From 4c51cef59384b27d3d397cc897118de32c4f7650 Mon Sep 17 00:00:00 2001 From: nigel Date: Wed, 19 Sep 2001 10:19:42 +0000 Subject: [PATCH] updates --- filter/extension_regexp | 33 ++++++++++++++++++++-------- filter/sysfilter.tmpl | 8 ++++--- filter/system_filter.exim | 46 ++++++++++++++++++++++++++------------- 3 files changed, 60 insertions(+), 27 deletions(-) diff --git a/filter/extension_regexp b/filter/extension_regexp index 9642500..2dcf41a 100644 --- a/filter/extension_regexp +++ b/filter/extension_regexp @@ -1,15 +1,30 @@ -# $Id: extension_regexp,v 1.1 2001/05/18 10:28:13 nigel Exp $ +# $Id: extension_regexp,v 1.2 2001/08/15 10:01:01 nigel Exp $ # matches the list of extensions # uses non-capturing brackets - (?:vb[se] # list of extns - |ws[fh] - |jse? - |exe - |com + (?:ad[ep] # list of extns + |ba[st] + |chm |cmd - |shs + |com + |cpl + |crt + |eml + |exe + |hlp |hta - |bat - |scr + |in[fs] + |isp + |jse? |lnk + |md[be] + |ms[cipt] + |pcd |pif) + |reg + |scr + |sct + |shs + |url + |vb[se] + |ws[fhc]) +# end diff --git a/filter/sysfilter.tmpl b/filter/sysfilter.tmpl index 575dd00..bff7074 100644 --- a/filter/sysfilter.tmpl +++ b/filter/sysfilter.tmpl @@ -1,6 +1,6 @@ # Exim filter -## Version: 0.15 -# $Id: sysfilter.tmpl,v 1.2 2001/08/17 12:44:41 nigel Exp $ +## Version: 0.16 +# $Id: sysfilter.tmpl,v 1.3 2001/08/17 12:46:51 nigel Exp $ ## Exim system filter to refuse potentially harmful payloads in ## mail messages @@ -173,7 +173,9 @@ endif # Changed \w in filename detection to . - dodges locale problems # Explicit application of GPL after queries on license status # 0.15 17 August, 2001 -# Chnaged the . in filename detect to \S (stops it going mad) +# Changed the . in filename detect to \S (stops it going mad) +# 0.16 19 September, 2001 +# Pile of new extensions including the eml in current use # #### Install Notes # diff --git a/filter/system_filter.exim b/filter/system_filter.exim index 0c54507..356ea86 100644 --- a/filter/system_filter.exim 
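Review bot: The rewritten extension list is unbalanced: the context line `|pif)` still carries the bracket that closed the old list, and the new final line `|ws[fhc])` adds a second one, so the non-capturing group opened by `(?:ad[ep]` is closed twice and a stray `)` is left over. The same `pif)|reg` fragment is pasted into all four `matches` expressions in `filter/system_filter.exim` (hunks at lines 80, 91, 108 and 119) and into the commented listing at line 227, so every rule that enforces the list is affected. An unmatched `)` is a PCRE compile error, so presumably the conditions would error out when the filter runs rather than quietly match nothing — worth confirming how Exim treats a failed `matches` here (deferral of the message versus delivering it unchecked), since either way no attachment is being rejected by these rules until it is fixed. The fix is to drop the bracket after `pif`: `|pif` instead of `|pif)` in this file, and `pif|reg` instead of `pif)|reg` in each Exim expression and in the comment block.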
+++ b/filter/system_filter.exim @@ -1,6 +1,6 @@ # Exim filter -## Version: 0.15 -# $Id: sysfilter.tmpl,v 1.3 2001/08/17 12:46:51 nigel Exp $ +## Version: 0.16 +# $Id: sysfilter.tmpl,v 1.4 2001/09/19 10:19:42 nigel Exp $ ## Exim system filter to refuse potentially harmful payloads in ## mail messages @@ -80,7 +80,7 @@ endif ## ----------------------------------------------------------------------- # Look for single part MIME messages with suspicious name extensions # Check Content-Type header using quoted filename [content_type_quoted_fn_match] -if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif)\")" +if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")" then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ @@ -91,7 +91,7 @@ then seen finish endif # same again using unquoted filename [content_type_unquoted_fn_match] -if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif))" +if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc]))" then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ 
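Review bot: The unquoted Content-Type rule `content_type_unquoted_fn_match` (hunk at line 91) still ends its capture immediately after the extension group, `(\\\\S+\\\\.(?:...))`, with nothing bounding the extension on the right, so the short names added here match as prefixes of harmless ones: `name=readme.info` is caught by `in[fs]`, `name=notes.email` by `eml`, `name=setup.urls` by `url`, and the `$1` quoted in the rejection text then shows the truncated `readme.inf` rather than the real name. The quoted rule at line 80 is bounded by the closing `\"` and the body rule at line 119 by its trailing `[\\\\s;]`, so only this rule is exposed, though the same prefix issue already existed for `exe`/`com` before this change. Consider terminating the unquoted capture the way the body rule does, or better with a negative lookahead that refuses a following word character, since `$header_content-type:` may end right after the filename with nothing left for a `[\\\\s;]` class to consume.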
@@ -108,7 +108,7 @@ endif # in emails. These were used as the basis for # the ILOVEYOU virus and its variants - many many varients # Quoted filename - [body_quoted_fn_match] -if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif)\")[\\\\s;]" +if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]" then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ @@ -119,7 +119,7 @@ then seen finish endif # same again using unquoted filename [body_unquoted_fn_match] -if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif))[\\\\s;]" +if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif)|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]" then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ 
@@ -173,7 +173,9 @@ endif # Changed \w in filename detection to . - dodges locale problems # Explicit application of GPL after queries on license status # 0.15 17 August, 2001 -# Chnaged the . in filename detect to \S (stops it going mad) +# Changed the . in filename detect to \S (stops it going mad) +# 0.16 19 September, 2001 +# Pile of new extensions including the eml in current use # #### Install Notes # @@ -227,18 +229,32 @@ endif # (?:file)?name= # filename=/name= # |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode # (\"[^\"]+\. # quoted filename. -# (?:vb[se] # list of extns -# |ws[fh] -# |jse? -# |exe -# |com +# (?:ad[ep] # list of extns +# |ba[st] +# |chm # |cmd -# |shs +# |com +# |cpl +# |crt +# |eml +# |exe +# |hlp # |hta -# |bat -# |scr +# |in[fs] +# |isp +# |jse? # |lnk +# |md[be] +# |ms[cipt] +# |pcd # |pif) +# |reg +# |scr +# |sct +# |shs +# |url +# |vb[se] +# |ws[fhc]) # \" # end quote # ) # end of filename capture # [\s;] # trailing ;/space/newline -- 2.30.2