# Exim filter
-## Version: 0.09
+## Version: 0.16
+# $Id: system_filter.exim,v 1.8 2001/09/19 10:20:22 nigel Exp $
+## Exim system filter to refuse potentially harmful payloads in
+## mail messages
+## (c) 2000-2001 Nigel Metheringham <nigel@exim.org>
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+## -A copy of the GNU General Public License is distributed with exim itself
+
+## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
+## The install notes are not a replacement for the exim documentation
+## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-#
+
+## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the
# filter - this is an optomisation for messages that get
# queued and have several delivery attempts
finish
endif
-# Check for MS buffer overruns as per latest BUGTRAQ.
+## -----------------------------------------------------------------------
+# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
if ${length_80:$header_date:} is not $header_date:
then
fail text "This message has been rejected because it has\n\
- \tan overlength date field which can be used\n\
- \tto subvert Microsoft mail programs\n\
- \tThe following URL has further information\n\
- \thttp://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
+ an overlength date field which can be used\n\
+ to subvert Microsoft mail programs\n\
+ The following URL has further information\n\
+ http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
seen finish
endif
-# drop out error messages here
-if error_message
+## -----------------------------------------------------------------------
+# These messages are now being sent with a <> envelope sender, but
+# blocking all error messages that pattern match prevents
+# bounces getting back.... so we fudge it somewhat and check for known
+# header signatures. Other bounces are allowed through.
+if $header_from: contains "@sexyfun.net"
+then
+ fail text "This message has been rejected since it has\n\
+ the signature of a known virus in the header."
+ seen finish
+endif
+if error_message and $header_from: contains "Mailer-Daemon@"
then
+ # looks like a real error message - just ignore it
finish
endif
+## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
-# Check Content-Type header [vb2_regexp]
-if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))"
+# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
+if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
+then
+ fail text "This message has been rejected because it has\n\
+ potentially executable content $1\n\
+ This form of attachment has been used by\n\
+ recent viruses or other malware.\n\
+ If you meant to send this file then please\n\
+ package it up as a zip file and resend it."
+ seen finish
+endif
+# same again using unquoted filename [content_type_unquoted_fn_match]
+if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
then
fail text "This message has been rejected because it has\n\
- \ta potentially executable attachment $1\n\
- \tThis form of attachment has been used by\n\
- \trecent viruses such as that described in\n\
- \thttp://www.fsecure.com/v-descs/love.htm\n\
- \tIf you meant to send this file then please\n\
- \tpackage it up as a zip file and resend it."
+ potentially executable content $1\n\
+ This form of attachment has been used by\n\
+ recent viruses or other malware.\n\
+ If you meant to send this file then please\n\
+ package it up as a zip file and resend it."
seen finish
endif
+
+## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
-# the ILOVEYOU virus and its variants
-# [vb_regexp]
-if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"
+# the ILOVEYOU virus and its variants - many many varients
+# Quoted filename - [body_quoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
+then
+ fail text "This message has been rejected because it has\n\
+ a potentially executable attachment $1\n\
+ This form of attachment has been used by\n\
+ recent viruses or other malware.\n\
+ If you meant to send this file then please\n\
+ package it up as a zip file and resend it."
+ seen finish
+endif
+# same again using unquoted filename [body_unquoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
- \ta potentially executable attachment $1\n\
- \tThis form of attachment has been used by\n\
- \trecent viruses such as that described in\n\
- \thttp://www.fsecure.com/v-descs/love.htm\n\
- \tIf you meant to send this file then please\n\
- \tpackage it up as a zip file and resend it."
