Stopping spam with links to Russian malware websites

If you're like me and you are sick and tired of being inundated with spam containing links to .ru websites trying to get you to download malware, this handy RegEx will do the trick.

[Hh][Tt][Tt][Pp][Ss]?[:][/][/][A-Za-z0-9_\-.]*[.]([Rr][Uu])([/][^ \t\n\r\f]+|[^A-Za-z0-9_\-]|$)

In my case, I use it in a custom signature inspecting the body of emails traversing my Cisco IDS/IPS system to instantly drop the packet, drop the connection from the offending mail server and reset the TCP connection to my mail server, which acts as a tarpit delay, leaving an open connection to the offending mail server while closing the connection on my mail server.

This RegEx could easily be adapted to mail systems such as Zimbra that use Postfix with SpamAssassin, or to others that make use of regular expressions.

I have another I'll post that works in conjunction with SpamCop to ensure servers identified as known spam sources by SpamCop will be denied port 25 SMTP connections.

David Kopacz, CTO
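A quick way to see what the pattern above flags and what it misses before loading it into a signature, written here as an added example in Python (it is not the post's own tooling). The sample message bodies are constructed and every host in them is a placeholder.

```python
import re

# The pattern from the post above. Its two case classes were written as [ss]? and
# [uu]; here they are [Ss]? and [Uu] so that "HTTPS" and ".RU" match as intended.
RU_LINK = re.compile(
    r"[Hh][Tt][Tt][Pp][Ss]?[:][/][/][A-Za-z0-9_\-.]*[.]([Rr][Uu])"
    r"([/][^ \t\n\r\f]+|[^A-Za-z0-9_\-]|$)"
)


def find_ru_links(body: str) -> list[str]:
    """Return each substring of an email body that the pattern flags.

    The last alternative of the pattern can swallow one trailing delimiter
    (a space or newline); that whitespace is stripped for readability, but a
    trailing dot is kept so the reader can see where the match stopped.
    """
    return [m.group(0).rstrip() for m in RU_LINK.finditer(body)]


def should_drop(body: str) -> bool:
    """Signature-style verdict: True when at least one link in the body matches."""
    return RU_LINK.search(body) is not None


# Constructed sample message bodies; none of these hosts are real.
SPAM_BODY = (
    "Your invoice is ready.\n"
    "Download it here: HTTP://update-center.example.ru/get.php?id=1234\n"
    "Mirror: HTTPS://Example.RU/login\n"
)
CLEAN_BODY = "Order shipped, track it at https://shop.example.com/track/98765\n"
# Edge cases worth knowing before deploying the pattern:
#  - a bare domain with no scheme is NOT matched (http:// or https:// is required)
#  - a ".ru." label inside a non-.ru host still matches, because the "." after
#    "ru" satisfies the [^A-Za-z0-9_\-] alternative (a false-positive risk)
EDGE_BODY = (
    "see www.news.example.ru for details\n"
    "logo: http://cdn.ru.example.com/logo.png\n"
)

if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("clean", CLEAN_BODY), ("edge", EDGE_BODY)):
        print(name, should_drop(body), find_ru_links(body))
```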
