
GFI Mail Essential, How to filter URL only spam with regular expression

Posted on 2013-12-09
Last Modified: 2013-12-10
I contacted GFI support and the forum; they claim it's possible to filter emails containing a URL only, with no text before and after. But it does not seem to be working; to me it looks as if the regular expression engine they use checks line by line, not applying the regular expression to the entire body text. If you use GFI MailEssential, how do you overcome this limit?

For example, when I tried to filter emails containing only a URL, with no text before or after, with/without a newline character, I put this:

e= ^http:\/\/[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(\/\S*)+$

But it filters 'text+e', 'e+text' and 'text+e+text'. The ^ and $ are only applied to the line, not the entire text, it looks like...
0
Comment
Question by:crcsupport
 
LVL 9

Assisted Solution

by:Derek Jensen
Derek Jensen earned 2000 total points
ID: 39706516
There should be a switch/modifier you can use to turn on finding newlines as part of the text, rather than terminating the text string at them. Commonly, the switch is 's' or 'm', as in:

e= (?m)^http:\/\/[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}(\/\S*)+$


I'm not sure this is correct, but I assume it is based on my preliminary research on GFI/Tcl.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39707227
It takes (?m), but it seems to restart the input string when there's line break...
I may keep this thread while I research more..
0
 
LVL 9

Assisted Solution

by:Derek Jensen
Derek Jensen earned 2000 total points
ID: 39709022
Did you try (?s) ? Also try (?D) or (?d) , I've seen those before as newline match modifiers as well. If none of those work...

Wait. What *exactly* are you trying to find/filter? Upon re-reading your request, it sounds like you're looking for emails containing *only* a URL in the body, is that correct?

In any case, you're always welcome to try this regex:

e= ^(\r|\n|\s|\t)*http:\/\/[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}\/(\/|\S)*(\r|\n|\t|\s)*$


I refactored it so it would (hopefully) account for anything before/after a URL that's not text.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39709296
Same thing in GFI MailEssential, I tried yours and changed a bit to;

^http:\/\/[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}(\/\S*)+\s+$

It captures;

"http://asfsadfasdfds.com/asdfsdfas 

"

but also captures :
"http://asfsadfasdfds.com/asdfsdfas 

sdfasdfasdfsadf"

I tested the expression on a regular expression checker at http://regex101.com, and it works as expected. But GFI MailEssential doesn't work; it seems like their engine doesn't know how to do multiline mode. I used (?m) and others after researching online; none of them is taken as multiline mode.
0
 
LVL 9

Accepted Solution

by:Derek Jensen
Derek Jensen earned 2000 total points
ID: 39709323
Okay, let's try this one then:

^http:\/\/[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}(\/\S*)+\s*?[^a-zA-Z]$


0
 
LVL 1

Author Comment

by:crcsupport
ID: 39709380
nope... it stops right after it finds the pattern and gives false positive.

Match in body triggered rule "URL Only" (Match found: http://sadfsadfdsaf.com/asdfasdfasdf )

for both

"http://sadfsadfdsaf.com/asdfasdfasdf

"

and
"http://sadfsadfdsaf.com/asdfasdfasdf

sssss"
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39709406
I contacted GFI support; they have no idea what multiline mode is and ask me to post at http://ideas.gfi.com. Well...
Thank you bigdogdman anyway for your efforts.
0
 
LVL 9

Expert Comment

by:Derek Jensen
ID: 39710309
Wow....didn't see that one coming...

They must have a highly proprietary (and highly stripped-down) regex engine; good luck with that; hope everything works out. :-)
0
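
Added example (not part of the thread, and not GFI code): a Python model of the anchoring behaviour discussed above, using Python's `re` module. It assumes, as the asker suspects, that the filter tests each body line separately; the function names and sample bodies are constructed for illustration.

```python
import re

# URL shape taken from the thread's pattern; "/\S*" accepts the same strings
# as the thread's "(\/\S*)+" without the nested quantifier.
URL = r"http://[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}/\S*"

# Pattern as posted in the question: ^ and $ around the URL.
LINE_ANCHORED = re.compile(r"^" + URL + r"$")

# Whole-body form: \A and \Z bind to the start and end of the entire string,
# and only whitespace is allowed around the URL.
WHOLE_BODY = re.compile(r"\A\s*" + URL + r"\s*\Z")


def line_by_line_match(body):
    """Model of an engine that tests each line separately (assumed behaviour)."""
    return any(LINE_ANCHORED.search(line) for line in body.splitlines())


def multiline_match(body):
    """The same pattern with (?m): ^ and $ also match at every line break."""
    return re.search(r"(?m)^" + URL + r"$", body) is not None


def is_url_only(body):
    """True only when the whole body is one URL plus optional whitespace."""
    return WHOLE_BODY.search(body) is not None


# Constructed sample bodies modelled on the cases posted in the thread.
SAMPLES = {
    "url_only": "http://sadfsadfdsaf.com/asdfasdfasdf\n\n",
    "url_then_text": "http://sadfsadfdsaf.com/asdfasdfasdf\n\nsssss",
    "text_then_url": "hello\nhttp://sadfsadfdsaf.com/asdfasdfasdf",
}


def classify(samples=SAMPLES):
    """Return (line_by_line, multiline, whole_body) verdicts per sample."""
    return {name: (line_by_line_match(b), multiline_match(b), is_url_only(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, result in classify().items():
        print(name, result)
```

Both the line-by-line model and `(?m)` flag every sample, which matches the false positives reported in the thread; only the `\A ... \Z` form separates the URL-only body from the others.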
