
Untitled

a guest
Sep 13th, 2018
  1. # Exim filter
  2. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  3. # cPanel System Filter for EXIM #
  4. # VERSION = 2.0 #
  5. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  6. # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! #
  7. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  8. # Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is #
  9. # next rebuilt. To have modifications retained, please use one of the following options: #
  10. # #
  11. # 1) #
  12. # * Place each sysfilter block you wish to include in a unique file at: #
  13. # /usr/local/cpanel/etc/exim/sysfilter/options/ #
  14. # * Enable or disable the custom block in WHM using: #
  15. # Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file] #
  16. # #
  17. # 2) #
  18. # * Create a custom sysfilter file in /etc/ #
  19. # * Change the location of the sysfilter file in WHM using: #
  20. # Service Configuration => Exim Configuration Manager => Filters => System Filter File #
  21. # #
  22. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  23. # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! #
  24. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  25. # #
  26. # Only process once #
  27. # #
  28. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  # Run the checks below only on the first delivery attempt for a message;
  # on any later attempt the filter stops here without taking action.
  if not first_delivery then
    finish
  endif
  33. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  34. # #
  35. # Ignore "real" errors #
  36. # #
  37. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  # Leave bounce messages alone: stop filtering when Exim classifies the message
  # as an error message and its From: header contains "Mailer-Daemon@".
  # NOTE(review): a message that takes this exit gets none of the attachment
  # checks further down, and the From: header is written by the sending side.
  # Treat this as a convenience exemption, not as a trust decision.
  if error_message
     and $header_from: contains "Mailer-Daemon@"
  then
    finish
  endif
  42. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  43.  
  44. # BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments
  45. # (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
  46. # or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
  47. ## -----------------------------------------------------------------------
  48. # Look for single part MIME messages with suspicious name extensions
  49. # Check Content-Type header using quoted filename [content_type_quoted_fn_match]
  # Quoted-name check on the message's own Content-Type: header. It fires when a
  # name="..." or filename="..." parameter ends in one of the listed extensions
  # immediately before the closing quote. Lower-case `matches` compares without
  # regard to case.
  # The `\\\\` runs are presumably unescaped twice (quoted string, then string
  # expansion) before the regex engine sees a single backslash - verify before
  # editing the pattern.
  # NOTE(review): only the declared name is tested, never the content, and the
  # version history later in this file ends in 2001 - confirm the extension list
  # still matches current policy.
  if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
  then
  # Bounce the message with an explanation. $1 is the captured name, including
  # its quotes.
  # NOTE(review): $1 is sender-supplied text copied into the bounce, and a bounce
  # goes to the envelope sender, which can be forged. Rejecting at SMTP time
  # would avoid generating that mail - TODO confirm whether an ACL already does.
  fail text "This message has been rejected because it has\n\
  potentially executable content $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  # Stop filtering; no later rule sees a rejected message.
  seen finish
  endif
  60. # same again using unquoted filename [content_type_unquoted_fn_match]
  # Unquoted-name variant of the Content-Type: header check. The name is a run of
  # non-space characters ending in a listed extension, and it must be followed by
  # white space, a semicolon or (presumably, via the escaped `$`) the end of the
  # header value.
  # NOTE(review): like the quoted variant, this looks at the advertised file name
  # only. A name that does not end in a listed extension is not examined.
  if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
  then
  # Bounce with the same wording as the quoted check. $1 is the captured name.
  fail text "This message has been rejected because it has\n\
  potentially executable content $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  # Stop filtering once the message has been failed.
  seen finish
  endif
  71.  
  72.  
  73. ## -----------------------------------------------------------------------
  74. # Attempt to catch embedded VBS attachments
  75. # in emails. These were used as the basis for
  76. # the ILOVEYOU virus and its variants - many, many variants
  77. # Quoted filename - [body_quoted_fn_match]
  # Body check, quoted names. It searches $message_body for either a MIME part
  # header (Content-Type: type/subtype; or Content-Disposition: attachment;
  # followed by name= / filename=) or a uuencode "begin <octal mode>" line, then
  # for a quoted name ending in a listed extension.
  # Per the LIMITATIONS and BASIS notes in this file, Exim exposes only the first
  # message_body_visible bytes of the body and turns newlines into spaces, so a
  # part that starts beyond that window is never seen by this rule.
  if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
  then
  # Bounce the message. $1 is the quoted attachment name found in the body.
  # NOTE(review): the name comes from the message itself and is echoed to the
  # envelope sender unchanged.
  fail text "This message has been rejected because it has\n\
  a potentially executable attachment $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  # Stop filtering once the message has been failed.
  seen finish
  endif
  88. # same again using unquoted filename [body_unquoted_fn_match]
  # Body check, unquoted names. The leading alternatives are the same as in the
  # quoted body check (a MIME part header or a uuencode "begin" line), but the
  # name is a run of non-space characters ending in a listed extension, followed
  # by white space or a semicolon.
  # This rule works on the same truncated, newline-flattened $message_body, so it
  # is a best-effort pattern match rather than a MIME parse.
  if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
  then
  # Bounce the message. $1 is the unquoted attachment name that matched.
  fail text "This message has been rejected because it has\n\
  a potentially executable attachment $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  # Stop filtering once the message has been failed.
  seen finish
  endif
  99. ## -----------------------------------------------------------------------
  100.  
  101.  
  102.  
  103. #### Version history
  104. #
  105. # 0.01 5 May 2000
  106. # Initial release
  107. # 0.02 8 May 2000
  108. # Widened list of content-types accepted, added WSF extension
  109. # 0.03 8 May 2000
  110. # Embedded the install notes in for those that don't do manuals
  111. # 0.04 9 May 2000
  112. # Check global content-type header. Efficiency mods to REs
  113. # 0.05 9 May 2000
  114. # More minor efficiency mods, doc changes
  115. # 0.06 20 June 2000
  116. # Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
  117. # 0.07 19 July 2000
  118. # Latest MS Outhouse bug catching
  119. # 0.08 19 July 2000
  120. # Changed trigger length to 80 chars, fixed some spelling
  121. # 0.09 29 September 2000
  122. # More extensions... it's getting so we should just allow 2 or 3 through
  123. # 0.10 18 January 2001
  124. # Removed exclusion for error messages - this is a little nasty
  125. # since it has other side effects, hence we do still exclude
  126. # on unix like error messages
  127. # 0.11 20 March, 2001
  128. # Added CMD extension, tidied docs slightly, added RCS tag
  129. # ** Missed changing version number at top of file :-(
  130. # 0.12 10 May, 2001
  131. # Added HTA extension
  132. # 0.13 22 May, 2001
  133. # Reformatted regexps and code to build them so that they are
  134. # shorter than the limits on pre exim 3.20 filters. This will
  135. # make them significantly less efficient, but I am getting so
  136. # many queries about this that requiring 3.2x appears unsupportable.
  137. # 0.14 15 August,2001
  138. # Added .lnk extension - most requested item :-)
  139. # Reformatted everything so it's now built from a set of short
  140. # library files, cutting down on manual duplication.
  141. # Changed \w in filename detection to . - dodges locale problems
  142. # Explicit application of GPL after queries on license status
  143. # 0.15 17 August, 2001
  144. # Changed the . in filename detect to \S (stops it going mad)
  145. # 0.16 19 September, 2001
  146. # Pile of new extensions including the eml in current use
  147. # 0.17 19 September, 2001
  148. # Syntax fix
  149. #
  150. #### Install Notes
  151. #
  152. # Exim filters run the exim filter language - a very primitive
  153. # scripting language - in place of a user .forward file, or on
  154. # a per system basis (on all messages passing through).
  155. # The filtering capability is documented in the main set of manuals
  156. # a copy of which can be found on the exim web site
  157. # http://www.exim.org/
  158. #
  159. # To install, copy the filter file (with appropriate permissions)
  160. # to /etc/exim/system_filter.exim and add to your exim config file
  161. # [location is installation dependent - typically /etc/exim/config ]
  162. # in the first section the line:-
  163. # message_filter = /etc/exim/system_filter.exim
  164. # message_body_visible = 5000
  165. #
  166. # You may also want to set the message_filter_user & message_filter_group
  167. # options, but they default to the standard exim user and so can
  168. # be left untouched. The other message_filter_* options are only
  169. # needed if you modify this to do other functions such as deliveries.
  170. # The main exim documentation is quite thorough and so I see no need
  171. # to expand it here...
  172. #
  173. # Any message that matches the filter will then be bounced.
  174. # If you wish you can change the error message by editing it
  175. # in the section above - however be careful you don't break it.
  176. #
  177. # After install exim should be restarted - a kill -HUP to the
  178. # daemon will do this.
  179. #
  180. #### LIMITATIONS
  181. #
  182. # This filter tries to parse MIME with a regexp... that doesn't
  183. # work too well. It will also only see the amount of the body
  184. # specified in message_body_visible
  185. #
  186. #### BASIS
  187. #
  188. # The regexp that is used to pickup MIME/uuencoded body parts with
  189. # quoted filenames is replicated below (in perl format).
  190. # You need to remember that exim converts newlines to spaces in
  191. # the message_body variable.
  192. #
  193. # (?:Content- # start of content header
  194. # (?:Type: (?>\s*) # rest of c/t header
  195. # [\w-]+/[\w-]+ # content-type (any)
  196. # |Disposition: (?>\s*) # content-disposition hdr
  197. # attachment) # content-disposition
  198. # ;(?>\s*) # ; space or newline
  199. # (?:file)?name= # filename=/name=
  200. # |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode
  201. # (\"[^\"]+\. # quoted filename.
  202. # (?:ad[ep] # list of extns
  203. # |ba[st]
  204. # |chm
  205. # |cmd
  206. # |com
  207. # |cpl
  208. # |crt
  209. # |eml
  210. # |exe
  211. # |hlp
  212. # |hta
  213. # |in[fs]
  214. # |isp
  215. # |jse?
  216. # |lnk
  217. # |md[be]
  218. # |ms[cipt]
  219. # |pcd
  220. # |pif
  221. # |reg
  222. # |scr
  223. # |sct
  224. # |shs
  225. # |url
  226. # |vb[se]
  227. # |ws[fhc])
  228. # \" # end quote
  229. # ) # end of filename capture
  230. # [\s;] # trailing ;/space/newline
  231.  
  232. #
  233. #
  234. ### [End]
  235. # END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments
  236.  
  237. # BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite
  238. # (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
  239. # or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
  # If the message has an X-Spam-Subject: header, make its raw value the new
  # Subject: and then drop the helper header. The replacement Subject: is added
  # before X-Spam-Subject is removed, so the order of the three commands matters.
  if "${if def:header_X-Spam-Subject: {there}}" is there then
    headers remove Subject
    headers add "Subject: $rh_X-Spam-Subject:"
    headers remove X-Spam-Subject
  endif
  246. # END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite
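  # Site-local rule for enviromatters: send an extra copy of mail from the listed
  # staff mailboxes (Harjeet, Barry, Chetan, Russell and the test account) to
  # directors@enviromatters.co.nz. "unseen" keeps normal delivery going as well.
  #
  # NOTE(review): the banner at the top of this file says direct edits are lost
  # when the configuration is next rebuilt. To survive a rebuild this rule needs
  # its own file under /usr/local/cpanel/etc/exim/sysfilter/options/.
  #
  # The sender test extracts the address with ${address:...} and compares it with
  # `is`, so only the exact mailbox matches. A `contains` test on the whole From:
  # header is a substring match: "ct@enviromatters.co.nz" would also match any
  # local part that ends in "ct", and the text could sit in the display name.
  # A From: header that does not parse yields an empty string, so no copy is made.
  #
  # NOTE(review): From: and X-Spam-Checker-Version: are both supplied with the
  # message, so neither shows who actually submitted it. If copies must be taken
  # only for genuine staff mail, add a condition on how the message was submitted
  # (for example, authenticated submission) - TODO confirm against the mail flow.
  # The X-Spam-Checker-Version test presumably excludes mail that has already
  # been through the local SpamAssassin scan - confirm the intent.
  if first_delivery
     and ("${address:$h_from:}" is "harjeet@enviromatters.co.nz"
       or "${address:$h_from:}" is "bf@enviromatters.co.nz"
       or "${address:$h_from:}" is "ct@enviromatters.co.nz"
       or "${address:$h_from:}" is "russell@enviromatters.co.nz"
       or "${address:$h_from:}" is "harman@enviromatters.co.nz")
     and not ("$h_X-Spam-Checker-Version:" begins "SpamAssassin")
  then
    unseen deliver "directors@enviromatters.co.nz"
  endif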