From: nigel Date: Wed, 15 Aug 2001 10:01:01 +0000 (+0000) Subject: several functional and organisation changes X-Git-Tag: exim-4_70_RC4~128 X-Git-Url: https://git.exim.org/exim-website.git/commitdiff_plain/6b618dd7553a54296b1d6d0d7f1488c9f00e5814 several functional and organisation changes --- diff --git a/filter/body_unquoted_fn_match b/filter/body_unquoted_fn_match index 3e557a1..6623029 100644 --- a/filter/body_unquoted_fn_match +++ b/filter/body_unquoted_fn_match @@ -1,9 +1,9 @@ -# $Id$ +# $Id: body_unquoted_fn_match,v 1.1 2001/05/18 10:28:13 nigel Exp $ # # Match a body attachment with unquoted filename # #include header_regexp - ([\w.-]+\. # unquoted filename.ext + (.+\. # unquoted filename.ext #include extension_regexp ) # end of filename capture [\s;] # trailing ;/space/newline diff --git a/filter/content_type_unquoted_fn_match b/filter/content_type_unquoted_fn_match index f77fdcc..f7dec75 100644 --- a/filter/content_type_unquoted_fn_match +++ b/filter/content_type_unquoted_fn_match @@ -1,8 +1,8 @@ -# $Id$ +# $Id: content_type_unquoted_fn_match,v 1.1 2001/05/18 10:28:13 nigel Exp $ # # Match the content-type header with quoted filename # #include content_type_header - ([\w.-]+\. # unquoted filename.ext + (.+\. # unquoted filename.ext #include extension_regexp ) # end of filename capture diff --git a/filter/extension_regexp b/filter/extension_regexp index f8e2f38..9642500 100644 --- a/filter/extension_regexp +++ b/filter/extension_regexp @@ -1,4 +1,4 @@ -# $Id$ +# $Id: extension_regexp,v 1.1 2001/05/18 10:28:13 nigel Exp $ # matches the list of extensions # uses non-capturing brackets (?:vb[se] # list of extns @@ -11,4 +11,5 @@ |hta |bat |scr + |lnk |pif) diff --git a/filter/mkfilter.pl b/filter/mkfilter.pl new file mode 100644 index 0000000..41dbfbb --- /dev/null +++ b/filter/mkfilter.pl @@ -0,0 +1,74 @@ +#!/usr/bin/perl +# +use strict; +use FileHandle; + + + +sub process_refile { + my $fn = shift; + + my $re; + print STDERR "Opening $fn\n"; + my $fh = FileHandle->new($fn, 'r') || die $!; + while (<$fh>) { + chomp(); + # process includes + if (/^\#include\s/) { + my($junk, $nfn) = split; + $re .= process_refile($nfn); + next; + } + # ignore comments starting at the begining of the line + next if (/^\#/); + # dispose of comments with their leading spaces + s/\s+\#.*$//; + # recode \" -> " + s/\\\"/\"/g; + # double all \ (twice) + s/\\/\\\\/g; + s/\\/\\\\/g; + # escape " again + s/\"/\\\"/g; + # remove all space + s/\s+//g; + # add to re + $re .= $_; + } + return $re; +} + + + +sub process_recfile { + my $fn = shift; + + my $re; + print STDERR "Opening $fn\n"; + my $fh = FileHandle->new($fn, 'r') || die $!; + while (<$fh>) { + chomp(); + # process includes + if (/^\#include\s/) { + my($junk, $nfn) = split; + $re .= process_recfile($nfn); + next; + } + # skip comment only and blank lines + next if (/^\#/); + next if (/^\s*$/); + $re .= "#\t$_\n"; + } + return $re; +} + + + +# main +{ + while(<>) { + s/\[\[([a-z0-9_]+)\]\]/process_refile($1)/ge; + s/\[\<([a-z0-9_]+)\>\]/process_recfile($1)/ge; + print; + } +} diff --git a/filter/sysfilter.tmpl b/filter/sysfilter.tmpl new file mode 100644 index 0000000..3d22546 --- /dev/null +++ b/filter/sysfilter.tmpl @@ -0,0 +1,222 @@ +# Exim filter +## Version: 0.14 +# $Id: system_filter.exim,v 1.4 2001/05/22 08:18:31 nigel Exp $ + +## Exim system filter to refuse potentially harmful payloads in +## mail messages +## (c) 2000-2001 Nigel Metheringham +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +## -A copy of the GNU General Public License is distributed with exim itself + +## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +## If you haven't worked with exim filters before, read +## the install notes at the end of this file. +## The install notes are not a replacement for the exim documentation +## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + +## ----------------------------------------------------------------------- +# Only run any of this stuff on the first pass through the +# filter - this is an optomisation for messages that get +# queued and have several delivery attempts +# +# we express this in reverse so we can just bail out +# on inappropriate messages +# +if not first_delivery +then + finish +endif + +## ----------------------------------------------------------------------- +# Check for MS buffer overruns as per BUGTRAQ. +# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61 +# This could happen in error messages, hence its placing +# here... +# We substract the first n characters of the date header +# and test if its the same as the date header... which +# is a lousy way of checking if the date is longer than +# n chars long +if ${length_80:$header_date:} is not $header_date: +then + fail text "This message has been rejected because it has\n\ + an overlength date field which can be used\n\ + to subvert Microsoft mail programs\n\ + The following URL has further information\n\ + http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61" + seen finish +endif + +## ----------------------------------------------------------------------- +# These messages are now being sent with a <> envelope sender, but +# blocking all error messages that pattern match prevents +# bounces getting back.... so we fudge it somewhat and check for known +# header signatures. Other bounces are allowed through. +if $header_from: