
Stopping spam with links to Russian malware websites



If you're like me and you are sick and tired of being inundated with spam containing links to .ru websites trying to get you to download malware, this handy RegEx will do the trick.

[Hh][Tt][Tt][Pp][Ss]?[:][/][/][A-Za-z0-9_\-.]*[.]([Rr][Uu])([/][^ \t\n\r\f]+|[^A-Za-z0-9_\-]|$)

In my case, I use it in a custom signature inspecting the body of emails traversing my Cisco IDS/IPS system to instantly drop the packet, drop the connection from the offending mail server and reset the TCP connection to my mail server, which acts as a tarpit delay, leaving an open connection to the offending mail server while closing the connection on my mail server.

This RegEx could easily be adapted to mail systems such as Zimbra that use Postfix with SpamAssassin, or others that make use of regular expressions.

I have another I'll post that works in conjunction with SpamCop to ensure servers identified as known spam sources by SpamCop will be denied port 25 SMTP connections.

David Kopacz, CTO
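The pattern above run over a few constructed message bodies, as an added example that is not part of the original post. The `s` and `u` character classes are written here as `[Ss]` and `[Uu]` so that upper-case URLs are caught too; the sample bodies, `find_ru_links` and `scan_message` are all constructed for this illustration.

```python
import re

# The post's pattern, with the "s" and "u" classes written case-insensitively
# ([Ss], [Uu]) so "HTTPS://EXAMPLE.RU" is flagged as well as "http://example.ru".
RU_LINK = re.compile(
    r"[Hh][Tt][Tt][Pp][Ss]?[:][/][/][A-Za-z0-9_\-.]*[.]([Rr][Uu])"
    r"([/][^ \t\n\r\f]+|[^A-Za-z0-9_\-]|$)"
)


def find_ru_links(body: str) -> list[str]:
    """Return every span of the message body that the pattern flags."""
    return [m.group(0) for m in RU_LINK.finditer(body)]


def scan_message(body: str) -> bool:
    """True if the body would trip the signature (at least one hit)."""
    return RU_LINK.search(body) is not None


# Constructed sample bodies (not real spam), one per case.
SAMPLES = {
    # Plain http link with a path: the whole URL is captured up to whitespace.
    "plain_http": "Your parcel is waiting: http://promo.example.ru/download.exe today",
    # Upper-case scheme and TLD at end of line: caught via the "$" alternative.
    "upper_https": "Details at HTTPS://EXAMPLE.RU",
    # A port after the TLD: ":" is accepted by the "[^A-Za-z0-9_\-]" alternative.
    "port": "Login here http://mail.example.ru:8080/login",
    # ".ru" followed by a letter is not a TLD boundary, so this is left alone.
    "ru_in_middle": "Visit http://example.russia.com/ for the brochure",
    # Caveat: "." is not excluded after the TLD, so a .ru.com host is also flagged.
    "ru_subdomain_of_com": "Archive at http://example.ru.com/docs",
    # Bare addresses have no scheme, so the body-inspection rule ignores them.
    "address_only": "Regards, support@example.ru",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:22s} flagged={scan_message(body)!s:5s} hits={find_ru_links(body)}")
```

The `.ru.com` case shows that the third alternative accepts any non-word character, including a dot, so tightening it is a trade-off against also rejecting a URL that ends a sentence with a period.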

