X-Git-Url: https://git.exim.org/exim-website.git/blobdiff_plain/cca3dd4c3a1a143148d108aa43098f367dd017ab..9f3b9be3d3ec0d20b04341f4c36f44657e931b42:/system_filter.exim diff --git a/system_filter.exim b/system_filter.exim index 18a4756..e91a880 100644 --- a/system_filter.exim +++ b/system_filter.exim @@ -1,10 +1,34 @@ # Exim filter -## Version: 0.09 +## Version: 0.17 +# $Id: sysfilter.tmpl,v 1.4 2001/09/19 10:19:42 nigel Exp $ +## Exim system filter to refuse potentially harmful payloads in +## mail messages +## (c) 2000-2001 Nigel Metheringham +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +## -A copy of the GNU General Public License is distributed with exim itself + +## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ## If you haven't worked with exim filters before, read ## the install notes at the end of this file. +## The install notes are not a replacement for the exim documentation +## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# + +## ----------------------------------------------------------------------- # Only run any of this stuff on the first pass through the # filter - this is an optomisation for messages that get # queued and have several delivery attempts @@ -17,7 +41,8 @@ then finish endif -# Check for MS buffer overruns as per latest BUGTRAQ. +## ----------------------------------------------------------------------- +# Check for MS buffer overruns as per BUGTRAQ. # http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61 # This could happen in error messages, hence its placing # here... @@ -28,48 +53,84 @@ endif if ${length_80:$header_date:} is not $header_date: then fail text "This message has been rejected because it has\n\ - \tan overlength date field which can be used\n\ - \tto subvert Microsoft mail programs\n\ - \tThe following URL has further information\n\ - \thttp://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61" + an overlength date field which can be used\n\ + to subvert Microsoft mail programs\n\ + The following URL has further information\n\ + http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61" seen finish endif -# drop out error messages here -if error_message +## ----------------------------------------------------------------------- +# These messages are now being sent with a <> envelope sender, but +# blocking all error messages that pattern match prevents +# bounces getting back.... so we fudge it somewhat and check for known +# header signatures. Other bounces are allowed through. +if $header_from: contains "@sexyfun.net" +then + fail text "This message has been rejected since it has\n\ + the signature of a known virus in the header." + seen finish +endif +if error_message and $header_from: contains "Mailer-Daemon@" then + # looks like a real error message - just ignore it finish endif +## ----------------------------------------------------------------------- # Look for single part MIME messages with suspicious name extensions -# Check Content-Type header [vb2_regexp] -if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))" +# Check Content-Type header using quoted filename [content_type_quoted_fn_match] +if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")" +then + fail text "This message has been rejected because it has\n\ + potentially executable content $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." + seen finish +endif +# same again using unquoted filename [content_type_unquoted_fn_match] +if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))" then fail text "This message has been rejected because it has\n\ - \ta potentially executable attachment $1\n\ - \tThis form of attachment has been used by\n\ - \trecent viruses such as that described in\n\ - \thttp://www.fsecure.com/v-descs/love.htm\n\ - \tIf you meant to send this file then please\n\ - \tpackage it up as a zip file and resend it." + potentially executable content $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." seen finish endif + +## ----------------------------------------------------------------------- # Attempt to catch embedded VBS attachments # in emails. These were used as the basis for -# the ILOVEYOU virus and its variants -# [vb_regexp] -if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]" +# the ILOVEYOU virus and its variants - many many varients +# Quoted filename - [body_quoted_fn_match] +if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]" +then + fail text "This message has been rejected because it has\n\ + a potentially executable attachment $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." + seen finish +endif +# same again using unquoted filename [body_unquoted_fn_match] +if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]" then fail text "This message has been rejected because it has\n\ - \ta potentially executable attachment $1\n\ - \tThis form of attachment has been used by\n\ - \trecent viruses such as that described in\n\ - \thttp://www.fsecure.com/v-descs/love.htm\n\ - \tIf you meant to send this file then please\n\ - \tpackage it up as a zip file and resend it." + a potentially executable attachment $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." seen finish endif +## ----------------------------------------------------------------------- + #### Version history # @@ -91,6 +152,32 @@ endif # Changed trigger length to 80 chars, fixed some spelling # 0.09 29 September 2000 # More extensions... its getting so we should just allow 2 or 3 through +# 0.10 18 January 2001 +# Removed exclusion for error messages - this is a little nasty +# since it has other side effects, hence we do still exclude +# on unix like error messages +# 0.11 20 March, 2001 +# Added CMD extension, tidied docs slightly, added RCS tag +# ** Missed changing version number at top of file :-( +# 0.12 10 May, 2001 +# Added HTA extension +# 0.13 22 May, 2001 +# Reformatted regexps and code to build them so that they are +# shorter than the limits on pre exim 3.20 filters. This will +# make them significantly less efficient, but I am getting so +# many queries about this that requiring 3.2x appears unsupportable. +# 0.14 15 August,2001 +# Added .lnk extension - most requested item :-) +# Reformatted everything so its now built from a set of short +# library files, cutting down on manual duplication. +# Changed \w in filename detection to . - dodges locale problems +# Explicit application of GPL after queries on license status +# 0.15 17 August, 2001 +# Changed the . in filename detect to \S (stops it going mad) +# 0.16 19 September, 2001 +# Pile of new extensions including the eml in current use +# 0.17 19 September, 2001 +# Syntax fix # #### Install Notes # @@ -104,10 +191,17 @@ endif # To install, copy the filter file (with appropriate permissions) # to /etc/exim/system_filter.exim and add to your exim config file # [location is installation depedant - typicaly /etc/exim/config ] -# at the top the line:- +# in the first section the line:- # message_filter = /etc/exim/system_filter.exim # message_body_visible = 5000 # +# You may also want to set the message_filter_user & message_filter_group +# options, but they default to the standard exim user and so can +# be left untouched. The other message_filter_* options are only +# needed if you modify this to do other functions such as deliveries. +# The main exim documentation is quite thorough and so I see no need +# to expand it here... +# # Any message that matches the filter will then be bounced. # If you wish you can change the error message by editing it # in the section above - however be careful you don't break it. @@ -123,41 +217,50 @@ endif # #### BASIS # -# The regexp that is used to pickup MIME/uuencoded parts is replicated -# below (in perl format). You need to remember that exim converts -# newlines to spaces in the message_body variable. -# -# (?:Content- # start of content header -# (?:Type: (?>\s*) # rest of c/t header -# [\w-]+/[\w-]+ # content-type (any) -# |Disposition: (?>\s*) # content-disposition hdr -# attachment) # content-disposition -# ;(?>\s*) # ; space or newline -# (?:file)?name= # filename=/name= -# |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode -# (\"[^\"]+\. # quoted filename. -# (?:vb[se] # list of extns -# |ws[fh] -# |jse? -# |exe -# |com -# |shs -# |bat -# |scr -# |pif) -# \" # end quote -# |[\w.-]+\. # unquoted filename.ext -# (?:vb[se] # list of extns -# |ws[fh] -# |jse? -# |exe -# |com -# |shs -# |bat -# |scr -# |pif) -# ) # end of filename capture -# [\s;] # trailing ;/space/newline +# The regexp that is used to pickup MIME/uuencoded body parts with +# quoted filenames is replicated below (in perl format). +# You need to remember that exim converts newlines to spaces in +# the message_body variable. +# +# (?:Content- # start of content header +# (?:Type: (?>\s*) # rest of c/t header +# [\w-]+/[\w-]+ # content-type (any) +# |Disposition: (?>\s*) # content-disposition hdr +# attachment) # content-disposition +# ;(?>\s*) # ; space or newline +# (?:file)?name= # filename=/name= +# |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode +# (\"[^\"]+\. # quoted filename. +# (?:ad[ep] # list of extns +# |ba[st] +# |chm +# |cmd +# |com +# |cpl +# |crt +# |eml +# |exe +# |hlp +# |hta +# |in[fs] +# |isp +# |jse? +# |lnk +# |md[be] +# |ms[cipt] +# |pcd +# |pif +# |reg +# |scr +# |sct +# |shs +# |url +# |vb[se] +# |ws[fhc]) +# \" # end quote +# ) # end of filename capture +# [\s;] # trailing ;/space/newline + # # ### [End]