contains "@sexyfun.net" +then + fail text "This message has been rejected since it has\n\ + the signature of a known virus in the header." + seen finish +endif +if error_message and $header_from: contains "Mailer-Daemon@" +then + # looks like a real error message - just ignore it + finish +endif + +## ----------------------------------------------------------------------- +# Look for single part MIME messages with suspicious name extensions +# Check Content-Type header using quoted filename [content_type_quoted_fn_match] +if $header_content-type: matches "[[content_type_quoted_fn_match]]" +then + fail text "This message has been rejected because it has\n\ + potentially executable content $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." + seen finish +endif +# same again using unquoted filename [content_type_unquoted_fn_match] +if $header_content-type: matches "[[content_type_unquoted_fn_match]]" +then + fail text "This message has been rejected because it has\n\ + potentially executable content $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." + seen finish +endif + + +## ----------------------------------------------------------------------- +# Attempt to catch embedded VBS attachments +# in emails. These were used as the basis for +# the ILOVEYOU virus and its variants - many many varients +# Quoted filename - [body_quoted_fn_match] +if $message_body matches "[[body_quoted_fn_match]]" +then + fail text "This message has been rejected because it has\n\ + a potentially executable attachment $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." + seen finish +endif +# same again using unquoted filename [body_unquoted_fn_match] +if $message_body matches "[[body_unquoted_fn_match]]" +then + fail text "This message has been rejected because it has\n\ + a potentially executable attachment $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." + seen finish +endif +## ----------------------------------------------------------------------- + + +#### Version history +# +# 0.01 5 May 2000 +# Initial release +# 0.02 8 May 2000 +# Widened list of content-types accepted, added WSF extension +# 0.03 8 May 2000 +# Embedded the install notes in for those that don't do manuals +# 0.04 9 May 2000 +# Check global content-type header. Efficiency mods to REs +# 0.05 9 May 2000 +# More minor efficiency mods, doc changes +# 0.06 20 June 2000 +# Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan +# 0.07 19 July 2000 +# Latest MS Outhouse bug catching +# 0.08 19 July 2000 +# Changed trigger length to 80 chars, fixed some spelling +# 0.09 29 September 2000 +# More extensions... its getting so we should just allow 2 or 3 through +# 0.10 18 January 2001 +# Removed exclusion for error messages - this is a little nasty +# since it has other side effects, hence we do still exclude +# on unix like error messages +# 0.11 20 March, 2001 +# Added CMD extension, tidied docs slightly, added RCS tag +# ** Missed changing version number at top of file :-( +# 0.12 10 May, 2001 +# Added HTA extension +# 0.13 22 May, 2001 +# Reformatted regexps and code to build them so that they are +# shorter than the limits on pre exim 3.20 filters. This will +# make them significantly less efficient, but I am getting so +# many queries about this that requiring 3.2x appears unsupportable. +# 0.14 15 August,2001 +# Added .lnk extension - most requested item :-) +# Reformatted everything so its now built from a set of short +# library files, cutting down on manual duplication. +# Changed \w in filename detection to . - dodges locale problems +# Explicit application of GPL after queries on license status +# +#### Install Notes +# +# Exim filters run the exim filter language - a very primitive +# scripting language - in place of a user .forward file, or on +# a per system basis (on all messages passing through). +# The filtering capability is documented in the main set of manuals +# a copy of which can be found on the exim web site +# http://www.exim.org/ +# +# To install, copy the filter file (with appropriate permissions) +# to /etc/exim/system_filter.exim and add to your exim config file +# [location is installation depedant - typicaly /etc/exim/config ] +# in the first section the line:- +# message_filter = /etc/exim/system_filter.exim +# message_body_visible = 5000 +# +# You may also want to set the message_filter_user & message_filter_group +# options, but they default to the standard exim user and so can +# be left untouched. The other message_filter_* options are only +# needed if you modify this to do other functions such as deliveries. +# The main exim documentation is quite thorough and so I see no need +# to expand it here... +# +# Any message that matches the filter will then be bounced. +# If you wish you can change the error message by editing it +# in the section above - however be careful you don't break it. +# +# After install exim should be restarted - a kill -HUP to the +# daemon will do this. +# +#### LIMITATIONS +# +# This filter tries to parse MIME with a regexp... that doesn't +# work too well. It will also only see the amount of the body +# specified in message_body_visible +# +#### BASIS +# +# The regexp that is used to pickup MIME/uuencoded body parts with +# quoted filenames is replicated below (in perl format). +# You need to remember that exim converts newlines to spaces in +# the