# Exim filter
-## Version: 0.12
-# $Id: system_filter.exim,v 1.2 2001/05/10 11:35:45 nigel Exp $
+## Version: 0.14
+# $Id: system_filter.exim,v 1.4 2001/05/22 08:18:31 nigel Exp $
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
finish
endif
-# Check for MS buffer overruns as per latest BUGTRAQ.
+## -----------------------------------------------------------------------
+# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
if ${length_80:$header_date:} is not $header_date:
then
fail text "This message has been rejected because it has\n\
- \tan overlength date field which can be used\n\
- \tto subvert Microsoft mail programs\n\
- \tThe following URL has further information\n\
- \thttp://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
+ an overlength date field which can be used\n\
+ to subvert Microsoft mail programs\n\
+ The following URL has further information\n\
+ http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
seen finish
endif
-# This is a nasty compromise.
-# This crud is now being sent with a <> envelope sender, but
+## -----------------------------------------------------------------------
+# These messages are now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
-# bounces getting back.... so we fudge it somewhat
+# bounces getting back.... so we fudge it somewhat and check for known
+# header signatures. Other bounces are allowed through.
if $header_from: contains "@sexyfun.net"
then
fail text "This message has been rejected since it has\n\
- \tthe signature of a known virus in the header."
+ the signature of a known virus in the header."
seen finish
endif
if error_message and $header_from: contains "Mailer-Daemon@"
finish
endif
+## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")"
then
fail text "This message has been rejected because it has\n\
- \tpotentially executable content $1\n\
- \tThis form of attachment has been used by\n\
- \trecent viruses or other malware.\n\
- \tIf you meant to send this file then please\n\
- \tpackage it up as a zip file and resend it."
+ potentially executable content $1\n\
+ This form of attachment has been used by\n\
+ recent viruses or other malware.\n\
+ If you meant to send this file then please\n\
+ package it up as a zip file and resend it."
seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))"
then
fail text "This message has been rejected because it has\n\
- \tpotentially executable content $1\n\
- \tThis form of attachment has been used by\n\
- \trecent viruses or other malware.\n\
- \tIf you meant to send this file then please\n\
- \tpackage it up as a zip file and resend it."
+ potentially executable content $1\n\
+ This form of attachment has been used by\n\
+ recent viruses or other malware.\n\
+ If you meant to send this file then please\n\
+ package it up as a zip file and resend it."
seen finish
endif
+## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
-# the ILOVEYOU virus and its variants
+# the ILOVEYOU virus and its variants - many many varients
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
- \ta potentially executable attachment $1\n\
- \tThis form of attachment has been used by\n\
- \trecent viruses or other malware.\n\
- \tIf you meant to send this file then please\n\
- \tpackage it up as a zip file and resend it."
+ a potentially executable attachment $1\n\
+ This form of attachment has been used by\n\
+ recent viruses or other malware.\n\
+ If you meant to send this file then please\n\
+ package it up as a zip file and resend it."
seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
- \ta potentially executable attachment $1\n\
- \tThis form of attachment has been used by\n\
- \trecent viruses or other malware.\n\
- \tIf you meant to send this file then please\n\
- \tpackage it up as a zip file and resend it."
+ a potentially executable attachment $1\n\
+ This form of attachment has been used by\n\
+ recent viruses or other malware.\n\
+ If you meant to send this file then please\n\
+ package it up as a zip file and resend it."
seen finish
endif
+## -----------------------------------------------------------------------
+
#### Version history
#
# ** Missed changing version number at top of file :-(
# 0.12 10 May, 2001
# Added HTA extension
+# 0.13 22 May, 2001
+# Reformatted regexps and code to build them so that they are
+# shorter than the limits on pre exim 3.20 filters. This will
+# make them significantly less efficient, but I am getting so
+# many queries about this that requiring 3.2x appears unsupportable.
#
#### Install Notes
#
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation depedant - typicaly /etc/exim/config ]
-# at the top the line:-
+# in the first section the line:-
# message_filter = /etc/exim/system_filter.exim
# message_body_visible = 5000
#
git://git.exim.org / exim-website.git / blobdiff