Need help with antivirus.exim filtering rule. How can I filter out chinese urls?

I would like to set up an antivirus.exim rule to simply look at the body copy and filter the email if it contains a china based URL, i.e. a url with .cn/

I have tried several versions of the following, but it still does not work:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

also

$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Okay, so here is an example of the complete script in /etc/antivirus.exim
---------------------
# Exim filter
if error_message then finish endif
if
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
save "/dev/null" 660
endif
---------------------

But after restarting exim, I just try to send a simple message with a URL like the following in the body copy, and the email is allowed to pass on through.

http://www.spamalot.cn

Any help would be greatly appreciated.
joetacAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NerdsOfTechTechnology ScientistCommented:
$message_body contains ".cn/"
0
joetacAuthor Commented:
Thanks NerdsOfTech, we considered this one, but I don't want it to be that simple. For one thing it would miss all the URLs that do not contain trailing slash. Then if we just used $message_body contains ".cn" it would inadvertantly block all the email messages that happened to contain those characters unassociated with any URL, e.g. "go to my .cnet address", etc.
0
NerdsOfTechTechnology ScientistCommented:
make \. optional suffix to TLD?
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

NerdsOfTechTechnology ScientistCommented:
before it would match:
   www.somesite.MatchIfThisIsHere.cn
but not
   www.virus.cn
because ./ was implied as being in front of an additional prefix to TLD (suh as with .co.uk; where .co is the prefix to TLD)


The new should match (hopefully):
www.virus.cn
0
joetacAuthor Commented:
thanks but it still does not work, currently trying:
$message_body: contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"

I know the basic exim filtering works because other rules such as the following work fine:
$message_body: contains "phentermine"

By the way, I have also tried:
$message_body: contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"
0
NerdsOfTechTechnology ScientistCommented:
try:

"http\:\/\/([0-9a-z]\.)?[^/\s]+\.cn\W"
0
NerdsOfTechTechnology ScientistCommented:
oops

try this instead:

"http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]?\.?+cn\W"
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.