Solved

Need help with antivirus.exim filtering rule. How can I filter out chinese urls?

Posted on 2009-07-04
7
791 Views
Last Modified: 2013-11-22
I would like to set up an antivirus.exim rule to simply look at the body copy and filter the email if it contains a china based URL, i.e. a url with .cn/

I have tried several versions of the following, but it still does not work:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

also

$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Okay, so here is an example of the complete script in /etc/antivirus.exim
---------------------
# Exim filter
if error_message then finish endif
if
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
save "/dev/null" 660
endif
---------------------

But after restarting exim, I just try to send a simple message with a URL like the following in the body copy, and the email is allowed to pass on through.

http://www.spamalot.cn

Any help would be greatly appreciated.
0
Comment
Question by:joetac
  • 5
  • 2
7 Comments
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24783043
$message_body contains ".cn/"
0
 

Author Comment

by:joetac
ID: 24783330
Thanks NerdsOfTech, we considered this one, but I don't want it to be that simple. For one thing it would miss all the URLs that do not contain trailing slash. Then if we just used $message_body contains ".cn" it would inadvertantly block all the email messages that happened to contain those characters unassociated with any URL, e.g. "go to my .cnet address", etc.
0
 
LVL 19

Accepted Solution

by:
NerdsOfTech earned 500 total points
ID: 24791138
make \. optional suffix to TLD?
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"

Open in new window

0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24791146
before it would match:
   www.somesite.MatchIfThisIsHere.cn
but not
   www.virus.cn
because ./ was implied as being in front of an additional prefix to TLD (suh as with .co.uk; where .co is the prefix to TLD)


The new should match (hopefully):
www.virus.cn
0
 

Author Comment

by:joetac
ID: 24791434
thanks but it still does not work, currently trying:
$message_body: contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"

I know the basic exim filtering works because other rules such as the following work fine:
$message_body: contains "phentermine"

By the way, I have also tried:
$message_body: contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24792266
try:

"http\:\/\/([0-9a-z]\.)?[^/\s]+\.cn\W"
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24792280
oops

try this instead:

"http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]?\.?+cn\W"
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Guacamole cut and paste issue 3 47
Kali Linux store / persist wireless password 3 48
linux installs 6 49
mcrypt_create_iv() is deprecated 4 74
The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now