X-Git-Url: https://git.exim.org/exim-website.git/blobdiff_plain/4207b679dad08cfcefbfb3f860bbc7bddbbdfa1e..db453be35770dec364921a866b0874bc59f4d082:/system_filter.exim?ds=sidebyside

diff --git a/system_filter.exim b/system_filter.exim
index abbd023..f920ac8 100644
--- a/system_filter.exim
+++ b/system_filter.exim
@@ -1,5 +1,6 @@
 # Exim filter
-## Version: 0.10
+## Version: 0.13
+#	$Id: system_filter.exim,v 1.3 2001/05/18 10:28:13 nigel Exp $
 
 ## If you haven't worked with exim filters before, read
 ## the install notes at the end of this file.
@@ -52,30 +53,51 @@ then
 endif
 
 # Look for single part MIME messages with suspicious name extensions
-# Check Content-Type header [vb2_regexp]
-if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))"
+# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
+if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")"
 then
   fail text "This message has been rejected because it has\n\
-	     \ta potentially executable attachment $1\n\
+	     \tpotentially executable content $1\n\
 	     \tThis form of attachment has been used by\n\
-             \trecent viruses such as that described in\n\
-	     \thttp://www.fsecure.com/v-descs/love.htm\n\
+             \trecent viruses or other malware.\n\
 	     \tIf you meant to send this file then please\n\
 	     \tpackage it up as a zip file and resend it."
   seen finish
 endif
+# same again using unquoted filename [content_type_unquoted_fn_match]
+if $header_content-type: matches "(?:file)?name=([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))"
+then
+  fail text "This message has been rejected because it has\n\
+	     \tpotentially executable content $1\n\
+	     \tThis form of attachment has been used by\n\
+             \trecent viruses or other malware.\n\
+	     \tIf you meant to send this file then please\n\
+	     \tpackage it up as a zip file and resend it."
+  seen finish
+endif
+
 
 # Attempt to catch embedded VBS attachments
 # in emails.   These were used as the basis for 
 # the ILOVEYOU virus and its variants
-# [vb_regexp]
-if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"
+# Quoted filename - [body_quoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")[\\\\s;]"
 then
   fail text "This message has been rejected because it has\n\
 	     \ta potentially executable attachment $1\n\
 	     \tThis form of attachment has been used by\n\
-             \trecent viruses such as that described in\n\
-	     \thttp://www.fsecure.com/v-descs/love.htm\n\
+             \trecent viruses or other malware.\n\
+	     \tIf you meant to send this file then please\n\
+	     \tpackage it up as a zip file and resend it."
+  seen finish
+endif
+# same again using unquoted filename [body_unquoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]"
+then
+  fail text "This message has been rejected because it has\n\
+	     \ta potentially executable attachment $1\n\
+	     \tThis form of attachment has been used by\n\
+             \trecent viruses or other malware.\n\
 	     \tIf you meant to send this file then please\n\
 	     \tpackage it up as a zip file and resend it."
   seen finish
@@ -105,6 +127,16 @@ endif
 #	Removed exclusion for error messages - this is a little nasty
 #	since it has other side effects, hence we do still exclude
 #	on unix like error messages
+# 0.11 20 March, 2001
+#	Added CMD extension, tidied docs slightly, added RCS tag
+#	** Missed changing version number at top of file :-(
+# 0.12 10 May, 2001
+#	Added HTA extension
+# 0.13 22 May, 2001
+#	Reformatted regexps and code to build them so that they are
+#	shorter than the limits on pre exim 3.20 filters.  This will
+#	make them significantly less efficient, but I am getting so
+#	many queries about this that requiring 3.2x appears unsupportable.
 #
 #### Install Notes
 #
@@ -122,6 +154,13 @@ endif
 #	message_filter = /etc/exim/system_filter.exim
 #	message_body_visible = 5000
 #
+# You may also want to set the message_filter_user & message_filter_group
+# options, but they default to the standard exim user and so can
+# be left untouched.  The other message_filter_* options are only
+# needed if you modify this to do other functions such as deliveries.
+# The main exim documentation is quite thorough and so I see no need
+# to expand it here...
+#
 # Any message that matches the filter will then be bounced.
 # If you wish you can change the error message by editing it
 # in the section above - however be careful you don't break it.
@@ -155,7 +194,9 @@ endif
 #	|jse?
 #	|exe
 #	|com
+#	|cmd
 #	|shs
+#	|hta
 #	|bat
 #	|scr
 #	|pif)
@@ -166,7 +207,9 @@ endif
 #	|jse?
 #	|exe
 #	|com
+#	|cmd
 #	|shs
+#	|hta
 #	|bat
 #	|scr
 #	|pif)