updates to filter and news

diff --git a/filter/system_filter.exim b/filter/system_filter.exim
index f8e5fd434ae06f1f11d8b30b3760089699138065..f920ac8ca5a5143a1fd71cc9b43430124296ab1c 100644 (file)
--- a/filter/system_filter.exim
+++ b/filter/system_filter.exim
@@ -1,6 +1,6 @@
 # Exim filter
 # Exim filter

-## Version: 0.12
-#      $Id: system_filter.exim,v 1.2 2001/05/10 11:35:45 nigel Exp $
+## Version: 0.13
+#      $Id: system_filter.exim,v 1.3 2001/05/18 10:28:13 nigel Exp $

 
 ## If you haven't worked with exim filters before, read
 ## the install notes at the end of this file.
 
 ## If you haven't worked with exim filters before, read
 ## the install notes at the end of this file.


@@ -132,6 +132,11 @@ endif
 #      ** Missed changing version number at top of file :-(
 # 0.12 10 May, 2001
 #      Added HTA extension
 #      ** Missed changing version number at top of file :-(
 # 0.12 10 May, 2001
 #      Added HTA extension

+# 0.13 22 May, 2001
+#      Reformatted regexps and code to build them so that they are
+#      shorter than the limits on pre exim 3.20 filters.  This will
+#      make them significantly less efficient, but I am getting so
+#      many queries about this that requiring 3.2x appears unsupportable.

 #
 #### Install Notes
 #
 #
 #### Install Notes
 #

diff --git a/home.html b/home.html
index b411a43f3725b28b82e69eadeda52086c760857e..e3723517cbb2a832a4d849ba00300a38efafa535 100644 (file)
--- a/home.html
+++ b/home.html
@@ -26,6 +26,8 @@
 
     <h2>New Things</h2>
     <ul>
 
     <h2>New Things</h2>
     <ul>

+      <li><strong>Introductory Exim Workshop</strong> is running at Cambridge (UK) on
+       24/25 July 2001.  <a href="http://www-tus.csx.cam.ac.uk/courses/exim/">Full details</a>.</li>

       <li>
        Exim Version 3.22 is available - see the <a
        href="mirrors.html">availability</a> pages to get hold of a
       <li>
        Exim Version 3.22 is available - see the <a
        href="mirrors.html">availability</a> pages to get hold of a


@@ -46,7 +48,7 @@
        HREF="http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61">
        BugTraq article</A>).  It is not infallible, but many sites
        may find it useful.  The file contains installation
        HREF="http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61">
        BugTraq article</A>).  It is not infallible, but many sites
        may find it useful.  The file contains installation

-       instructions.
+       instructions.  Version 0.13 released on 22 May.

       </li>
     </ul>
 
       </li>
     </ul>
 


@@ -59,6 +61,6 @@
     <hr>
     <address><a href="mailto:Postmaster@exim.org">Nigel Metheringham</a></address>
 <!-- Created: Sun May 16 21:43:01 BST 1999 -->
     <hr>
     <address><a href="mailto:Postmaster@exim.org">Nigel Metheringham</a></address>
 <!-- Created: Sun May 16 21:43:01 BST 1999 -->

-    <h6>$Id: home.html,v 1.10 2001/04/24 20:14:42 nigel Exp $</h6>
+    <h6>$Id: home.html,v 1.11 2001/04/24 20:18:00 nigel Exp $</h6>

   </body>
 </html>
   </body>
 </html>

diff --git a/system_filter.exim b/system_filter.exim
index 585316fe78a8dbc8b5de0c4238bc39bbce131f7b..f920ac8ca5a5143a1fd71cc9b43430124296ab1c 100644 (file)
--- a/system_filter.exim
+++ b/system_filter.exim
@@ -1,6 +1,6 @@
 # Exim filter
 # Exim filter

-## Version: 0.12
-#      $Id: system_filter.exim,v 1.4 2001/03/20 21:24:40 nigel Exp $
+## Version: 0.13
+#      $Id: system_filter.exim,v 1.3 2001/05/18 10:28:13 nigel Exp $

 
 ## If you haven't worked with exim filters before, read
 ## the install notes at the end of this file.
 
 ## If you haven't worked with exim filters before, read
 ## the install notes at the end of this file.


@@ -53,11 +53,22 @@ then
 endif
 
 # Look for single part MIME messages with suspicious name extensions
 endif
 
 # Look for single part MIME messages with suspicious name extensions

-# Check Content-Type header [vb2_regexp]
-if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))"
+# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
+if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")"

 then
   fail text "This message has been rejected because it has\n\
 then
   fail text "This message has been rejected because it has\n\

-            \ta potentially executable attachment $1\n\
+            \tpotentially executable content $1\n\
+            \tThis form of attachment has been used by\n\
+             \trecent viruses or other malware.\n\
+            \tIf you meant to send this file then please\n\
+            \tpackage it up as a zip file and resend it."
+  seen finish
+endif
+# same again using unquoted filename [content_type_unquoted_fn_match]
+if $header_content-type: matches "(?:file)?name=([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))"
+then
+  fail text "This message has been rejected because it has\n\
+            \tpotentially executable content $1\n\

             \tThis form of attachment has been used by\n\
              \trecent viruses or other malware.\n\
             \tIf you meant to send this file then please\n\
             \tThis form of attachment has been used by\n\
              \trecent viruses or other malware.\n\
             \tIf you meant to send this file then please\n\


@@ -65,11 +76,23 @@ then
   seen finish
 endif
 
   seen finish
 endif
 

+

 # Attempt to catch embedded VBS attachments
 # in emails.   These were used as the basis for 
 # the ILOVEYOU virus and its variants
 # Attempt to catch embedded VBS attachments
 # in emails.   These were used as the basis for 
 # the ILOVEYOU virus and its variants

-# [vb_regexp]
-if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]"
+# Quoted filename - [body_quoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")[\\\\s;]"
+then
+  fail text "This message has been rejected because it has\n\
+            \ta potentially executable attachment $1\n\
+            \tThis form of attachment has been used by\n\
+             \trecent viruses or other malware.\n\
+            \tIf you meant to send this file then please\n\
+            \tpackage it up as a zip file and resend it."
+  seen finish
+endif
+# same again using unquoted filename [body_unquoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]"

 then
   fail text "This message has been rejected because it has\n\
             \ta potentially executable attachment $1\n\
 then
   fail text "This message has been rejected because it has\n\
             \ta potentially executable attachment $1\n\


@@ -109,6 +132,11 @@ endif
 #      ** Missed changing version number at top of file :-(
 # 0.12 10 May, 2001
 #      Added HTA extension
 #      ** Missed changing version number at top of file :-(
 # 0.12 10 May, 2001
 #      Added HTA extension

+# 0.13 22 May, 2001
+#      Reformatted regexps and code to build them so that they are
+#      shorter than the limits on pre exim 3.20 filters.  This will
+#      make them significantly less efficient, but I am getting so
+#      many queries about this that requiring 3.2x appears unsupportable.

 #
 #### Install Notes
 #
 #
 #### Install Notes
 #