X-Git-Url: https://git.exim.org/exim-website.git/blobdiff_plain/6bdb21b01af323e2241ffe3121f37d841d978cbd..3f9d04f65f347a9c6a35e0ce5b8cd838d66da7c6:/system_filter.exim diff --git a/system_filter.exim b/system_filter.exim deleted file mode 100644 index e91a880..0000000 --- a/system_filter.exim +++ /dev/null @@ -1,266 +0,0 @@ -# Exim filter -## Version: 0.17 -# $Id: sysfilter.tmpl,v 1.4 2001/09/19 10:19:42 nigel Exp $ - -## Exim system filter to refuse potentially harmful payloads in -## mail messages -## (c) 2000-2001 Nigel Metheringham -## -## This program is free software; you can redistribute it and/or modify -## it under the terms of the GNU General Public License as published by -## the Free Software Foundation; either version 2 of the License, or -## (at your option) any later version. -## -## This program is distributed in the hope that it will be useful, -## but WITHOUT ANY WARRANTY; without even the implied warranty of -## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -## GNU General Public License for more details. -## -## You should have received a copy of the GNU General Public License -## along with this program; if not, write to the Free Software -## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -## -A copy of the GNU General Public License is distributed with exim itself - -## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -## If you haven't worked with exim filters before, read -## the install notes at the end of this file. -## The install notes are not a replacement for the exim documentation -## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - -## ----------------------------------------------------------------------- -# Only run any of this stuff on the first pass through the -# filter - this is an optomisation for messages that get -# queued and have several delivery attempts -# -# we express this in reverse so we can just bail out -# on inappropriate messages -# -if not first_delivery -then - finish -endif - -## ----------------------------------------------------------------------- -# Check for MS buffer overruns as per BUGTRAQ. -# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61 -# This could happen in error messages, hence its placing -# here... -# We substract the first n characters of the date header -# and test if its the same as the date header... which -# is a lousy way of checking if the date is longer than -# n chars long -if ${length_80:$header_date:} is not $header_date: -then - fail text "This message has been rejected because it has\n\ - an overlength date field which can be used\n\ - to subvert Microsoft mail programs\n\ - The following URL has further information\n\ - http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61" - seen finish -endif - -## ----------------------------------------------------------------------- -# These messages are now being sent with a <> envelope sender, but -# blocking all error messages that pattern match prevents -# bounces getting back.... so we fudge it somewhat and check for known -# header signatures. Other bounces are allowed through. -if $header_from: contains "@sexyfun.net" -then - fail text "This message has been rejected since it has\n\ - the signature of a known virus in the header." - seen finish -endif -if error_message and $header_from: contains "Mailer-Daemon@" -then - # looks like a real error message - just ignore it - finish -endif - -## ----------------------------------------------------------------------- -# Look for single part MIME messages with suspicious name extensions -# Check Content-Type header using quoted filename [content_type_quoted_fn_match] -if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")" -then - fail text "This message has been rejected because it has\n\ - potentially executable content $1\n\ - This form of attachment has been used by\n\ - recent viruses or other malware.\n\ - If you meant to send this file then please\n\ - package it up as a zip file and resend it." - seen finish -endif -# same again using unquoted filename [content_type_unquoted_fn_match] -if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))" -then - fail text "This message has been rejected because it has\n\ - potentially executable content $1\n\ - This form of attachment has been used by\n\ - recent viruses or other malware.\n\ - If you meant to send this file then please\n\ - package it up as a zip file and resend it." - seen finish -endif - - -## ----------------------------------------------------------------------- -# Attempt to catch embedded VBS attachments -# in emails. These were used as the basis for -# the ILOVEYOU virus and its variants - many many varients -# Quoted filename - [body_quoted_fn_match] -if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]" -then - fail text "This message has been rejected because it has\n\ - a potentially executable attachment $1\n\ - This form of attachment has been used by\n\ - recent viruses or other malware.