# Exim filter
## Version: 0.17
#   $Id: system_filter.exim,v 1.11 2001/09/19 11:27:56 nigel Exp $

## Exim system filter to refuse potentially harmful payloads in
## mail messages
## (c) 2000-2001 Nigel Metheringham <nigel@exim.org>
##
##     This program is free software; you can redistribute it and/or modify
##    it under the terms of the GNU General Public License as published by
##    the Free Software Foundation; either version 2 of the License, or
##    (at your option) any later version.
##
##    This program is distributed in the hope that it will be useful,
##    but WITHOUT ANY WARRANTY; without even the implied warranty of
##    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
##    GNU General Public License for more details.
##
##    You should have received a copy of the GNU General Public License
##    along with this program; if not, write to the Free Software
##    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
## -A copy of the GNU General Public License is distributed with exim itself

## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
## The install notes are not a replacement for the exim documentation
## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

## -----------------------------------------------------------------------
# Overview of what this filter does, in the order it does it:
#   1. bail out on anything but the first delivery attempt
#   2. reject an over-long Date: header
#   3. reject a header signature of a known virus
#   4. let real-looking bounce messages through untouched
#   5. reject a top-level Content-Type: naming an executable extension
#   6. reject a body part / uuencoded block naming an executable extension
# Every rejection is a "fail" (the message is bounced to the envelope
# sender) followed by "seen finish" so that no other delivery happens.
## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
#
# NOTE(review): a consequence of this shortcut is that a message which
# is already on the queue is never re-examined - tightening the rules
# below only affects messages whose first delivery attempt happens
# after the change.
#
if not first_delivery
then
  finish
endif
## -----------------------------------------------------------------------
# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We subtract the first n characters of the date header
# and test if its the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long
#
# ${length_80:...} yields at most the first 80 characters of the Date:
# header; if that differs from the full header the header is longer
# than 80 characters and the message is rejected.  This test runs
# before the bounce exemption below, so it applies to bounces too.
if ${length_80:$header_date:} is not $header_date:
then
  fail text "This message has been rejected because it has\n\
         an overlength date field which can be used\n\
         to subvert Microsoft mail programs\n\
            The following URL has further information\n\
         http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
  seen finish
endif

## -----------------------------------------------------------------------
# These messages are now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
# bounces getting back.... so we fudge it somewhat and check for known
# header signatures.  Other bounces are allowed through.
if $header_from: contains "@sexyfun.net"
then
  fail text "This message has been rejected since it has\n\
         the signature of a known virus in the header."
  seen finish
endif
# NOTE(review): this exemption is a deliberate trade-off (see 0.10 in
# the version history below), but it is worth understanding its cost:
# "error_message" is true for any message with an empty envelope sender
# and From: is an ordinary header, so both conditions are set by whoever
# submits the message.  Anything that satisfies them skips every
# attachment check that follows.  The exemption exists because failing
# such messages "prevents bounces getting back" (comment above); sites
# that would rather scan bounces as well can move or narrow this test,
# accepting that a matching bounce then gets a fail of its own.
if error_message and $header_from: contains "Mailer-Daemon@"
then
  # looks like a real error message - just ignore it
  finish
endif

## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
#
# $header_content-type: is the message's own (top-level) Content-Type:
# header, so this catches a single-part message whose whole body is the
# attachment.  Parts inside a multipart message are only seen by the
# $message_body tests further down.  The captured filename ($1) is
# echoed into the bounce text so the sender knows what was refused.
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
then
  fail text "This message has been rejected because it has\n\
         potentially executable content $1\n\
         This form of attachment has been used by\n\
            recent viruses or other malware.\n\
         If you meant to send this file then please\n\
         package it up as a zip file and resend it."
  seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
# (\\\\S+ - any run of non-space characters - stands in for the quoted
# filename; see 0.14/0.15 in the version history for why \S rather
# than \w or . is used)
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
then
  fail text "This message has been rejected because it has\n\
         potentially executable content $1\n\
         This form of attachment has been used by\n\
            recent viruses or other malware.\n\
         If you meant to send this file then please\n\
         package it up as a zip file and resend it."
  seen finish
endif


## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# Quoted filename - [body_quoted_fn_match]
#
# This looks inside $message_body for either a MIME part header
# (Content-Type: .../...; or Content-Disposition: attachment;) followed
# by a (file)name= parameter, or a uuencode "begin <mode>" line, and
# then the same extension list as above.  Two things limit what it can
# see, both covered under LIMITATIONS below: only the first
# message_body_visible bytes of the body are examined, and exim has
# already folded newlines in the body to spaces.  The (?>...) groups
# are atomic groups, kept for efficiency (see 0.04/0.05 in the history).
# An annotated, human-readable copy of this regexp is under BASIS below.
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
         a potentially executable attachment $1\n\
         This form of attachment has been used by\n\
            recent viruses or other malware.\n\
         If you meant to send this file then please\n\
         package it up as a zip file and resend it."
  seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
         a potentially executable attachment $1\n\
         This form of attachment has been used by\n\
            recent viruses or other malware.\n\
         If you meant to send this file then please\n\
         package it up as a zip file and resend it."
  seen finish
endif
## -----------------------------------------------------------------------
# NOTE(review): the extension list is duplicated in all four regexps
# above (and in the BASIS section); when adding an extension, change
# every copy or the checks silently disagree with each other.
## -----------------------------------------------------------------------


