Mailing List Archive

URL in content mail
Helo
Is it possible to delete the mail containing the content of the url
eg. content in mail is http://url address.

regrads
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: URL in content mail [ In reply to ]
On 11/12/2018 12:22, S?awomir Dworaczek via Exim-users wrote:
> Is it possible to delete the mail containing the content of the url
> eg. content in mail is http://url address.

acl, deny, condition, ${if, match, $message_body
--
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: URL in content mail [ In reply to ]
thanks for reply

what would the regex rule look like for all links in the content that look
like this http://whole.thic.com/pe/domaincontrol.html?email=2cd10@7bbbd
http://eubersu.zacas.com/s210/sav.php?email=b2067@25b40
http://fees.3rdpartypolitics.com/citrix2/web01.php?email=434535

from org, net and us domains

e.t.c
Recently, spam reports come a lot


----- Original Message -----
From: "Jeremy Harris via Exim-users" <exim-users@exim.org>
To: <exim-users@exim.org>
Sent: Tuesday, December 11, 2018 1:57 PM
Subject: Re: [exim] URL in content mail


> On 11/12/2018 12:22, S?awomir Dworaczek via Exim-users wrote:
>> Is it possible to delete the mail containing the content of the url
>> eg. content in mail is http://url address.
>
> acl, deny, condition, ${if, match, $message_body
> --
> Jeremy
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: URL in content mail [ In reply to ]
On Tue, 11 Dec 2018, S?awomir Dworaczek via Exim-users wrote:

> From: S?awomir Dworaczek via Exim-users <exim-users@exim.org>
> To: exim-users@exim.org
> Date: Tue, 11 Dec 2018 13:22:22 +0100
> Subject: [exim] URL in content mail
>
> Is it possible to delete the mail containing the content of the url
> eg. content in mail is http://url address.

You don't say exactly why you want to reject such emails. I suspect
they may be the usual collection of spam, phishing emails etc. If
so, then the ClamAV virus scanner might help. I remember it being
useful for this purpose a few years ago. I haven't worked in this
area for a while. But I suspect that things haven't changed too
much.

The ClamAV virus scanner integrates well with exim. Usage is
described in Chapter 44 of the exim manual. If you're running this
virus scanner, you may find that some of the unofficial third-party
signatures will do at least part of the rejection for you.

Compiling lists of dodgy URLs for yourself is an endless game of
whack-a-mole[1]. The novelty of doing this soon wears off. Better
if ClamAV virus signatures can recognise most of this stuff and
reject it for you.

See:

https://sanesecurity.com/

and:

https://sanesecurity.com/usage/signatures/


[1] https://en.wikipedia.org/wiki/Whac-A-Mole
--
Dennis Davis <dennisdavis@fastmail.fm>
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: URL in content mail [ In reply to ]
On Tue, 11 Dec 2018 at 18:22, S?awomir Dworaczek via Exim-users <
exim-users@exim.org> wrote:

> thanks for reply
>
> what would the regex rule look like for all links in the content that look
> like this http://whole.thic.com/pe/domaincontrol.html?email=2cd10@7bbbd
> http://eubersu.zacas.com/s210/sav.php?email=b2067@25b40
> http://fees.3rdpartypolitics.com/citrix2/web01.php?email=434535
>
> from org, net and us domains
>
> e.t.c
> Recently, spam reports come a lot
>
>
What exactly are you trying to achieve?

I think you could control a lot of spam using rspamd these days. However,
if you want to do this manually (whack-a-mole, I hear it being called),
then look into using the system filter.

if $message_body contains "this|that|other"
then
seen
finish
endif

You can log snippets of what the filter rule is doing in some file that you
can brood over and see if you are doing the right thing.
I advise you look into rspamd. It does some good work with urls and guess
what? You let it handle all this within itself and it decides on the
actions.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: URL in content mail [ In reply to ]
I have always used clamav but he unfortunately does not recognize viruses by url. Appointments yes, I can do it
----- Original Message -----
From: Odhiambo Washington
To: slawek@dworaczek.info
Cc: exim users
Sent: Wednesday, December 12, 2018 10:04 AM
Subject: Re: [exim] URL in content mail





On Tue, 11 Dec 2018 at 18:22, S?awomir Dworaczek via Exim-users <exim-users@exim.org> wrote:

thanks for reply



from org, net and us domains

e.t.c
Recently, spam reports come a lot




What exactly are you trying to achieve?


I think you could control a lot of spam using rspamd these days. However, if you want to do this manually (whack-a-mole, I hear it being called), then look into using the system filter.


if $message_body contains "this|that|other"
then
seen
finish
endif


You can log snippets of what the filter rule is doing in some file that you can brood over and see if you are doing the right thing.
I advise you look into rspamd. It does some good work with urls and guess what? You let it handle all this within itself and it decides on the actions.




--

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: URL in content mail [ In reply to ]
On Wed, Dec 12, 2018 at 1:25 PM S?awomir Dworaczek via Exim-users <
exim-users@exim.org> wrote:

> I have always used clamav but he unfortunately does not recognize viruses
> by url. Appointments yes, I can do it


With SpamAssassin ("SA" hereafter), make your own rule to e.g.
local_url_rules.cf, something like this, test and adapt as necessary:

uri __LOCAL_URI_EMAIL_IN_GET_REQUEST /\?email=[^\@]+\@[^\@]+$/

Then you can combine this in another SA meta rule, e.g. like this:

header __FROM_DOT_ORG From =~ /\@[^@]+\.org>?$/
header __FROM_DOT_NET From =~ /\@[^@]+\.net>?$/
header __FROM_DOT_US From =~ /\@[^@]+\.us>?$/


meta LOCAL_CONTENT_POLICY_001 __LOCAL_URI_EMAIL_IN_GET_REQUEST &&
(__FROM_DOT_ORG || __FROM_DOT_NET || __FROM_DOT_US)
describe LOCAL_CONTENT_POLICY_001 Local content policy
score LOCAL_CONTENT_POLICY_001 0.1

Set the score to something more than 0.1 when you are satisfied that there
are few enough false positives and enough true positives.
--
Jan
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/