Willians,
After doing additional testing: anything can be changed by the sender to cause the regex to make it so email can go through. In your example below, if I do badspammer.com.com this will also be blocked when using "badspammer\.com", same with badspammer.commcom.com.

The most correct, if it worked (but it doesn't seem to work), would be @badspammer\.com$ ($ is a special character meaning end of string). But the question states block badspammer.com; it doesn't say to make sure that badspammermcom is not matched, or any other form thereof. No matter what you put, it cannot be 100% foolproof. So an acceptable answer would be:

  badspammer.com
  badspammer\.com
  badspammer[.]com
  @badspammer.com
  @badspammer\.com
  @badspammer[.]com

Any of those six answers will meet the requirements of the question.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: Willians Barboza [mailto:[email protected]]
Sent: Monday, May 11, 2009 7:11 PM
To: Tyson Scott; OSL Security
Subject: Re: [OSL | CCIE_Security] lab1.11

Well, I just did a test... I configured the testPC on the outside and used Outlook Express. Then I enabled debug on the ASA and sent a message with the sender address test at badspammermcom.com. Guess what? Connection reset.
Then, I changed the sender address to test at BaDSpammer.com. Guess what?? It passed!!!
So, the good expression would be:

  [Bb][Aa][Dd][Ss][Pp][Aa][Mm][Mm][Ee][Rr]\.[Cc][Oo][Mm]

or

  [Bb][Aa][Dd][Ss][Pp][Aa][Mm][Mm][Ee][Rr][.][Cc][Oo][Mm]

With this, it doesn't matter the capitalization, and it would only match the dot as a character...

2009/5/11 Tyson Scott <[email protected]>

William,

The examples you have below are good. And if you look in the book Cisco ASA, PIX, and FWSM Handbook at some of the regex examples they have for domain matching, you will find sometimes they do domain.com, domain\.com and @domain.com. All acceptable answers. But I would prefer the way you did it over the solution configuration as it would be more precise; but I haven't seen a domain that doesn't end in a suffix, so I wouldn't worry too much about the fact that . is the "any" character.
I may possibly add a note to the solution configuration giving more information for those that don't understand regular expressions.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Willians Barboza
Sent: Sunday, May 10, 2009 7:02 PM
To: OSL Security
Subject: [OSL | CCIE_Security] lab1.11

Hi,

I think the regex expression you put is not correct... The documentation says that a dot (.) without brackets will match any character. Then, just to test, I used the test regex command:

  ciscoasa# test regex badspammermcom "badspammer.com"
  INFO: Regular expression match succeeded.

In my opinion, the expression should be one of those:

  "badspammer[.]com"
  "badspammer\.com"

So that it would only match the exact domain, but not something similar. Check my tests:

  ciscoasa# test regex badspammermcom "badspammer[.]com"
  INFO: Regular expression match failed.
  ciscoasa# test regex badspammer.com "badspammer[.]com"
  INFO: Regular expression match succeeded.
  ciscoasa# test regex badspammer.com "badspammer\.com"
  INFO: Regular expression match succeeded.
  ciscoasa# test regex badspammermcom "badspammer\.com"
  INFO: Regular expression match failed.

Regards
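As an added example (not from the thread, not Cisco's code), the matching behaviour the whole thread argues about, reproduced offline: Python's re module stands in for the ASA regex engine (both do an unanchored, case-sensitive search where a bare . matches any character), the sender addresses are constructed from the ones Willians and Tyson mention, and the ASA's own handling of $ in a sender-address match is not modelled.

```python
import re

# Constructed sender addresses: the two Willians tested plus the
# suffix variants Tyson raised in his reply.
SENDERS = [
    "test@badspammer.com",          # the domain the lab says to block
    "test@badspammermcom.com",      # look-alike: the 'm' satisfies a bare '.'
    "test@BaDSpammer.com",          # same domain, different case
    "test@badspammer.com.com",      # trailing suffix, also caught by \.com
    "test@badspammer.commcom.com",
]

# Candidate patterns from the thread, keyed by the form they were written in.
PATTERNS = {
    r"badspammer.com":    r"badspammer.com",
    r"badspammer\.com":   r"badspammer\.com",
    r"badspammer[.]com":  r"badspammer[.]com",
    r"@badspammer\.com$": r"@badspammer\.com$",
    "char-class": r"[Bb][Aa][Dd][Ss][Pp][Aa][Mm][Mm][Ee][Rr]\.[Cc][Oo][Mm]",
}


def asa_test_regex(text, pattern):
    """Stand-in for 'test regex <text> <pattern>': unanchored, case-sensitive
    search. True corresponds to 'Regular expression match succeeded'."""
    return re.search(pattern, text) is not None


def blocked_by(label, senders=SENDERS, patterns=PATTERNS):
    """Senders the given pattern would block (i.e. match)."""
    return [s for s in senders if asa_test_regex(s, patterns[label])]


def match_table(senders=SENDERS, patterns=PATTERNS):
    """Every pattern against every sender; True means the message is blocked."""
    return {label: {s: asa_test_regex(s, p) for s in senders}
            for label, p in patterns.items()}


if __name__ == "__main__":
    for label, row in match_table().items():
        cells = " ".join("BLOCK" if hit else "pass " for hit in row.values())
        print(f"{label:20} {cells}")
```

Only the $-anchored form confines the block to the exact domain; the bare-dot form is the only one that also catches badspammermcom, and only the character-class form survives a change of case.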
