We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

Need help with antivirus.exim filtering rule. How can I filter out chinese urls?

joetac
joetac asked
on
Medium Priority
861 Views
Last Modified: 2013-11-22
I would like to set up an antivirus.exim rule to simply look at the body copy and filter the email if it contains a china based URL, i.e. a url with .cn/

I have tried several versions of the following, but it still does not work:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

also

$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Okay, so here is an example of the complete script in /etc/antivirus.exim
---------------------
# Exim filter
if error_message then finish endif
if
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
save "/dev/null" 660
endif
---------------------

But after restarting exim, I just try to send a simple message with a URL like the following in the body copy, and the email is allowed to pass on through.

http://www.spamalot.cn

Any help would be greatly appreciated.
Comment
Watch Question

NerdsOfTechTechnology Scientist
CERTIFIED EXPERT

Commented:
$message_body contains ".cn/"

Author

Commented:
Thanks NerdsOfTech, we considered this one, but I don't want it to be that simple. For one thing it would miss all the URLs that do not contain trailing slash. Then if we just used $message_body contains ".cn" it would inadvertantly block all the email messages that happened to contain those characters unassociated with any URL, e.g. "go to my .cnet address", etc.
Technology Scientist
CERTIFIED EXPERT
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview
NerdsOfTechTechnology Scientist
CERTIFIED EXPERT

Commented:
before it would match:
   www.somesite.MatchIfThisIsHere.cn
but not
   www.virus.cn
because ./ was implied as being in front of an additional prefix to TLD (suh as with .co.uk; where .co is the prefix to TLD)


The new should match (hopefully):
www.virus.cn

Author

Commented:
thanks but it still does not work, currently trying:
$message_body: contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"

I know the basic exim filtering works because other rules such as the following work fine:
$message_body: contains "phentermine"

By the way, I have also tried:
$message_body: contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"
NerdsOfTechTechnology Scientist
CERTIFIED EXPERT

Commented:
try:

"http\:\/\/([0-9a-z]\.)?[^/\s]+\.cn\W"
NerdsOfTechTechnology Scientist
CERTIFIED EXPERT

Commented:
oops

try this instead:

"http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]?\.?+cn\W"
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.