-# $Id: extension_regexp,v 1.2 2001/08/15 10:01:01 nigel Exp $
+# $Id: extension_regexp,v 1.3 2001/09/19 10:19:42 nigel Exp $
# matches the list of extensions
# uses non-capturing brackets
(?:ad[ep] # list of extns
|md[be]
|ms[cipt]
|pcd
- |pif)
+ |pif
|reg
|scr
|sct
# Exim filter
-## Version: 0.16
-# $Id: sysfilter.tmpl,v 1.3 2001/08/17 12:46:51 nigel Exp $
+## Version: 0.17
+# $Id: sysfilter.tmpl,v 1.4 2001/09/19 10:19:42 nigel Exp $
## Exim system filter to refuse potentially harmful payloads in
## mail messages
# Changed the . in filename detect to \S (stops it going mad)
# 0.16 19 September, 2001
# Pile of new extensions including the eml in current use
+# 0.17 19 September, 2001
+# Syntax fix
#
#### Install Notes
#
# Exim filter
-## Version: 0.16
+## Version: 0.17
# $Id: sysfilter.tmpl,v 1.4 2001/09/19 10:19:42 nigel Exp $
## Exim system filter to refuse potentially harmful payloads in
## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
-if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
+if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
-if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
+if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants - many many varients
# Quoted filename - [body_quoted_fn_match]
-if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
-if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
# Changed the . in filename detect to \S (stops it going mad)
# 0.16 19 September, 2001
# Pile of new extensions including the eml in current use
+# 0.17 19 September, 2001
+# Syntax fix
#
#### Install Notes
#
# |md[be]
# |ms[cipt]
# |pcd
-# |pif)
+# |pif
# |reg
# |scr
# |sct
# Exim filter
-## Version: 0.16
-# $Id: system_filter.exim,v 1.8 2001/09/19 10:20:22 nigel Exp $
+## Version: 0.17
+# $Id: sysfilter.tmpl,v 1.4 2001/09/19 10:19:42 nigel Exp $
## Exim system filter to refuse potentially harmful payloads in
## mail messages
## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
-if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
+if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
-if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
+if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants - many many varients
# Quoted filename - [body_quoted_fn_match]
-if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
-if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
# Changed the . in filename detect to \S (stops it going mad)
# 0.16 19 September, 2001
# Pile of new extensions including the eml in current use
+# 0.17 19 September, 2001
+# Syntax fix
#
#### Install Notes
#
# |md[be]
# |ms[cipt]
# |pcd
-# |pif)
+# |pif
# |reg
# |scr
# |sct
git://git.exim.org / exim-website.git / commitdiff