From 84d813c6155771aa25b43fedf5ca0f96e115a778 Mon Sep 17 00:00:00 2001
From: nigel
Date: Fri, 18 May 2001 10:28:13 +0000
Subject: [PATCH] filter updates
---
 filter/body_quoted_fn_match | 10 +++++
 filter/body_unquoted_fn_match | 9 ++++
 filter/content_type_header | 3 ++
 filter/content_type_quoted_fn_match | 9 ++++
 filter/content_type_unquoted_fn_match | 8 ++++
 filter/extension_regexp | 14 ++++++
 filter/header_regexp | 10 +++++
 filter/process_re2filtermatch.pl | 62 +++++++++++++++++++--------
 filter/system_filter.exim | 35 ++++++++++++---
 filter/vb_regexp | 1 +
 10 files changed, 138 insertions(+), 23 deletions(-)
 create mode 100644 filter/body_quoted_fn_match
 create mode 100644 filter/body_unquoted_fn_match
 create mode 100644 filter/content_type_header
 create mode 100644 filter/content_type_quoted_fn_match
 create mode 100644 filter/content_type_unquoted_fn_match
 create mode 100644 filter/extension_regexp
 create mode 100644 filter/header_regexp
diff --git a/filter/body_quoted_fn_match b/filter/body_quoted_fn_match
new file mode 100644
index 0000000..dbef067
--- /dev/null
+++ b/filter/body_quoted_fn_match
@@ -0,0 +1,10 @@
+# $Id$
+#
+# Match a body attachment with quoted filename
+#
+#include header_regexp
+ (\"[^\"]+\. # quoted filename.
+#include extension_regexp
+ \" # end quote
+ ) # end of filename capture
+ [\s;] # trailing ;/space/newline
diff --git a/filter/body_unquoted_fn_match b/filter/body_unquoted_fn_match
new file mode 100644
index 0000000..3e557a1
--- /dev/null
+++ b/filter/body_unquoted_fn_match
@@ -0,0 +1,9 @@
+# $Id$
+#
+# Match a body attachment with unquoted filename
+#
+#include header_regexp
+ ([\w.-]+\. # unquoted filename.ext
+#include extension_regexp
+ ) # end of filename capture
+ [\s;] # trailing ;/space/newline
diff --git a/filter/content_type_header b/filter/content_type_header
new file mode 100644
index 0000000..88a3d75
--- /dev/null
+++ b/filter/content_type_header
@@ -0,0 +1,3 @@
+# $Id$
+# Matches the header part
+ (?:file)?name= # filename=/name=
diff --git a/filter/content_type_quoted_fn_match b/filter/content_type_quoted_fn_match
new file mode 100644
index 0000000..f68fa55
--- /dev/null
+++ b/filter/content_type_quoted_fn_match
@@ -0,0 +1,9 @@
+# $Id$
+#
+# Match the content-type header with quoted filename
+#
+#include content_type_header
+ (\"[^\"]+\. # quoted filename.
+#include extension_regexp
+ \" # end quote
+ ) # end of filename capture
diff --git a/filter/content_type_unquoted_fn_match b/filter/content_type_unquoted_fn_match
new file mode 100644
index 0000000..f77fdcc
--- /dev/null
+++ b/filter/content_type_unquoted_fn_match
@@ -0,0 +1,8 @@
+# $Id$
+#
+# Match the content-type header with quoted filename
+#
+#include content_type_header
+ ([\w.-]+\. # unquoted filename.ext
+#include extension_regexp
+ ) # end of filename capture
diff --git a/filter/extension_regexp b/filter/extension_regexp
new file mode 100644
index 0000000..f8e2f38
--- /dev/null
+++ b/filter/extension_regexp
@@ -0,0 +1,14 @@
+# $Id$
+# matches the list of extensions
+# uses non-capturing brackets
+ (?:vb[se] # list of extns
+ |ws[fh]
+ |jse?
+ |exe
+ |com
+ |cmd
+ |shs
+ |hta
+ |bat
+ |scr
+ |pif)
diff --git a/filter/header_regexp b/filter/header_regexp
new file mode 100644
index 0000000..cf5161e
--- /dev/null
+++ b/filter/header_regexp
@@ -0,0 +1,10 @@
+# $Id$
+# Matches the header part
+ (?:Content- # start of content header
+ (?:Type: (?>\s*) # rest of c/t header
+ [\w-]+/[\w-]+ # content-type (any)
+ |Disposition: (?>\s*) # content-disposition hdr
+ attachment) # content-disposition
+ ;(?>\s*) # ; space or newline
+ (?:file)?name= # filename=/name=
+ |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode
diff --git a/filter/process_re2filtermatch.pl b/filter/process_re2filtermatch.pl
index c826702..851a40f 100644
--- a/filter/process_re2filtermatch.pl
+++ b/filter/process_re2filtermatch.pl
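Review bot: In `content_type_unquoted_fn_match` the unquoted filename pattern `([\w.-]+\. … )` has no boundary after the extension, unlike `body_unquoted_fn_match`, which ends with `[\s;]`, so a header such as `name=notes.compressed` is matched as `notes.com` and the message is rejected although it carries no listed extension (a constructed example). Adding a line `(?![\w.-]) # extension must end the token` after the `) # end of filename capture` line closes this without changing what the quoted variant matches, and the generated copy of this regexp in system_filter.exim (`(?:file)?name=([\\\\w.-]+\\\\.(?:…))`, in a later hunk) inherits the gap and needs regenerating once the fragment changes. The description comment in this file is also a copy of the quoted variant's and should read `# Match the content-type header with unquoted filename`.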
@@ -1,22 +1,50 @@ #!/usr/bin/perl # use strict; +use FileHandle; -my $re; -while(<>) { - chomp(); - # dispose of comments with their leading spaces - s/\s+\#.*$//; - # recode \" -> " - s/\\\"/\"/g; - # double all \ (twice) - s/\\/\\\\/g; - s/\\/\\\\/g; - # escape " again - s/\"/\\\"/g; - # remove all space - s/\s+//g; - # add to re - $re .= $_; + + +sub process_file { + my $fn = shift; + + my $re; + print STDERR "Opening $fn\n"; + my $fh = FileHandle->new($fn, 'r') || die $!; + while (<$fh>) { + chomp(); + # process includes + if (/^\#include\s/) { + my($junk, $nfn) = split; + $re .= process_file($nfn); + next; + } + # ignore comments starting at the begining of the line + next if (/^\#/); + # dispose of comments with their leading spaces + s/\s+\#.*$//; + # recode \" -> " + s/\\\"/\"/g; + # double all \ (twice) + s/\\/\\\\/g; + s/\\/\\\\/g; + # escape " again + s/\"/\\\"/g; + # remove all space + s/\s+//g; + # add to re + $re .= $_; + } + return $re; +} + + + +# main +{ + my $re; + while($_ = shift) { + $re .= process_file($_); + } + print "\"$re\"\n"; } -print "\"$re\"\n"; diff --git a/filter/system_filter.exim b/filter/system_filter.exim index 585316f..f8e5fd4 100644 --- a/filter/system_filter.exim +++ b/filter/system_filter.exim @@ -1,6 +1,6 @@ # Exim filter ## Version: 0.12 -# $Id: system_filter.exim,v 1.4 2001/03/20 21:24:40 nigel Exp $ +# $Id: system_filter.exim,v 1.2 2001/05/10 11:35:45 nigel Exp $ ## If you haven't worked with exim filters before, read ## the install notes at the end of this file. 
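Review bot: `process_file` recurses on every `#include` with no guard, so a fragment that includes itself, or two fragments that include each other, recurses until the process exhausts memory (Perl's `Deep recursion` warning is not fatal) with one open handle per level. A depth limit suffices for this layout: `my ($fn, $depth) = (shift, shift || 0);` in place of `my $fn = shift;`, then `die "include nesting too deep at $fn\n" if $depth > 10;`, and `$re .= process_file($nfn, $depth + 1);` for the recursive call. The include name is also opened as given, so it resolves against the current directory rather than the including file's directory; this looks intended for a script run inside `filter/`, but the open failure message should then include the filename so a wrong working directory is obvious. A header comment describing the fragment format would help the next maintainer: `#include <file>` on a line of its own splices in another fragment, lines starting with `#` are skipped, a trailing ` #` comment and all whitespace are stripped, and the pieces are emitted as one double-quoted Exim string with backslashes doubled twice for Exim's own unescaping.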
@@ -53,11 +53,22 @@ then endif # Look for single part MIME messages with suspicious name extensions -# Check Content-Type header [vb2_regexp] -if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))" +# Check Content-Type header using quoted filename [content_type_quoted_fn_match] +if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")" then fail text "This message has been rejected because it has\n\ - \ta potentially executable attachment $1\n\ + \tpotentially executable content $1\n\ + \tThis form of attachment has been used by\n\ + \trecent viruses or other malware.\n\ + \tIf you meant to send this file then please\n\ + \tpackage it up as a zip file and resend it." + seen finish +endif +# same again using unquoted filename [content_type_unquoted_fn_match] +if $header_content-type: matches "(?:file)?name=([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))" +then + fail text "This message has been rejected because it has\n\ + \tpotentially executable content $1\n\ \tThis form of attachment has been used by\n\ \trecent viruses or other malware.\n\ \tIf you meant to send this file then please\n\ 
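Review bot: The two regexps introduced here are the expanded form of `content_type_quoted_fn_match` and `content_type_unquoted_fn_match`, but nothing in this file says they are generated, so a later hand edit would silently diverge from the fragments. A comment above the first `if`, such as `# Regexps below are generated from the named fragment files by process_re2filtermatch.pl; change the fragments and regenerate rather than editing here`, would make that explicit, and the body checks in the next hunk need the same note. The rejection text was also changed to `\tpotentially executable content $1\n\` while the body checks in the next hunk keep `\ta potentially executable attachment $1\n\`; since `$1` is the captured filename in both, one wording would read consistently to recipients. The surrounding filter continues outside the hunk on both sides.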
@@ -65,11 +76,23 @@ then seen finish endif + # Attempt to catch embedded VBS attachments # in emails. These were used as the basis for # the ILOVEYOU virus and its variants -# [vb_regexp] -if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]" +# Quoted filename - [body_quoted_fn_match] +if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")[\\\\s;]" +then + fail text "This message has been rejected because it has\n\ + \ta potentially executable attachment $1\n\ + \tThis form of attachment has been used by\n\ + \trecent viruses or other malware.\n\ + \tIf you meant to send this file then please\n\ + \tpackage it up as a zip file and resend it." + seen finish +endif +# same again using unquoted filename [body_unquoted_fn_match] +if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]" then fail text "This message has been rejected because it has\n\ \ta potentially executable attachment $1\n\ diff --git a/filter/vb_regexp b/filter/vb_regexp index d7d3609..d0630b2 100644 --- a/filter/vb_regexp +++ b/filter/vb_regexp @@ -12,6 +12,7 @@ |jse? |exe |com + |cmd |shs |hta |bat -- 2.30.2
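Review bot: Adding `|cmd` here keeps `vb_regexp` alive as a second copy of the extension list that `extension_regexp` (new in this commit) now owns, so the two must be edited in lockstep; system_filter.exim no longer cites `[vb_regexp]` or `[vb2_regexp]` after this commit, as the removed comments in the previous file show. If `vb_regexp` is still wanted as a combined pattern, rebuilding it from the fragments with `#include header_regexp` and `#include extension_regexp` removes the duplicate list; otherwise deleting it avoids the drift. The hunk shows only the middle of the alternation, so the file's remaining lines are outside this view.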