message_body variable. +# +[] +# +# +### [End] diff --git a/filter/system_filter.exim b/filter/system_filter.exim index f920ac8..ecef5b6 100644 --- a/filter/system_filter.exim +++ b/filter/system_filter.exim @@ -1,6 +1,6 @@ # Exim filter -## Version: 0.13 -# $Id: system_filter.exim,v 1.3 2001/05/18 10:28:13 nigel Exp $ +## Version: 0.14 +# $Id: system_filter.exim,v 1.4 2001/05/22 08:18:31 nigel Exp $ ## If you haven't worked with exim filters before, read ## the install notes at the end of this file. @@ -18,7 +18,8 @@ then finish endif -# Check for MS buffer overruns as per latest BUGTRAQ. +## ----------------------------------------------------------------------- +# Check for MS buffer overruns as per BUGTRAQ. # http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61 # This could happen in error messages, hence its placing # here... @@ -29,21 +30,22 @@ endif if ${length_80:$header_date:} is not $header_date: then fail text "This message has been rejected because it has\n\ - \tan overlength date field which can be used\n\ - \tto subvert Microsoft mail programs\n\ - \tThe following URL has further information\n\ - \thttp://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61" + an overlength date field which can be used\n\ + to subvert Microsoft mail programs\n\ + The following URL has further information\n\ + http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61" seen finish endif -# This is a nasty compromise. -# This crud is now being sent with a <> envelope sender, but +## ----------------------------------------------------------------------- +# These messages are now being sent with a <> envelope sender, but # blocking all error messages that pattern match prevents -# bounces getting back.... so we fudge it somewhat +# bounces getting back.... so we fudge it somewhat and check for known +# header signatures. Other bounces are allowed through. if $header_from: contains "@sexyfun.net" then fail text "This message has been rejected since it has\n\ - \tthe signature of a known virus in the header." + the signature of a known virus in the header." seen finish endif if error_message and $header_from: contains "Mailer-Daemon@" @@ -52,56 +54,60 @@ then finish endif +## ----------------------------------------------------------------------- # Look for single part MIME messages with suspicious name extensions # Check Content-Type header using quoted filename [content_type_quoted_fn_match] if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")" then fail text "This message has been rejected because it has\n\ - \tpotentially executable content $1\n\ - \tThis form of attachment has been used by\n\ - \trecent viruses or other malware.\n\ - \tIf you meant to send this file then please\n\ - \tpackage it up as a zip file and resend it." + potentially executable content $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." seen finish endif # same again using unquoted filename [content_type_unquoted_fn_match] if $header_content-type: matches "(?:file)?name=([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))" then fail text "This message has been rejected because it has\n\ - \tpotentially executable content $1\n\ - \tThis form of attachment has been used by\n\ - \trecent viruses or other malware.\n\ - \tIf you meant to send this file then please\n\ - \tpackage it up as a zip file and resend it." + potentially executable content $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." seen finish endif +## ----------------------------------------------------------------------- # Attempt to catch embedded VBS attachments # in emails. These were used as the basis for -# the ILOVEYOU virus and its variants +# the ILOVEYOU virus and its variants - many many varients # Quoted filename - [body_quoted_fn_match] if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")[\\\\s;]" then fail text "This message has been rejected because it has\n\ - \ta potentially executable attachment $1\n\ - \tThis form of attachment has been used by\n\ - \trecent viruses or other malware.\n\ - \tIf you meant to send this file then please\n\ - \tpackage it up as a zip file and resend it." + a potentially executable attachment $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." seen finish endif # same again using unquoted filename [body_unquoted_fn_match] if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]" then fail text "This message has been rejected because it has\n\ - \ta potentially executable attachment $1\n\ - \tThis form of attachment has been used by\n\ - \trecent viruses or other malware.\n\ - \tIf you meant to send this file then please\n\ - \tpackage it up as a zip file and resend it." + a potentially executable attachment $1\n\ + This form of attachment has been used by\n\ + recent viruses or other malware.\n\ + If you meant to send this file then please\n\ + package it up as a zip file and resend it." seen finish endif +## ----------------------------------------------------------------------- + #### Version history # @@ -150,7 +156,7 @@ endif # To install, copy the filter file (with appropriate permissions) # to /etc/exim/system_filter.exim and add to your exim config file # [location is installation depedant - typicaly /etc/exim/config ] -# at the top the line:- +# in the first section the line:- # message_filter = /etc/exim/system_filter.exim # message_body_visible = 5000 #