+++ /dev/null
-# Exim filter
-## Version: 0.17
-# $Id: sysfilter.tmpl,v 1.4 2001/09/19 10:19:42 nigel Exp $
-
-## Exim system filter to refuse potentially harmful payloads in
-## mail messages
-## (c) 2000-2001 Nigel Metheringham <nigel@exim.org>
-##
-## This program is free software; you can redistribute it and/or modify
-## it under the terms of the GNU General Public License as published by
-## the Free Software Foundation; either version 2 of the License, or
-## (at your option) any later version.
-##
-## This program is distributed in the hope that it will be useful,
-## but WITHOUT ANY WARRANTY; without even the implied warranty of
-## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-## GNU General Public License for more details.
-##
-## You should have received a copy of the GNU General Public License
-## along with this program; if not, write to the Free Software
-## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-## -A copy of the GNU General Public License is distributed with exim itself
-
-## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-## If you haven't worked with exim filters before, read
-## the install notes at the end of this file.
-## The install notes are not a replacement for the exim documentation
-## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-
-
-## -----------------------------------------------------------------------
-# Only run any of this stuff on the first pass through the
-# filter - this is an optomisation for messages that get
-# queued and have several delivery attempts
-#
-# we express this in reverse so we can just bail out
-# on inappropriate messages
-#
-if not first_delivery
-then
- finish
-endif
-
-## -----------------------------------------------------------------------
-# Check for MS buffer overruns as per BUGTRAQ.
-# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
-# This could happen in error messages, hence its placing
-# here...
-# We substract the first n characters of the date header
-# and test if its the same as the date header... which
-# is a lousy way of checking if the date is longer than
-# n chars long
-if ${length_80:$header_date:} is not $header_date:
-then
- fail text "This message has been rejected because it has\n\
- an overlength date field which can be used\n\
- to subvert Microsoft mail programs\n\
- The following URL has further information\n\
- http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
- seen finish
-endif
-
-## -----------------------------------------------------------------------
-# These messages are now being sent with a <> envelope sender, but
-# blocking all error messages that pattern match prevents
-# bounces getting back.... so we fudge it somewhat and check for known
-# header signatures. Other bounces are allowed through.
-if $header_from: contains "@sexyfun.net"
-then
- fail text "This message has been rejected since it has\n\
- the signature of a known virus in the header."
- seen finish
-endif
-if error_message and $header_from: contains "Mailer-Daemon@"
-then
- # looks like a real error message - just ignore it
- finish
-endif
-
-## -----------------------------------------------------------------------
-# Look for single part MIME messages with suspicious name extensions
-# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
-if $header_content-type: matches "[[content_type_quoted_fn_match]]"
-then
- fail text "This message has been rejected because it has\n\
- potentially executable content $1\n\
- This form of attachment has been used by\n\
- recent viruses or other malware.\n\
- If you meant to send this file then please\n\
- package it up as a zip file and resend it."
- seen finish
-endif
-# same again using unquoted filename [content_type_unquoted_fn_match]
-if $header_content-type: matches "[[content_type_unquoted_fn_match]]"
-then
- fail text "This message has been rejected because it has\n\
- potentially executable content $1\n\
- This form of attachment has been used by\n\
- recent viruses or other malware.\n\
- If you meant to send this file then please\n\
- package it up as a zip file and resend it."
- seen finish
-endif
-
-
-## -----------------------------------------------------------------------
-# Attempt to catch embedded VBS attachments
-# in emails. These were used as the basis for
-# the ILOVEYOU virus and its variants - many many varients
-# Quoted filename - [body_quoted_fn_match]
-if $message_body matches "[[body_quoted_fn_match]]"
-then
- fail text "This message has been rejected because it has\n\
- a potentially executable attachment $1\n\
- This form of attachment has been used by\n\
- recent viruses or other malware.\n\
- If you meant to send this file then please\n\
- package it up as a zip file and resend it."
- seen finish
-endif
-# same again using unquoted filename [body_unquoted_fn_match]
-if $message_body matches "[[body_unquoted_fn_match]]"
-then
- fail text "This message has been rejected because it has\n\
- a potentially executable attachment $1\n\
- This form of attachment has been used by\n\
- recent viruses or other malware.\n\
- If you meant to send this file then please\n\
- package it up as a zip file and resend it."
- seen finish
-endif
-## -----------------------------------------------------------------------
-
-
-#### Version history
-#
-# 0.01 5 May 2000
-# Initial release
-# 0.02 8 May 2000
-# Widened list of content-types accepted, added WSF extension
-# 0.03 8 May 2000
-# Embedded the install notes in for those that don't do manuals
-# 0.04 9 May 2000
-# Check global content-type header. Efficiency mods to REs
-# 0.05 9 May 2000
-# More minor efficiency mods, doc changes
-# 0.06 20 June 2000
-# Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
-# 0.07 19 July 2000
-# Latest MS Outhouse bug catching
-# 0.08 19 July 2000
-# Changed trigger length to 80 chars, fixed some spelling
-# 0.09 29 September 2000
-# More extensions... its getting so we should just allow 2 or 3 through
-# 0.10 18 January 2001
-# Removed exclusion for error messages - this is a little nasty
-# since it has other side effects, hence we do still exclude
-# on unix like error messages
-# 0.11 20 March, 2001
-# Added CMD extension, tidied docs slightly, added RCS tag
-# ** Missed changing version number at top of file :-(
-# 0.12 10 May, 2001
-# Added HTA extension
-# 0.13 22 May, 2001
-# Reformatted regexps and code to build them so that they are
-# shorter than the limits on pre exim 3.20 filters. This will
-# make them significantly less efficient, but I am getting so
-# many queries about this that requiring 3.2x appears unsupportable.
-# 0.14 15 August,2001
-# Added .lnk extension - most requested item :-)
-# Reformatted everything so its now built from a set of short
-# library files, cutting down on manual duplication.
-# Changed \w in filename detection to . - dodges locale problems
-# Explicit application of GPL after queries on license status
-# 0.15 17 August, 2001
-# Changed the . in filename detect to \S (stops it going mad)
-# 0.16 19 September, 2001
-# Pile of new extensions including the eml in current use
-# 0.17 19 September, 2001
-# Syntax fix
-#
-#### Install Notes
-#
-# Exim filters run the exim filter language - a very primitive
-# scripting language - in place of a user .forward file, or on
-# a per system basis (on all messages passing through).
-# The filtering capability is documented in the main set of manuals
-# a copy of which can be found on the exim web site
-# http://www.exim.org/
-#
-# To install, copy the filter file (with appropriate permissions)
-# to /etc/exim/system_filter.exim and add to your exim config file
-# [location is installation depedant - typicaly /etc/exim/config ]
-# in the first section the line:-
-# message_filter = /etc/exim/system_filter.exim
-# message_body_visible = 5000
-#
-# You may also want to set the message_filter_user & message_filter_group
-# options, but they default to the standard exim user and so can
-# be left untouched. The other message_filter_* options are only
-# needed if you modify this to do other functions such as deliveries.
-# The main exim documentation is quite thorough and so I see no need
-# to expand it here...
-#
-# Any message that matches the filter will then be bounced.
-# If you wish you can change the error message by editing it
-# in the section above - however be careful you don't break it.
-#
-# After install exim should be restarted - a kill -HUP to the
-# daemon will do this.
-#
-#### LIMITATIONS
-#
-# This filter tries to parse MIME with a regexp... that doesn't
-# work too well. It will also only see the amount of the body
-# specified in message_body_visible
-#
-#### BASIS
-#
-# The regexp that is used to pickup MIME/uuencoded body parts with
-# quoted filenames is replicated below (in perl format).
-# You need to remember that exim converts newlines to spaces in
-# the message_body variable.
-#
-[<body_quoted_fn_match>]
-#
-#
-### [End]
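Review bot: This deletion drops every check in the template, from the 80-character Date test (`if ${length_80:$header_date:} is not $header_date:`) through the Content-Type and `$message_body` filename matches, and the visible lines show no replacement. The change should state what supersedes the file, and whether installs that followed the notes (`message_filter = /etc/exim/system_filter.exim`, `message_body_visible = 5000`) need to be updated. If the content is being moved rather than retired, the early `finish` under `if error_message and $header_from: contains "Mailer-Daemon@"` should not be carried over unchanged: it keys on a header the sender sets and sits ahead of all the attachment checks, so those checks never run for such messages. The LIMITATIONS section already records that the body checks see only `message_body_visible` bytes and parse MIME with a regexp, which is worth keeping as a documented caveat in whatever replaces this.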