
Stopping spam with links to Russian malware websites



If you're like me and you are sick and tired of being inundated with spam containing links to .ru websites trying to get you to download malware, this handy RegEx will do the trick.

[Hh][Tt][Tt][Pp][Ss]?[:][/][/][A-Za-z0-9_\-.]*[.]([Rr][Uu])([/][^ \t\n\r\f]+|[^A-Za-z0-9_\-]|$)

In my case, I use it in a custom signature inspecting the body of emails traversing my Cisco IDS/IPS system to instantly drop the packet, drop the connection from the offending mail server and reset the TCP connection to my mail server, which acts as a tarpit delay leaving an open connection to the offending mail server while closing the connection on my mail server.

This RegEx could easily be adapted to mail systems such as Zimbra that use Postfix with SpamAssassin or others that make use of regular expressions.

I have another I'll post that works in conjunction with SpamCop to ensure servers identified as known spam sources by SpamCop will be denied port 25 SMTP connections.

David Kopacz, CTO
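The following is an added example, not code from the post above, showing how the .ru link pattern behaves when run over a few constructed email bodies. It uses the pattern with fully case-insensitive classes (`[Ss]?` and `[Uu]`) and keeps a lowercase-only variant (`[ss]?`, `[uu]`, the way the pattern was first posted) for comparison, so the difference on an all-uppercase link is visible. The sample bodies, the function names and the "drop"/"pass" labels are assumptions for the example; the boundary alternative `[^A-Za-z0-9_\-]` is also exercised to show that a host such as `example.ru.com` is matched, which a practitioner should weigh before dropping connections on it.

```python
import re

# .ru link pattern with case-insensitive classes throughout.
RU_LINK_RE = re.compile(
    r"[Hh][Tt][Tt][Pp][Ss]?[:][/][/][A-Za-z0-9_\-.]*[.]([Rr][Uu])"
    r"([/][^ \t\n\r\f]+|[^A-Za-z0-9_\-]|$)"
)

# Lowercase-only variant ([ss]?, [uu]) kept for comparison: it cannot match
# an uppercase "HTTPS://...RU" link.
RU_LINK_RE_LOWER_ONLY = re.compile(
    r"[Hh][Tt][Tt][Pp][ss]?[:][/][/][A-Za-z0-9_\-.]*[.]([Rr][uu])"
    r"([/][^ \t\n\r\f]+|[^A-Za-z0-9_\-]|$)"
)

# Constructed sample email bodies (not real messages).
SAMPLE_BODIES = {
    "plain_ru": "Your invoice is ready: http://files.example.ru/invoice.exe",
    "upper_https": "Click HTTPS://UPDATE.EXAMPLE.RU/ now",
    "bare_ru_eol": "see http://example.ru",
    "ru_com_boundary": "http://example.ru.com/page",
    "legit": "Docs: https://docs.example.com/ru/guide and "
             "https://example.russia-tours.com/",
}


def find_ru_links(body: str, pattern: re.Pattern = RU_LINK_RE) -> list[str]:
    """Return the full text of every .ru link the pattern finds in a body."""
    return [m.group(0) for m in pattern.finditer(body)]


def classify(body: str) -> str:
    """'drop' if the body contains a .ru link per the pattern, else 'pass'.

    Mirrors the drop/pass decision the IDS signature makes on a packet.
    """
    return "drop" if RU_LINK_RE.search(body) else "pass"


def classify_all(bodies: dict[str, str]) -> dict[str, str]:
    """Run the classifier over every sample body, keyed by sample name."""
    return {name: classify(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:16s} {classify(body):5s} {find_ru_links(body)}")
```

Running the block shows that `plain_ru`, `upper_https`, `bare_ru_eol` and `ru_com_boundary` are dropped while `legit` passes; the lowercase-only variant misses `upper_https` entirely. The `ru_com_boundary` hit comes from the second alternative accepting the "." after "ru", so the matched text is `http://example.ru.` even though the actual host is under `.com`.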

