# Exim filter
-## Version: 0.08
+## Version: 0.13
+# $Id: system_filter.exim,v 1.3 2001/05/18 10:28:13 nigel Exp $
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
seen finish
endif
-# drop out error messages here
-if error_message
+# This is a nasty compromise.
+# This crud is now being sent with a <> envelope sender, but
+# blocking all error messages that pattern match prevents
+# bounces getting back.... so we fudge it somewhat
+if $header_from: contains "@sexyfun.net"
then
+ fail text "This message has been rejected since it has\n\
+ \tthe signature of a known virus in the header."
+ seen finish
+endif
+if error_message and $header_from: contains "Mailer-Daemon@"
+then
+ # looks like a real error message - just ignore it
finish
endif
# Look for single part MIME messages with suspicious name extensions
-# Check Content-Type header [vb2_regexp]
-if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat))"
+# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
+if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")"
+then
+ fail text "This message has been rejected because it has\n\
+ \tpotentially executable content $1\n\
+ \tThis form of attachment has been used by\n\
+ \trecent viruses or other malware.\n\
+ \tIf you meant to send this file then please\n\
+ \tpackage it up as a zip file and resend it."
+ seen finish
+endif
+# same again using unquoted filename [content_type_unquoted_fn_match]
+if $header_content-type: matches "(?:file)?name=([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))"
then
fail text "This message has been rejected because it has\n\
- \tan apparently executable attachment $1\n\
+ \tpotentially executable content $1\n\
\tThis form of attachment has been used by\n\
- \trecent viruses such as that described in\n\
- \thttp://www.fsecure.com/v-descs/love.htm\n\
+ \trecent viruses or other malware.\n\
\tIf you meant to send this file then please\n\
\tpackage it up as a zip file and resend it."
seen finish
endif
+
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants
-# [vb_regexp]
-if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat))[\\\\s;]"
+# Quoted filename - [body_quoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
- \tan apparently executable attachment $1\n\
+ \ta potentially executable attachment $1\n\
\tThis form of attachment has been used by\n\
- \trecent viruses such as that described in\n\
- \thttp://www.fsecure.com/v-descs/love.htm\n\
+ \trecent viruses or other malware.\n\
+ \tIf you meant to send this file then please\n\
+ \tpackage it up as a zip file and resend it."
+ seen finish
+endif
+# same again using unquoted filename [body_unquoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]"
+then
+ fail text "This message has been rejected because it has\n\
+ \ta potentially executable attachment $1\n\
+ \tThis form of attachment has been used by\n\
+ \trecent viruses or other malware.\n\
\tIf you meant to send this file then please\n\
\tpackage it up as a zip file and resend it."
seen finish
# Latest MS Outhouse bug catching
# 0.08 19 July 2000
# Changed trigger length to 80 chars, fixed some spelling
+# 0.09 29 September 2000
+# More extensions... its getting so we should just allow 2 or 3 through
+# 0.10 18 January 2001
+# Removed exclusion for error messages - this is a little nasty
+# since it has other side effects, hence we do still exclude
+# on unix like error messages
+# 0.11 20 March, 2001
+# Added CMD extension, tidied docs slightly, added RCS tag
+# ** Missed changing version number at top of file :-(
+# 0.12 10 May, 2001
+# Added HTA extension
+# 0.13 22 May, 2001
+# Reformatted regexps and code to build them so that they are
+# shorter than the limits on pre exim 3.20 filters. This will
+# make them significantly less efficient, but I am getting so
+# many queries about this that requiring 3.2x appears unsupportable.
#
#### Install Notes
#
# message_filter = /etc/exim/system_filter.exim
# message_body_visible = 5000
#
+# You may also want to set the message_filter_user & message_filter_group
+# options, but they default to the standard exim user and so can
+# be left untouched. The other message_filter_* options are only
+# needed if you modify this to do other functions such as deliveries.
+# The main exim documentation is quite thorough and so I see no need
+# to expand it here...
+#
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
# |jse?
# |exe
# |com
+# |cmd
# |shs
-# |bat)
+# |hta
+# |bat
+# |scr
+# |pif)
# \" # end quote
# |[\w.-]+\. # unquoted filename.ext
# (?:vb[se] # list of extns
# |jse?
# |exe
# |com
+# |cmd
# |shs
-# |bat)
+# |hta
+# |bat
+# |scr
+# |pif)
# ) # end of filename capture
-# [\s;] # trailing ;/space/newline
+# [\s;] # trailing ;/space/newline
#
#
### [End]