Well, I just did a test... I configured the test PC on the outside and used Outlook Express. Then I enabled debug on the ASA and sent a message with the sender address test at badspammermcom.com. Guess what? Connection reset.
ciscoasa(config)#
SMTP: Initial state:1
SMTP: Initial state:1
SMTP: Initial state:1
SMTP: Initial state:1
SMTP: State changed to:5
SMTP: REPLY - Reply len:4, match_len:4, reply_re_state:31
SMTP: REPLY - match id:28
SMTP: State changed to:13
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:2
SMTP: VERB - Match_len:4, cmd_re_state:51
SMTP: VERB - match id:5
SMTP: VERB - Cmd len:4
SMTP: State changed to:4
SMTP: CMD PARAM - Cmd len:21, match_len:17, cmd_re_state:4
SMTP: CMD PARAM - match id:27
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:5
SMTP: REPLY - Reply len:43, match_len:43, reply_re_state:36
SMTP: REPLY - match id:41
SMTP: CHECK EHLO REPLY - eid:8
SMTP: REPLY DONE - eid: 8
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:2
SMTP: VERB - Match_len:4, cmd_re_state:53
SMTP: VERB - match id:7
SMTP: VERB - Cmd len:4
SMTP: State changed to:4
SMTP: CMD PARAM - Cmd len:10, match_len:6, cmd_re_state:23
SMTP: CMD PARAM - match id:25
SMTP: State changed to:12
Reset connection

Then, I changed the sender address to test at BaDSpammer.com<[email protected]>. Guess what?? It passed!!!

ciscoasa(config)#
SMTP: Initial state:1
SMTP: Initial state:1
SMTP: Initial state:1
SMTP: Initial state:1
SMTP: State changed to:5
SMTP: REPLY - Reply len:4, match_len:4, reply_re_state:31
SMTP: REPLY - match id:28
SMTP: State changed to:13
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:2
SMTP: VERB - Match_len:4, cmd_re_state:51
SMTP: VERB - match id:5
SMTP: VERB - Cmd len:4
SMTP: State changed to:4
SMTP: CMD PARAM - Cmd len:21, match_len:17, cmd_re_state:4
SMTP: CMD PARAM - match id:27
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:5
SMTP: REPLY - Reply len:43, match_len:43, reply_re_state:36
SMTP: REPLY - match id:41
SMTP: CHECK EHLO REPLY - eid:8
SMTP: REPLY DONE - eid: 8
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:2
SMTP: VERB - Match_len:4, cmd_re_state:53
SMTP: VERB - match id:7
SMTP: VERB - Cmd len:4
SMTP: State changed to:4
SMTP: CMD PARAM - Cmd len:10, match_len:6, cmd_re_state:23
SMTP: CMD PARAM - match id:25
SMTP: State kept, no EID to use!!!
SMTP: CMD PARAM - Cmd len:32, match_len:20, cmd_re_state:4
SMTP: CMD PARAM - match id:27
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:5
SMTP: REPLY - Reply len:42, match_len:42, reply_re_state:36
SMTP: REPLY - match id:41
SMTP: CHECK EHLO REPLY - eid:8
SMTP: REPLY DONE - eid: 8
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:2
SMTP: VERB - Match_len:4, cmd_re_state:56
SMTP: VERB - match id:10
SMTP: VERB - Cmd len:4
SMTP: State changed to:4
SMTP: CMD PARAM - Cmd len:26, match_len:22, cmd_re_state:4
SMTP: CMD PARAM - match id:27
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:5
SMTP: REPLY - Reply len:26, match_len:26, reply_re_state:36
SMTP: REPLY - match id:41
SMTP: CHECK EHLO REPLY - eid:8
SMTP: REPLY DONE - eid: 8
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:2
SMTP: VERB - Match_len:4, cmd_re_state:47
SMTP: VERB - match id:2
SMTP: VERB - Cmd len:4
SMTP: State changed to:4
SMTP: CMD PARAM - Cmd len:6, match_len:2, cmd_re_state:4
SMTP: CMD PARAM - match id:27
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:5
SMTP: REPLY - Reply len:4, match_len:4, reply_re_state:35
SMTP: REPLY - match id:42
SMTP: REPLY DONE - eid: 9
SMTP: State changed to:7
SMTP: Initial state:7
SMTP: HDR SIG - hdr len:63, line len:63, match_len:63,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:97, line len:34, match_len:34,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:100, line len:3, match_len:3,cmd_re_state:13
SMTP: HDR - match id:46
SMTP: State changed to:8
SMTP: State kept, no EID to use!!!
SMTP: State changed to:7
SMTP: HDR SIG - hdr len:128, line len:11, match_len:11,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:167, line len:39, match_len:39,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:186, line len:19, match_len:19,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:199, line len:13, match_len:13,cmd_re_state:56
SMTP: HDR - match id:47
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:224, line len:38, match_len:25,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:234, line len:10, match_len:10,cmd_re_state:29
SMTP: HDR - match id:49
SMTP HDR:Saving MIME boundary string.
SMTP HDR:MIME boundary = ----=_NextPart_000_0031_01C9D26B.753CC3E0
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:279, line len:55, match_len:3,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:294, line len:15, match_len:15,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:321, line len:27, match_len:27,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:373, line len:52, match_len:52,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:431, line len:58, match_len:58,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State kept, no EID to use!!!
SMTP: HDR SIG - hdr len:433, line len:2, match_len:2,cmd_re_state:1
SMTP: HDR - match id:50
SMTP: State changed to:9
SMTP: DATA SIG - data len:479, line len:46, match_len:46, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:481, line len:2, match_len:2, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:483, line len:2, match_len:2, cmd_re_state:3
SMTP: DATA SIG - match id:56
SMTP: State changed to:11
SMTP: MIME SIG - data len:526, line len:45, match_len:43,cmd_re_state:2
SMTP: MIME - match id:54
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:539, line len:13, match_len:13,cmd_re_state:24
SMTP: MIME - match id:51
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:553, line len:27, match_len:14,cmd_re_state:2
SMTP: MIME - match id:54
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:576, line len:23, match_len:23,cmd_re_state:2
SMTP: MIME - match id:54
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:602, line len:26, match_len:26,cmd_re_state:37
SMTP: MIME - match id:52
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:621, line len:45, match_len:19,cmd_re_state:2
SMTP: MIME - match id:54
SMTP: State kept, no EID to use!!!
SMTP: State changed to:9
SMTP: DATA SIG - data len:623, line len:2, match_len:2, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:625, line len:2, match_len:2, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:627, line len:2, match_len:2, cmd_re_state:3
SMTP: DATA SIG - match id:56
SMTP: State changed to:11
SMTP: MIME SIG - data len:670, line len:45, match_len:43,cmd_re_state:2
SMTP: MIME - match id:54
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:683, line len:13, match_len:13,cmd_re_state:24
SMTP: MIME - match id:51
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:696, line len:26, match_len:13,cmd_re_state:2
SMTP: MIME - match id:54
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:719, line len:23, match_len:23,cmd_re_state:2
SMTP: MIME - match id:54
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:745, line len:26, match_len:26,cmd_re_state:37
SMTP: MIME - match id:52
SMTP: State kept, no EID to use!!!
SMTP: MIME SIG - data len:764, line len:45, match_len:19,cmd_re_state:2
SMTP: MIME - match id:54
SMTP: State kept, no EID to use!!!
SMTP: State changed to:9
SMTP: DATA SIG - data len:766, line len:2, match_len:2, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:830, line len:64, match_len:64, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:844, line len:14, match_len:14, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:901, line len:57, match_len:57, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:925, line len:24, match_len:24, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:984, line len:59, match_len:59, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:1001, line len:17, match_len:17, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:1010, line len:9, match_len:9, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:1036, line len:26, match_len:26, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:1069, line len:33, match_len:33, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:1071, line len:2, match_len:2, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:1073, line len:2, match_len:2, cmd_re_state:3
SMTP: DATA SIG - match id:56
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:1075, line len:4, match_len:2, cmd_re_state:3
SMTP: DATA SIG - match id:56
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:1077, line len:6, match_len:2, cmd_re_state:3
SMTP: DATA SIG - match id:56
SMTP: State kept, no EID to use!!!
SMTP: DATA SIG - data len:1118, line len:47, match_len:41, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: Initial state:9
SMTP: Initial state:9
SMTP: DATA SIG - data len:1120, line len:2, match_len:2, cmd_re_state:1
SMTP: DATA SIG - match id:55
SMTP: State kept, no EID to use!!!
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:5
SMTP: REPLY - Reply len:44, match_len:44, reply_re_state:85
SMTP: REPLY - match id:44
SMTP: REPLY DONE - eid: 8
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:2
SMTP: VERB - Match_len:4, cmd_re_state:55
SMTP: VERB - match id:9
SMTP: VERB - Cmd len:4
SMTP: State changed to:4
SMTP: CMD PARAM - Cmd len:6, match_len:2, cmd_re_state:4
SMTP: CMD PARAM - match id:27
SMTP: State changed to:1
SMTP: Initial state:1
SMTP: State changed to:5
SMTP: REPLY - Reply len:4, match_len:4, reply_re_state:32
SMTP: REPLY - match id:29
SMTP: REPLY DONE - eid: 8
SMTP: State changed to:1
221 reply detected. So, ext being deleted now.
SMTP: Initial state:1
SMTP: Initial state:1
SMTP: Initial state:1
SMTP: Initial state:1

So, the good expression would be:

[Bb][Aa][Dd][Ss][Pp][Aa][Mm][Mm][Ee][Rr]\.[Cc][Oo][Mm]

or

[Bb][Aa][Dd][Ss][Pp][Aa][Mm][Mm][Ee][Rr][.][Cc][Oo][Mm]

With this, capitalization doesn't matter and it would only match the dot as a literal character...

2009/5/11 Tyson Scott <[email protected]>

> William,
>
> The examples are good that you have below.
>
> And if you look in the book Cisco ASA, PIX, and FWSM handbook at some of
> the regex examples they have for domain matching you will find sometimes
> they do the domain.com domain\.com and @domain.com. All acceptable
> answers.
>
> But I would prefer the way you did it over the solution configuration as it
> would be more precise but I haven't seen a domain that doesn't end in a
> suffix so I wouldn't worry too much about the fact that . is the "any"
> character.
>
> I may possibly add a note to the solution configuration giving more
> information for those that don't understand regular expressions.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
> Storage Lab Certifications.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Willians Barboza
> Sent: Sunday, May 10, 2009 7:02 PM
> To: OSL Security
> Subject: [OSL | CCIE_Security] lab1.11
>
> Hi,
>
> I think the regex expression you put is not correct...
>
> The documentation says that a dot [.] without brackets will match any
> character. Then, just to test, I used the test regex command
>
> ciscoasa# test regex badspammermcom "badspammer.com"
> INFO: Regular expression match succeeded.
>
> In my opinion, the expression should be one of those:
>
> "badspammer[.]com"
> "badspammer\.com"
>
> So that it would only match the exact domain, but not something similar
>
> Check my tests
>
> ciscoasa# test regex badspammermcom "badspammer[.]com"
> INFO: Regular expression match failed.
> ciscoasa# test regex badspammer.com "badspammer[.]com"
> INFO: Regular expression match succeeded.
> ciscoasa# test regex badspammer.com "badspammer\.com"
> INFO: Regular expression match succeeded.
> ciscoasa# test regex badspammermcom "badspammer\.com"
> INFO: Regular expression match failed.
>
> Regards
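The regex behaviour the thread works through (an unescaped dot matching "badspammermcom", an escaped or bracketed dot fixing that, ASA's case-sensitive matching letting "BaDSpammer.com" through, and the bracket-class expansion that fixes the case problem) can be reproduced offline. The script below is an added example written for this page; it is not code from the thread, from IPexpert or from Cisco. It assumes that Python's `re` module treats these particular constructs (literal characters, `.`, `\.`, `[.]`, `[Bb]`-style classes) the same way the ASA `test regex` command does, which is what the quoted `test regex` results show, and it uses a handful of constructed `MAIL FROM` lines as input. It also goes one step past the thread by trying the `@domain.com` form Tyson mentions, which stops the pattern from matching a look-alike domain that merely contains the target.

```python
import re

# Added example for this page, not code from the thread or from Cisco.
# Python's re module stands in for the ASA regex engine for the constructs
# used here (literal characters, '.', '\.', '[.]' and bracketed classes),
# and like 'test regex' it searches for the pattern anywhere in the input.


def asa_case_insensitive(domain: str) -> str:
    """Expand a domain into the bracket-class form used in the thread,
    e.g. 'badspammer.com' -> '[Bb][Aa][Dd]...[Rr]\\.[Cc][Oo][Mm]'.
    The ASA regex engine has no case-insensitive switch, so every letter
    becomes a two-character class, and the dot is escaped so that it only
    matches a literal dot instead of any character."""
    parts = []
    for ch in domain:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch == ".":
            parts.append(r"\.")
        else:
            parts.append(re.escape(ch))  # digits, hyphens, etc. stay literal
    return "".join(parts)


# Constructed sample MAIL FROM lines (not captured traffic): the exact domain,
# the mixed-case variant that passed inspection in the thread, the
# 'badspammermcom' string that an unescaped dot matches, a look-alike domain
# that merely contains the target, and an unrelated sender.
SAMPLE_MAIL_FROM = [
    "MAIL FROM:<test@badspammer.com>",
    "MAIL FROM:<test@BaDSpammer.com>",
    "MAIL FROM:<test@badspammermcom.com>",
    "MAIL FROM:<test@notbadspammer.com>",
    "MAIL FROM:<test@example.com>",
]


def evaluate(pattern: str, lines=SAMPLE_MAIL_FROM) -> list:
    """Return one bool per line: True where the pattern matches, i.e. where
    an inspection policy built on it would reset the connection."""
    rx = re.compile(pattern)
    return [rx.search(line) is not None for line in lines]


# The candidate expressions discussed in the thread, plus the '@' form.
PATTERNS = {
    "unescaped dot   ": "badspammer.com",
    "escaped dot     ": r"badspammer\.com",
    "bracketed dot   ": "badspammer[.]com",
    "case-insensitive": asa_case_insensitive("badspammer.com"),
    "anchored on '@' ": "@" + asa_case_insensitive("badspammer.com"),
}

if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name}  {pat}")
        for line, hit in zip(SAMPLE_MAIL_FROM, evaluate(pat)):
            print(f"    {'RESET' if hit else 'pass '}  {line}")
```

Running it shows the progression: the unescaped pattern resets the "badspammermcom" sender but lets the mixed-case one through, escaping the dot fixes the first problem only, the bracket-class expansion fixes both, and prefixing `@` additionally stops "notbadspammer.com" from being caught. Whichever form is used on the ASA, confirm it with `test regex` against both the domain you want to block and a near miss before putting it in a policy map.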