+ a potentially executable attachment $1\n\
+ This form of attachment has been used by\n\
+ recent viruses or other malware.\n\
+ If you meant to send this file then please\n\
+ package it up as a zip file and resend it."
seen finish
endif
+## -----------------------------------------------------------------------
+
#### Version history
#
# Changed trigger length to 80 chars, fixed some spelling
# 0.09 29 September 2000
# More extensions... its getting so we should just allow 2 or 3 through
+# 0.10 18 January 2001
+# Removed exclusion for error messages - this is a little nasty
+# since it has other side effects, hence we do still exclude
+# on unix like error messages
+# 0.11 20 March, 2001
+# Added CMD extension, tidied docs slightly, added RCS tag
+# ** Missed changing version number at top of file :-(
+# 0.12 10 May, 2001
+# Added HTA extension
+# 0.13 22 May, 2001
+# Reformatted regexps and code to build them so that they are
+# shorter than the limits on pre exim 3.20 filters. This will
+# make them significantly less efficient, but I am getting so
+# many queries about this that requiring 3.2x appears unsupportable.
+# 0.14 15 August,2001
+# Added .lnk extension - most requested item :-)
+# Reformatted everything so its now built from a set of short
+# library files, cutting down on manual duplication.
+# Changed \w in filename detection to . - dodges locale problems
+# Explicit application of GPL after queries on license status
+# 0.15 17 August, 2001
+# Changed the . in filename detect to \S (stops it going mad)
+# 0.16 19 September, 2001
+# Pile of new extensions including the eml in current use
#
#### Install Notes
#
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation depedant - typicaly /etc/exim/config ]
-# at the top the line:-
+# in the first section the line:-
# message_filter = /etc/exim/system_filter.exim
# message_body_visible = 5000
#
+# You may also want to set the message_filter_user & message_filter_group
+# options, but they default to the standard exim user and so can
+# be left untouched. The other message_filter_* options are only
+# needed if you modify this to do other functions such as deliveries.
+# The main exim documentation is quite thorough and so I see no need
+# to expand it here...
+#
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
#
#### BASIS
#
-# The regexp that is used to pickup MIME/uuencoded parts is replicated
-# below (in perl format). You need to remember that exim converts
-# newlines to spaces in the message_body variable.
-#
-# (?:Content- # start of content header
-# (?:Type: (?>\s*) # rest of c/t header
-# [\w-]+/[\w-]+ # content-type (any)
-# |Disposition: (?>\s*) # content-disposition hdr
-# attachment) # content-disposition
-# ;(?>\s*) # ; space or newline
-# (?:file)?name= # filename=/name=
-# |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode
-# (\"[^\"]+\. # quoted filename.
-# (?:vb[se] # list of extns
-# |ws[fh]
-# |jse?
-# |exe
-# |com
-# |shs
-# |bat
-# |scr
-# |pif)
-# \" # end quote
-# |[\w.-]+\. # unquoted filename.ext
-# (?:vb[se] # list of extns
-# |ws[fh]
-# |jse?
-# |exe
-# |com
-# |shs
-# |bat
-# |scr
-# |pif)
-# ) # end of filename capture
-# [\s;] # trailing ;/space/newline
+# The regexp that is used to pickup MIME/uuencoded body parts with
+# quoted filenames is replicated below (in perl format).
+# You need to remember that exim converts newlines to spaces in
+# the message_body variable.
+#
+# (?:Content- # start of content header
+# (?:Type: (?>\s*) # rest of c/t header
+# [\w-]+/[\w-]+ # content-type (any)
+# |Disposition: (?>\s*) # content-disposition hdr
+# attachment) # content-disposition
+# ;(?>\s*) # ; space or newline
+# (?:file)?name= # filename=/name=
+# |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode
+# (\"[^\"]+\. # quoted filename.
+# (?:ad[ep] # list of extns
+# |ba[st]
+# |chm
+# |cmd
+# |com
+# |cpl
+# |crt
+# |eml
+# |exe
+# |hlp
+# |hta
+# |in[fs]
+# |isp
+# |jse?
+# |lnk
+# |md[be]
+# |ms[cipt]
+# |pcd
+# |pif)
+# |reg
+# |scr
+# |sct
+# |shs
+# |url
+# |vb[se]
+# |ws[fhc])
+# \" # end quote
+# ) # end of filename capture
+# [\s;] # trailing ;/space/newline
+
#
#
### [End]