\n\ - If you meant to send this file then please\n\ - package it up as a zip file and resend it." - seen finish -endif -# same again using unquoted filename [body_unquoted_fn_match] -if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]" -then - fail text "This message has been rejected because it has\n\ - a potentially executable attachment $1\n\ - This form of attachment has been used by\n\ - recent viruses or other malware.\n\ - If you meant to send this file then please\n\ - package it up as a zip file and resend it." - seen finish -endif -## ----------------------------------------------------------------------- - - -#### Version history -# -# 0.01 5 May 2000 -# Initial release -# 0.02 8 May 2000 -# Widened list of content-types accepted, added WSF extension -# 0.03 8 May 2000 -# Embedded the install notes in for those that don't do manuals -# 0.04 9 May 2000 -# Check global content-type header. Efficiency mods to REs -# 0.05 9 May 2000 -# More minor efficiency mods, doc changes -# 0.06 20 June 2000 -# Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan -# 0.07 19 July 2000 -# Latest MS Outhouse bug catching -# 0.08 19 July 2000 -# Changed trigger length to 80 chars, fixed some spelling -# 0.09 29 September 2000 -# More extensions... its getting so we should just allow 2 or 3 through -# 0.10 18 January 2001 -# Removed exclusion for error messages - this is a little nasty -# since it has other side effects, hence we do still exclude -# on unix like error messages -# 0.11 20 March, 2001 -# Added CMD extension, tidied docs slightly, added RCS tag -# ** Missed changing version number at top of file :-( -# 0.12 10 May, 2001 -# Added HTA extension -# 0.13 22 May, 2001 -# Reformatted regexps and code to build them so that they are -# shorter than the limits on pre exim 3.20 filters. This will -# make them significantly less efficient, but I am getting so -# many queries about this that requiring 3.2x appears unsupportable. -# 0.14 15 August,2001 -# Added .lnk extension - most requested item :-) -# Reformatted everything so its now built from a set of short -# library files, cutting down on manual duplication. -# Changed \w in filename detection to . - dodges locale problems -# Explicit application of GPL after queries on license status -# 0.15 17 August, 2001 -# Changed the . in filename detect to \S (stops it going mad) -# 0.16 19 September, 2001 -# Pile of new extensions including the eml in current use -# 0.17 19 September, 2001 -# Syntax fix -# -#### Install Notes -# -# Exim filters run the exim filter language - a very primitive -# scripting language - in place of a user .forward file, or on -# a per system basis (on all messages passing through). -# The filtering capability is documented in the main set of manuals -# a copy of which can be found on the exim web site -# http://www.exim.org/ -# -# To install, copy the filter file (with appropriate permissions) -# to /etc/exim/system_filter.exim and add to your exim config file -# [location is installation depedant - typicaly /etc/exim/config ] -# in the first section the line:- -# message_filter = /etc/exim/system_filter.exim -# message_body_visible = 5000 -# -# You may also want to set the message_filter_user & message_filter_group -# options, but they default to the standard exim user and so can -# be left untouched. The other message_filter_* options are only -# needed if you modify this to do other functions such as deliveries. -# The main exim documentation is quite thorough and so I see no need -# to expand it here... -# -# Any message that matches the filter will then be bounced. -# If you wish you can change the error message by editing it -# in the section above - however be careful you don't break it. -# -# After install exim should be restarted - a kill -HUP to the -# daemon will do this. -# -#### LIMITATIONS -# -# This filter tries to parse MIME with a regexp... that doesn't -# work too well. It will also only see the amount of the body -# specified in message_body_visible -# -#### BASIS -# -# The regexp that is used to pickup MIME/uuencoded body parts with -# quoted filenames is replicated below (in perl format). -# You need to remember that exim converts newlines to spaces in -# the message_body variable. -# -# (?:Content- # start of content header -# (?:Type: (?>\s*) # rest of c/t header -# [\w-]+/[\w-]+ # content-type (any) -# |Disposition: (?>\s*) # content-disposition hdr -# attachment) # content-disposition -# ;(?>\s*) # ; space or newline -# (?:file)?name= # filename=/name= -# |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode -# (\"[^\"]+\. # quoted filename. -# (?:ad[ep] # list of extns -# |ba[st] -# |chm -# |cmd -# |com -# |cpl -# |crt -# |eml -# |exe -# |hlp -# |hta -# |in[fs] -# |isp -# |jse? -# |lnk -# |md[be] -# |ms[cipt] -# |pcd -# |pif -# |reg -# |scr -# |sct -# |shs -# |url -# |vb[se] -# |ws[fhc]) -# \" # end quote -# ) # end of filename capture -# [\s;] # trailing ;/space/newline - -# -# -### [End]