Solved

Need help with antivirus.exim filtering rule. How can I filter out chinese urls?

Posted on 2009-07-04
7
804 Views
Last Modified: 2013-11-22
I would like to set up an antivirus.exim rule to simply look at the body copy and filter the email if it contains a china based URL, i.e. a url with .cn/

I have tried several versions of the following, but it still does not work:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

also

$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Okay, so here is an example of the complete script in /etc/antivirus.exim
---------------------
# Exim filter
if error_message then finish endif
if
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
save "/dev/null" 660
endif
---------------------

But after restarting exim, I just try to send a simple message with a URL like the following in the body copy, and the email is allowed to pass on through.

http://www.spamalot.cn

Any help would be greatly appreciated.
0
Comment
Question by:joetac
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24783043
$message_body contains ".cn/"
0
 

Author Comment

by:joetac
ID: 24783330
Thanks NerdsOfTech, we considered this one, but I don't want it to be that simple. For one thing it would miss all the URLs that do not contain trailing slash. Then if we just used $message_body contains ".cn" it would inadvertantly block all the email messages that happened to contain those characters unassociated with any URL, e.g. "go to my .cnet address", etc.
0
 
LVL 19

Accepted Solution

by:
NerdsOfTech earned 500 total points
ID: 24791138
make \. optional suffix to TLD?
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"

Open in new window

0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24791146
before it would match:
   www.somesite.MatchIfThisIsHere.cn
but not
   www.virus.cn
because ./ was implied as being in front of an additional prefix to TLD (suh as with .co.uk; where .co is the prefix to TLD)


The new should match (hopefully):
www.virus.cn
0
 

Author Comment

by:joetac
ID: 24791434
thanks but it still does not work, currently trying:
$message_body: contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"

I know the basic exim filtering works because other rules such as the following work fine:
$message_body: contains "phentermine"

By the way, I have also tried:
$message_body: contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24792266
try:

"http\:\/\/([0-9a-z]\.)?[^/\s]+\.cn\W"
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24792280
oops

try this instead:

"http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]?\.?+cn\W"
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question