tried this and it does actually work. I would just make sure that you're putting it in the right filter file.

 

Thanks, somewhere along the line I must have added the "matches many" to the question mark. And it explains alot about why some of my regex statements in my custom spamassassin rules don't work at all times! :D

Appreciate you setting me straight on it. So essentially commenting out the colon and slashes immediately after the http made the difference? Cool.

 

I think this:
http\:\/\/ is an error - possibly something the forum software injected.

It should look like this in the regex statement:
http://

without escaping the colon or the slashes.

 

I've tried this, which seems to do the trick

Code:

http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W

I escape more than likely necessary, force of habit.

your results may vary. it's very narrowly targeted, with a mind of keeping false positives low.

May also be worth looking at leveraging SURBL/URIBL and letting it do the grunt work here.

 

Hi, that regex will fire only if the URL is something like http://www.anycrapwithlettersonly.cn what about scenarios where it may bring things such as http://www.84575643523243.cn or http://kfguhgigttgi.cn or http://328584751211.cn, or am I still asleep?

 

seems to match all three of those

mind you, it's off the cuff, so it may not be perfect

Break it down though:

Code:

http\:\/\/

//the usual stuff

Code:

(ww[0-9w]\.)?

// snags www. or ww2. or ww3. (hmm, methinks i should add another dubya)

Code:

[^/\s]+

//anything but a forward slash, or whitespace, one or more times

Code:

\.cn\W

//.cn followed by non-word char


The key part relevant to your query is the [^/\s]+

doesnt matter what garbage characters you throw at it. unless it's whitespace, or a forward slash, it is assumed to be part of the domain

of course that includes far more characters than are valid in domains, but we're merely concerned with snagging the .cn in a URL - resolution is unimportant for once!

 

actually, my (ww[0-9]w\.)? is redundant and pointless

Code:

http\:\/\/[^/\s]+\.cn\W

should suffice
I don't know why I included it in the first place

 

Yep, and you also could erase the http part so you can trap plain text messages with domain names tricked like this:

Hey, visit nudeogregirls.cn and see our weirdo crap.

It may work if you reduce it at:

Code:

[^/\s]+\.cn\W

What do you think?

 

no idea, really you'd have to test it out and see if the false positives were at an acceptable level

it would no doubt snag this variety - though I'd be keen to wrap it in something like \b or \s on the begginning, with the \W still at the end

my aim is mainly limiting false positives

if you take out the http, it would match:

Code:

http://legitimatedomain.com/out.php?referer=nudeogregirls.cn

up to the individual user/admin to decide if they want to include that in the check

 

hrmmm

.cn in terms of regex would match

blah.cn
blahocn
blah@cnblah.ws

but .cn as a literal string would match only ".cn" found anywhere in the msg

Out of sheer curiosity, just as a test, try backslash escaping the period, e.g.

Code:

\.cn

Again, merely a test, I wouldnt expect you'd use this long-term. I'd be curious to see if it's simply regex non-functional on the whole.

If regex is functional, the above would match blah.cn
If regex is non-functional, the above would NOT match blah.cn, and would only match the literal string blah\.cn

If indeed regex is non-functional, you wouldn't have yet noticed it, as none of your previous entries are regex, e.g.

mailmarshal@bradygroup.com.au

in regex would match that, but also mailmarshal@bradygroupHcomIau, as one example