#### Version history
#
# 0.01 5 May 2000
#   Initial release
# 0.02 8 May 2000
#   Widened list of content-types accepted, added WSF extension
# 0.03 8 May 2000
#   Embedded the install notes in for those that don't do manuals
# 0.04 9 May 2000
#   Check global content-type header.  Efficiency mods to REs
# 0.05 9 May 2000
#   More minor efficiency mods, doc changes
# 0.06 20 June 2000
#   Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
# 0.07 19 July 2000
#   Latest MS Outhouse bug catching
# 0.08 19 July 2000
#   Changed trigger length to 80 chars, fixed some spelling
# 0.09 29 September 2000
#   More extensions... its getting so we should just allow 2 or 3 through
# 0.10 18 January 2001
#   Removed exclusion for error messages - this is a little nasty
#   since it has other side effects, hence we do still exclude
#   on unix like error messages
# 0.11 20 March, 2001
#   Added CMD extension, tidied docs slightly, added RCS tag
#   ** Missed changing version number at top of file :-(
# 0.12 10 May, 2001
#   Added HTA extension
# 0.13 22 May, 2001
#   Reformatted regexps and code to build them so that they are
#   shorter than the limits on pre exim 3.20 filters.  This will
#   make them significantly less efficient, but I am getting so
#   many queries about this that requiring 3.2x appears unsupportable.
# 0.14 15 August,2001
#   Added .lnk extension - most requested item :-)
#   Reformatted everything so its now built from a set of short
#   library files, cutting down on manual duplication.
#   Changed \w in filename detection to . - dodges locale problems
#   Explicit application of GPL after queries on license status
# 0.15 17 August, 2001
#   Changed the . in filename detect to \S (stops it going mad)
# 0.16 19 September, 2001
#   Pile of new extensions including the eml in current use
# 0.17 19 September, 2001
#   Syntax fix
#
#### Install Notes
#
# Exim filters run the exim filter language - a very primitive
# scripting language - in place of a user .forward file, or on
# a per system basis (on all messages passing through).
# The filtering capability is documented in the main set of manuals
# a copy of which can be found on the exim web site
#   http://www.exim.org/
#
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation dependent - typically /etc/exim/config ]
# in the first section the line:-
#   message_filter = /etc/exim/system_filter.exim
#   message_body_visible = 5000
#
# You may also want to set the message_filter_user & message_filter_group
# options, but they default to the standard exim user and so can
# be left untouched.  The other message_filter_* options are only
# needed if you modify this to do other functions such as deliveries.
# The main exim documentation is quite thorough and so I see no need
# to expand it here...
#
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
#
# After install exim should be restarted - a kill -HUP to the
# daemon will do this.
#
#### LIMITATIONS
#
# This filter tries to parse MIME with a regexp... that doesn't
# work too well.  It will also only see the amount of the body
# specified in message_body_visible
#
# It also only knows about the extensions listed in the regexps;
# an attachment whose name does not end in one of them, or one that
# sits beyond the visible part of the body, is not examined at all.
#
#### BASIS
#
# The regexp that is used to pickup MIME/uuencoded body parts with
# quoted filenames is replicated below (in perl format).
# You need to remember that exim converts newlines to spaces in
# the message_body variable.
#
#     (?:Content-                   # start of content header
#     (?:Type: (?>\s*)              # rest of c/t header
#       [\w-]+/[\w-]+               # content-type (any)
#       |Disposition: (?>\s*)           # content-disposition hdr
#       attachment)                 # content-disposition
#     ;(?>\s*)                  # ; space or newline
#     (?:file)?name=                # filename=/name=
#     |begin (?>\s+) [0-7]{3,4} (?>\s+))        # begin octal-mode
#     (\"[^\"]+\.                   # quoted filename.
#       (?:ad[ep]               # list of extns
#       |ba[st]
#       |chm
#       |cmd
#       |com
#       |cpl
#       |crt
#       |eml
#       |exe
#       |hlp
#       |hta
#       |in[fs]
#       |isp
#       |jse?
#       |lnk
#       |md[be]
#       |ms[cipt]
#       |pcd
#       |pif
#       |reg
#       |scr
#       |sct
#       |shs
#       |url
#       |vb[se]
#       |ws[fhc])
#     \"                        # end quote
#     )                     # end of filename capture
#     [\s;]                     # trailing ;/space/newline

#
#
### [End]
