Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Need help with antivirus.exim filtering rule. How can I filter out chinese urls?

Posted on 2009-07-04
7
Medium Priority
?
813 Views
Last Modified: 2013-11-22
I would like to set up an antivirus.exim rule to simply look at the body copy and filter the email if it contains a china based URL, i.e. a url with .cn/

I have tried several versions of the following, but it still does not work:

$message_body contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

also

$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"

Okay, so here is an example of the complete script in /etc/antivirus.exim
---------------------
# Exim filter
if error_message then finish endif
if
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]+\.cn"
then
save "/dev/null" 660
endif
---------------------

But after restarting exim, I just try to send a simple message with a URL like the following in the body copy, and the email is allowed to pass on through.

http://www.spamalot.cn

Any help would be greatly appreciated.
0
Comment
Question by:joetac
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24783043
$message_body contains ".cn/"
0
 

Author Comment

by:joetac
ID: 24783330
Thanks NerdsOfTech, we considered this one, but I don't want it to be that simple. For one thing it would miss all the URLs that do not contain trailing slash. Then if we just used $message_body contains ".cn" it would inadvertantly block all the email messages that happened to contain those characters unassociated with any URL, e.g. "go to my .cnet address", etc.
0
 
LVL 19

Accepted Solution

by:
NerdsOfTech earned 2000 total points
ID: 24791138
make \. optional suffix to TLD?
$message_body contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"

Open in new window

0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24791146
before it would match:
   www.somesite.MatchIfThisIsHere.cn
but not
   www.virus.cn
because ./ was implied as being in front of an additional prefix to TLD (suh as with .co.uk; where .co is the prefix to TLD)


The new should match (hopefully):
www.virus.cn
0
 

Author Comment

by:joetac
ID: 24791434
thanks but it still does not work, currently trying:
$message_body: contains "http://[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"

I know the basic exim filtering works because other rules such as the following work fine:
$message_body: contains "phentermine"

By the way, I have also tried:
$message_body: contains "http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z\.]+cn"
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24792266
try:

"http\:\/\/([0-9a-z]\.)?[^/\s]+\.cn\W"
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24792280
oops

try this instead:

"http\:\/\/[0-9a-z]*\.?[0-9a-z]*\.?[0-9a-z]?\.?+cn\W"
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question