How would I set up an antispam.exim filter to...

Discussion in 'E-mail Discussions' started by jols, Aug 14, 2007.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    How would I set up an antispam.exim filter to filter out any email with a Chinese (.cn) URL in the body copy?

    I have tried many variations on the following, but nothing seems to work:

    $message_body contains "http://[0-9a-z].[0-9a-z].cn"


    Thanks for anything. I have been working at this for a few days now.
     
  2. jerrybell

    jerrybell Well-Known Member

    Joined:
    Nov 27, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Wouldn't it have to look something like this:

    if $message_body matches "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    then
    fail text "The email contained a link to .cn"
    seen finish
    endif
     
    #2 jerrybell, Aug 14, 2007
    Last edited: Aug 14, 2007
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Awk! Thanks, but it still does not work, just tested this.

    Here's the filter:

    or $message_body contains "http://[0-9a-z]?\.[0-9a-z]+\.cn"


    Here's the spam that was not blocked, i.e. it contains:

    Hello,
    teein in 3some gagging on dlK nuide dare
    http://xfov.blahblahblah.cn/?w=sangwerzporinchpewtbier


    And yes, I do have the other text lines in the antispam.exim filter file so that other conditions work, such as or $message_body contains "extreme seex"

    Short sample:

    # Exim filter
    if error_message then finish endif
    if
    $message_headers contains "tpnet.pl"
    or $message_headers contains "t-dialin.net"


    etc etc etc............

    then
    save "/dev/null" 660
    endif


    -------------


    Any other ideas I could try to kill all email with a .cn address in it? I don't just want to go with:

    or $message_body contains ".cn"

    ... for fear of deleting legitimate email that may have a .cn in it somewhere, outside of a URL.
     
    #3 jols, Aug 14, 2007
    Last edited by a moderator: Aug 14, 2007
  4. jerrybell

    jerrybell Well-Known Member

    Joined:
    Nov 27, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    I had made an error when I first posted it. It looks like you got it before my update. Try what's there now.
     
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Dang! Nope, still does not work. Currently:

    or $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
     
  6. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Never used antispam.exim before, but sure looks like a regex statement, no?

    Code:
    $message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    
    Though I don't understand the question marks there...

    Says:

    match anything with

    http:// + any number or letter combo + a period (? = one, many or not at all) {repeats x 2} + .cn

    Or am I misreading?
     
  7. jerrybell

    jerrybell Well-Known Member

    Joined:
    Nov 27, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6

    You're basically there. The question mark means 0 or 1 instance of the pattern, so it's saying 0 or 1 periods ".". The period has to be escaped with a "\", since it has special meaning in regexes. The "*" means any number of instances, including zero of the preceding set.

    By the way, I tried this and it does actually work. I would just make sure that you're putting it in the right filter file.
     
  8. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Thanks, somewhere along the line I must have added the "matches many" to the question mark. And it explains a lot about why some of my regex statements in my custom spamassassin rules don't work at all times! :D

    Appreciate you setting me straight on it. So essentially commenting out the colon and slashes immediately after the http made the difference? Cool.
     
  9. jerrybell

    jerrybell Well-Known Member

    Joined:
    Nov 27, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    I think this:
    http\:\/\/ is an error - possibly something the forum software injected.

    It should look like this in the regex statement:
    http://

    without escaping the colon or the slashes.
     
  10. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Still no luck.

    I am using this in:
    /etc/antivirus.exim

    And I am sure that exim is including the above.

    Okay, so here is the complete script in antivirus.exim
    ---------------------
    # Exim filter
    if error_message then finish endif
    if
    $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    then
    save "/dev/null" 660
    endif
    ---------------------


    Then I am sending through email with a very simple .cn url in the body copy, e.g. something like www.tugga.cn (after the http prefix). And it goes right on through.

    The variations I have tried are as follows:

    $message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
    $message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

    Still no luck.

    Anyone else?
     
    #10 jols, Jul 4, 2009
    Last edited: Jul 4, 2009
  11. chrish.

    chrish. Member

    Joined:
    Jun 30, 2009
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    I've tried this, which seems to do the trick

    Code:
    http\:\/\/(ww[0-9w]\.)?[^/\s]+\.cn\W
    
    I escape more than is likely necessary; force of habit.

    Your results may vary. It's very narrowly targeted, with a mind to keeping false positives low.

    May also be worth looking at leveraging SURBL/URIBL and letting it do the grunt work here.
     
  12. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    #12 Kent Brockman, Jul 6, 2009
    Last edited: Jul 6, 2009
  13. chrish.

    chrish. Member

    Joined:
    Jun 30, 2009
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1

    seems to match all three of those :)

    mind you, it's off the cuff, so it may not be perfect

    Break it down though:

    Code:
    http\:\/\/
    //the usual stuff

    Code:
    (ww[0-9w]\.)?
    // snags www. or ww2. or ww3. (hmm, methinks I should add another dubya)

    Code:
    [^/\s]+
    //anything but a forward slash, or whitespace, one or more times

    Code:
    \.cn\W
    //.cn followed by non-word char


    The key part relevant to your query is the [^/\s]+

    Doesn't matter what garbage characters you throw at it. Unless it's whitespace or a forward slash, it is assumed to be part of the domain.

    of course that includes far more characters than are valid in domains, but we're merely concerned with snagging the .cn in a URL - resolution is unimportant for once!
     
  14. chrish.

    chrish. Member

    Joined:
    Jun 30, 2009
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    actually, my (ww[0-9]w\.)? is redundant and pointless

    Code:
    http\:\/\/[^/\s]+\.cn\W
    
    should suffice
    I don't know why I included it in the first place
     
  15. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Yep, and you also could erase the http part so you can trap plain text messages with domain names tricked like this:

    Hey, visit nudeogregirls.cn and see our weirdo crap.

    It may work if you reduce it at:

    Code:
    [^/\s]+\.cn\W
    What do you think?
     
  16. chrish.

    chrish. Member

    Joined:
    Jun 30, 2009
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    no idea, really you'd have to test it out and see if the false positives were at an acceptable level

    it would no doubt snag this variety - though I'd be keen to wrap it in something like \b or \s on the beginning, with the \W still at the end

    my aim is mainly limiting false positives

    if you take out the http, it would match:

    Code:
    http://legitimatedomain.com/out.php?referer=nudeogregirls.cn
    up to the individual user/admin to decide if they want to include that in the check
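To make the trade-offs between the patterns from posts #14, #15 and #16 concrete, here is an added Python example (not code from the thread, and not Exim's own code). It runs each pattern, exactly as posted, against the thread's own example strings plus two extra edge cases. The `PATTERNS` and `SAMPLES` names, the `re.IGNORECASE` flag and the `http_eol` variant are my additions; the sample bodies are constructed.

```python
import re

# The patterns as posted in the thread, in PCRE syntax. Python's re accepts the
# "\:" and "\/" escapes, which simply match ':' and '/'. re.IGNORECASE is my own
# choice here so that "HTTP://" is handled like "http://".
PATTERNS = {
    # post #14: require an http:// prefix, then anything up to '/' or whitespace
    "http":     re.compile(r"http\:\/\/[^/\s]+\.cn\W", re.IGNORECASE),
    # post #15: the same thing with the http:// prefix dropped
    "bare":     re.compile(r"[^/\s]+\.cn\W", re.IGNORECASE),
    # post #16: the prefix-less pattern with \b in front ...
    "wordb":    re.compile(r"\b[^/\s]+\.cn\W", re.IGNORECASE),
    # ... and with \s (or start of text) in front instead
    "spaced":   re.compile(r"(?:^|\s)[^/\s]+\.cn\W", re.IGNORECASE),
    # assumed variant (not from the thread): let the trailing \W also be end of text
    "http_eol": re.compile(r"http\:\/\/[^/\s]+\.cn(?:\W|$)", re.IGNORECASE),
}

# Constructed message bodies, not real mail. The first three echo the examples
# quoted in the thread; the last two are extra edge cases.
SAMPLES = {
    "spam_url":    "Hello,\nhttp://xfov.blahblahblah.cn/?w=sangwerzporinchpewtbier\n",
    "bare_domain": "Hey, visit nudeogregirls.cn and see our weirdo crap.\n",
    "referer":     "http://legitimatedomain.com/out.php?referer=nudeogregirls.cn\n",
    "legit":       "Please see the attached report.cnf and notes.cnv files.\n",
    "url_at_end":  "http://xfov.blahblahblah.cn",   # nothing follows .cn
}


def matching_patterns(body):
    """Names of the patterns that fire on this body, sorted for stable comparison."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(body))


def report():
    """Pattern hits for every sample body."""
    return {name: matching_patterns(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:12s} -> {hits if hits else '(no match)'}")
```

Three things fall out of the run. The `\b` idea from post #16 does not stop the referer false positive, because the boundary between `/` and `out` is a word boundary, so `wordb` still fires on that body; the `\s` form avoids it, but then misses the plain `http://` URL because the host is preceded by `//`, not whitespace, so the two patterns complement rather than replace each other. None of the posted patterns match `report.cnf`, which is the point of the trailing `\W`. And that same `\W` demands a character after `.cn`, so a URL that ends the text is missed unless the pattern also accepts end of text, as the `http_eol` variant does.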
     
  17. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Mind if I ask exactly how you tried that?

    Does not seem to work at all for me. Here's the complete antivirus.exim I am using, all other rules in this one work fine:

    # Exim filter
    # if error_message then finish endif
    if
    $message_headers contains "internetseer"
    or $header_reply-to contains "internetseer"
    or $message_headers contains "mailmarshal@bradygroup.com.au"
    or $message_headers contains "viagra"
    or $message_headers contains "tpnet.pl"
    or $message_headers contains "sssssssssssssss"
    or $message_body: contains "viagra"
    or $message_body: contains "phentermine"
    or $message_body: contains "http\:\/\/[^/\s]+\.cn\W"
    then
    save "/dev/null" 660
    endif
     
  18. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Indeed, this is the only rule that works for this, but it is of course way too general:

    or $message_body: contains ".cn"


    Perhaps the exim filter does not work with the syntax that you are using?
     
  19. chrish.

    chrish. Member

    Joined:
    Jun 30, 2009
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    hrmmm

    .cn in terms of regex would match

    blah.cn
    blahocn
    blah@cnblah.ws

    but .cn as a literal string would match only ".cn" found anywhere in the msg

    Out of sheer curiosity, just as a test, try backslash escaping the period, e.g.

    Code:
    \.cn
    Again, merely a test, I wouldn't expect you'd use this long-term. I'd be curious to see if it's simply regex non-functional on the whole.

    If regex is functional, the above would match blah.cn
    If regex is non-functional, the above would NOT match blah.cn, and would only match the literal string blah\.cn

    If indeed regex is non-functional, you wouldn't have yet noticed it, as none of your previous entries are regex, e.g.

    mailmarshal@bradygroup.com.au

    in regex would match that, but also mailmarshal@bradygroupHcomIau, as one example
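Post #19's experiment hinges on a distinction the Exim filter language makes: `contains` is a plain substring test, while `matches` is a regular-expression test. The Python below is an added example, not code from the thread or from Exim; it models those two tests and runs the thread's own strings through them (the post #5 pattern against the post #3 body, the `.cn` / `\.cn` probes from post #19, and the address example). `exim_condition`, `which_hit` and `thread_results` are my names, and the strings are constructed from the thread's examples.

```python
import re


def exim_condition(subject, keyword, text):
    """Model of the Exim filter string tests '<subject> contains <text>' and
    '<subject> matches <text>'. In the filter language 'contains' is a plain
    substring test and 'matches' is a regular-expression test; the lower-case
    keywords compare case-insensitively and the upper-case forms (CONTAINS,
    MATCHES) case-sensitively, which this model reproduces."""
    sensitive = keyword.isupper()
    op = keyword.lower()
    if op == "contains":
        if sensitive:
            return text in subject
        return text.lower() in subject.lower()
    if op == "matches":
        return re.search(text, subject, 0 if sensitive else re.IGNORECASE) is not None
    raise ValueError(f"unsupported filter keyword: {keyword!r}")


def which_hit(keyword, text, candidates):
    """The candidates for which '<candidate> <keyword> <text>' is true."""
    return [c for c in candidates if exim_condition(c, keyword, text)]


# Constructed strings echoing the thread's examples (posts #3, #5 and #19); not real mail.
SPAM_BODY = ("Hello,\nteein in 3some gagging on dlK nuide dare\n"
             "http://xfov.blahblahblah.cn/?w=sangwerzporinchpewtbier\n")
REGEX_FROM_POST_5 = r"http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
PROBES = ["blah.cn", "blahocn", "blah@cnblah.ws"]


def thread_results():
    """The comparisons the thread argues about, side by side."""
    return {
        # the post #5 pattern used with 'contains' looks for those literal characters
        "contains_regex_text": exim_condition(SPAM_BODY, "contains", REGEX_FROM_POST_5),
        # the same pattern used with 'matches' is interpreted as a regex
        "matches_regex": exim_condition(SPAM_BODY, "matches", REGEX_FROM_POST_5),
        # post #19: '.cn' as a substring vs. as a regex (unescaped dot = any character)
        "contains_dot_cn": which_hit("contains", ".cn", PROBES),
        "matches_dot_cn": which_hit("matches", ".cn", PROBES),
        "matches_escaped_cn": which_hit("matches", r"\.cn", PROBES),
        # post #19: an address is looser as a regex than as a substring
        "address_as_regex": exim_condition("mailmarshal@bradygroupHcomIau", "matches",
                                           "mailmarshal@bradygroup.com.au"),
        "address_as_substring": exim_condition("mailmarshal@bradygroupHcomIau", "contains",
                                               "mailmarshal@bradygroup.com.au"),
    }


if __name__ == "__main__":
    for name, value in thread_results().items():
        print(f"{name:22s} -> {value}")
```

The run shows the regex from post #5 does fit the post #3 URL, but only when it is evaluated as a regex; used after `contains` it is compared as a literal string and never fires. One further caveat when moving any of this into a real filter: by default Exim's `$message_body` exposes only the first `message_body_visible` bytes of the body (500) with newlines converted to spaces, so a link further down a long message is invisible to either test unless that option is raised.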
     