X-Git-Url: https://git.exim.org/exim-website.git/blobdiff_plain/882a0c8486fccec5f4fd593f20a74d7f429ef6bb..84d813c6155771aa25b43fedf5ca0f96e115a778:/filter/system_filter.exim diff --git a/filter/system_filter.exim b/filter/system_filter.exim index 585316f..f8e5fd4 100644 --- a/filter/system_filter.exim +++ b/filter/system_filter.exim @@ -1,6 +1,6 @@ # Exim filter ## Version: 0.12 -# $Id: system_filter.exim,v 1.4 2001/03/20 21:24:40 nigel Exp $ +# $Id: system_filter.exim,v 1.2 2001/05/10 11:35:45 nigel Exp $ ## If you haven't worked with exim filters before, read ## the install notes at the end of this file. @@ -53,11 +53,22 @@ then endif # Look for single part MIME messages with suspicious name extensions -# Check Content-Type header [vb2_regexp] -if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))" +# Check Content-Type header using quoted filename [content_type_quoted_fn_match] +if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")" then fail text "This message has been rejected because it has\n\ - \ta potentially executable attachment $1\n\ + \tpotentially executable content $1\n\ + \tThis form of attachment has been used by\n\ + \trecent viruses or other malware.\n\ + \tIf you meant to send this file then please\n\ + \tpackage it up as a zip file and resend it." + seen finish +endif +# same again using unquoted filename [content_type_unquoted_fn_match] +if $header_content-type: matches "(?:file)?name=([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))" +then + fail text "This message has been rejected because it has\n\ + \tpotentially executable content $1\n\ \tThis form of attachment has been used by\n\ \trecent viruses or other malware.\n\ \tIf you meant to send this file then please\n\ @@ -65,11 +76,23 @@ then seen finish endif + # Attempt to catch embedded VBS attachments # in emails. These were used as the basis for # the ILOVEYOU virus and its variants -# [vb_regexp] -if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]" +# Quoted filename - [body_quoted_fn_match] +if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")[\\\\s;]" +then + fail text "This message has been rejected because it has\n\ + \ta potentially executable attachment $1\n\ + \tThis form of attachment has been used by\n\ + \trecent viruses or other malware.\n\ + \tIf you meant to send this file then please\n\ + \tpackage it up as a zip file and resend it." + seen finish +endif +# same again using unquoted filename [body_unquoted_fn_match] +if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]" then fail text "This message has been rejected because it has\n\ \ta potentially executable attachment $1\n\