# $Id: system_filter.exim,v 1.4 2001/05/22 08:18:31 nigel Exp $
## Exim system filter to refuse potentially harmful payloads in
## (c) 2000-2001 Nigel Metheringham <nigel@exim.org>
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
## A copy of the GNU General Public License is distributed with exim itself
## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
## The install notes are not a replacement for the exim documentation
## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
# we express this in reverse so we can just bail out
# on inappropriate messages
## -----------------------------------------------------------------------
# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# We take the first n characters of the date header
# and test if it's the same as the date header... which
# is a lousy way of checking if the date is longer than
if ${length_80:$header_date:} is not $header_date:
then
  fail text "This message has been rejected because it has\n\
  an overlength date field which can be used\n\
  to subvert Microsoft mail programs\n\
  The following URL has further information\n\
  http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
endif
## -----------------------------------------------------------------------
# These messages are now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
# bounces getting back.... so we fudge it somewhat and check for known
# header signatures. Other bounces are allowed through.
if $header_from: contains "@sexyfun.net"
then
  fail text "This message has been rejected since it has\n\
  the signature of a known virus in the header."
endif
if error_message and $header_from: contains "Mailer-Daemon@"
then
  # looks like a real error message - just ignore it
  finish
endif
## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
if $header_content-type: matches "[[content_type_quoted_fn_match]]"
then
  fail text "This message has been rejected because it has\n\
  potentially executable content $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "[[content_type_unquoted_fn_match]]"
then
  fail text "This message has been rejected because it has\n\
  potentially executable content $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
endif
## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "[[body_quoted_fn_match]]"
then
  fail text "This message has been rejected because it has\n\
  a potentially executable attachment $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "[[body_unquoted_fn_match]]"
then
  fail text "This message has been rejected because it has\n\
  a potentially executable attachment $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
endif
## -----------------------------------------------------------------------
# Widened list of content-types accepted, added WSF extension
# Embedded the install notes in for those that don't do manuals
# Check global content-type header. Efficiency mods to REs
# More minor efficiency mods, doc changes
# Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
# Latest MS Outhouse bug catching
# Changed trigger length to 80 chars, fixed some spelling
# 0.09 29 September 2000
# More extensions... it's getting so we should just allow 2 or 3 through
# 0.10 18 January 2001
# Removed exclusion for error messages - this is a little nasty
# since it has other side effects, hence we do still exclude
# on unix like error messages
# 0.11 20 March, 2001
# Added CMD extension, tidied docs slightly, added RCS tag
# ** Missed changing version number at top of file :-(
# Added HTA extension
# Reformatted regexps and code to build them so that they are
# shorter than the limits on pre exim 3.20 filters. This will
# make them significantly less efficient, but I am getting so
# many queries about this that requiring 3.2x appears unsupportable.
# 0.14 15 August 2001
# Added .lnk extension - most requested item :-)
# Reformatted everything so it's now built from a set of short
# library files, cutting down on manual duplication.
# Changed \w in filename detection to . - dodges locale problems
# Explicit application of GPL after queries on license status
# Exim filters run the exim filter language - a very primitive
# scripting language - in place of a user .forward file, or on
# a per system basis (on all messages passing through).
# The filtering capability is documented in the main set of manuals
# a copy of which can be found on the exim web site
# http://www.exim.org/
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation dependent - typically /etc/exim/config ]
# in the first section the lines:-
# message_filter = /etc/exim/system_filter.exim
# message_body_visible = 5000
# You may also want to set the message_filter_user & message_filter_group
# options, but they default to the standard exim user and so can
# be left untouched. The other message_filter_* options are only
# needed if you modify this to do other functions such as deliveries.
# The main exim documentation is quite thorough and so I see no need
# to expand it here...
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
# After install exim should be restarted - a kill -HUP to the
# daemon will do this.
# This filter tries to parse MIME with a regexp... that doesn't
# work too well. It will also only see the amount of the body
# specified in message_body_visible
# The regexp that is used to pick up MIME/uuencoded body parts with
# quoted filenames is replicated below (in perl format).
# You need to remember that exim converts newlines to spaces in
# the message_body variable.
[<body_quoted_fn_match>]
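As an added illustration (not part of the filter or its library files), the following Python re-implements two of the checks above, the overlength Date header test and the quoted dangerous-file-name test, on constructed sample messages. The extension list and regexp are my own assumptions built from extensions the change log names; the filter's real regexps are generated from library files that are not on this page, and the body check flattens newlines to spaces to mimic what $message_body shows the filter.

```python
# Added example, not part of the filter: a Python re-implementation of two
# of its checks. The extension list and regexp are my own assumptions built
# from extensions the change log names; the real regexps are not on this page.
import re
from email import message_from_string
from typing import Optional

DATE_MAX_LEN = 80  # the filter's ${length_80:...} trigger length
DANGEROUS_EXT = ("vbs", "wsf", "cmd", "hta", "lnk")  # assumed, partial list
# Quoted file-name parameter, e.g. name="report.txt.vbs"; group 1 is the $1
# the filter quotes back in its rejection text.
QUOTED_FN_RE = re.compile(r'(?:name|filename)\s*=\s*"([^"]*\.(?:%s))"'
                          % "|".join(DANGEROUS_EXT), re.IGNORECASE)

def overlength_date(date_header: str) -> bool:
    """Mirror of: if ${length_80:$header_date:} is not $header_date:"""
    return date_header[:DATE_MAX_LEN] != date_header

def dangerous_attachment(text: str) -> Optional[str]:
    """Return the matched file name, or None if nothing suspicious."""
    m = QUOTED_FN_RE.search(text)
    return m.group(1) if m else None

def check_message(raw: str) -> Optional[str]:
    """Return the reason the filter would reject the mail, or None."""
    msg = message_from_string(raw)
    if overlength_date(msg.get("Date", "")):
        return "overlength date field"
    hit = dangerous_attachment(msg.get("Content-Type", ""))
    if hit is None:
        # The filter sees the raw body (inner MIME headers included) in
        # $message_body with newlines turned into spaces; do the same so a
        # "name=" parameter folded onto its own line is still caught.
        body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
        hit = dangerous_attachment(body.replace("\n", " "))
    return None if hit is None else "potentially executable content " + hit

# Constructed sample messages, not real mail.
SAMPLE_VBS = (
    "From: sender@example.com\nDate: Thu, 4 May 2000 12:00:00 +0000\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
    'Content-Type: application/octet-stream;\n\tname="report.txt.vbs"\n\n'
    "(attachment data)\n--b1--\n")
SAMPLE_LONG_DATE = "From: sender@example.com\nDate: " + "X" * 100 + "\n\nhi\n"
SAMPLE_CLEAN = ("From: sender@example.com\nDate: Thu, 4 May 2000 12:00:00 +0000\n"
                'Content-Type: application/zip; name="report.zip"\n\n(zip data)\n')
```

Note that the multipart sample's file name is only found because the folded "name=" line is flattened first; a scanner that stopped at the top-level Content-Type header would let it through.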