/etc/system_filter.exim

# Exim filter
#VERSION=1.3
## Version: 0.17e
# $Id: system_filter.exim,v 1.11 2001/09/19 11:27:56 nigel Exp $

## Exim system filter to refuse potentially harmful payloads in
## mail messages
## (c) 2000-2001 Nigel Metheringham <[email protected]>
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
## -A copy of the GNU General Public License is distributed with exim itself

## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
## The install notes are not a replacement for the exim documentation
## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

## Summary of what this version of the file does (review notes):
##  - Every detection below ends in "seen finish": a matching message
##    is dropped without a bounce and without a log line from this
##    filter (there is no "fail" and no "logwrite" anywhere in it).
##    If you need visibility of what is being dropped, add a
##    "logwrite" before each "seen finish".
##  - Two early exits use plain "finish" (no "seen"): a message that
##    takes one of those paths skips every check that follows and is
##    delivered normally.
##  - The quadruple backslashes in the regexps are deliberate: the
##    filter's double-quote processing and the string expansion that
##    follows each strip one level, so "\\\\." reaches the regexp as
##    "\." - check the Exim filter specification on string expansion
##    before editing them.
##  - Lowercase "matches"/"contains" are case-independent in the
##    filter language (the uppercase forms are case-sensitive), so
##    ".EXE" is treated like ".exe" - verify against your Exim version.


## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
#
if not first_delivery
then
finish
endif

## -----------------------------------------------------------------------
# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We take the first n characters of the date header
# and test if it is the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long (n is 80 - see version 0.08 in the history).
# Note (review): a legitimately long Date: header (for example one
# carrying a comment) is also silently discarded by this test, and the
# client bug it targets was added for in July 2000; weigh that against
# the false positives before keeping it.
if ${length_80:$header_date:} is not $header_date:
then
seen finish
endif

## -----------------------------------------------------------------------
# These messages are now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
# bounces getting back.... so we fudge it somewhat and check for known
# header signatures. Other bounces are allowed through.
if $header_from: contains "@sexyfun.net"
then
seen finish
endif
# Note (review): both conditions in the next test are properties of the
# message itself - the empty envelope sender that makes error_message
# true, and the From: header text - so a message carrying both skips
# every attachment check further down and is delivered unscanned.
# Keep this exemption only if genuine bounces must get through
# untouched; otherwise consider letting them fall through to the checks.
if error_message and $header_from: contains "Mailer-Daemon@"
then
# looks like a real error message - just ignore it
finish
endif

## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
# The capture group (unused in this file) holds the filename without
# its surrounding quotes.
if $header_content-type: matches "(?:file)?name=\"([^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc]))\""
then
seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
# Note (review): the \" just before the closing parenthesis of the
# capture group requires a literal double-quote after the extension,
# so this expression does NOT match a genuinely unquoted filename
# (name=foo.exe followed by ";", whitespace or end of header) - the
# case the comment above says it covers. It looks like a leftover from
# the quoted variant; confirm and drop that \" if unquoted names are
# meant to be caught. The same \" appears in the unquoted body check
# below.
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc])\")([\\\\s;]|\\$)"
then
seen finish
endif


## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# These checks run against $message_body, which only holds the first
# message_body_visible bytes of the body with newlines turned into
# spaces (see LIMITATIONS and BASIS below); anything further into the
# message is not examined at all.
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))\"([^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc])\")[\\\\s;]"
then
seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
# Note (review): as with the header check above, the \" inside the
# capture group means this only matches a name that ends in a
# double-quote, not an unquoted one - confirm before relying on it.
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc])\")[\\\\s;]"
then
seen finish
endif
## -----------------------------------------------------------------------

# Fudge to catch Klez virus (mal formed mime details, unquoted filename with spaces)
# Disabled in 1.2 because it matched legitimate multipart/report
# messages - see the version history.
#if $message_body matches "Content-Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+;\\\\s*(?:name)=([^\" ]+ [^\"]*\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc])\")[\\\\s;]"
#then
# seen finish
#endif


## -----------------------------------------------------------------------


#### Version history
#
# 0.01 5 May 2000
# Initial release
# 0.02 8 May 2000
# Widened list of content-types accepted, added WSF extension
# 0.03 8 May 2000
# Embedded the install notes in for those that don't do manuals
# 0.04 9 May 2000
# Check global content-type header. Efficiency mods to REs
# 0.05 9 May 2000
# More minor efficiency mods, doc changes
# 0.06 20 June 2000
# Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
# 0.07 19 July 2000
# Latest MS Outhouse bug catching
# 0.08 19 July 2000
# Changed trigger length to 80 chars, fixed some spelling
# 0.09 29 September 2000
# More extensions... its getting so we should just allow 2 or 3 through
# 0.10 18 January 2001
# Removed exclusion for error messages - this is a little nasty
# since it has other side effects, hence we do still exclude
# on unix like error messages
# 0.11 20 March, 2001
# Added CMD extension, tidied docs slightly, added RCS tag
# ** Missed changing version number at top of file :-(
# 0.12 10 May, 2001
# Added HTA extension
# 0.13 22 May, 2001
# Reformatted regexps and code to build them so that they are
# shorter than the limits on pre exim 3.20 filters. This will
# make them significantly less efficient, but I am getting so
# many queries about this that requiring 3.2x appears unsupportable.
# 0.14 15 August,2001
# Added .lnk extension - most requested item :-)
# Reformatted everything so its now built from a set of short
# library files, cutting down on manual duplication.
# Changed \w in filename detection to . - dodges locale problems
# Explicit application of GPL after queries on license status
# 0.15 17 August, 2001
# Changed the . in filename detect to \S (stops it going mad)
# 0.16 19 September, 2001
# Pile of new extensions including the eml in current use
# 0.17 19 September, 2001
# Syntax fix
# 0.17a Thu 21-Feb-2002; Douglas Gray Stephens
# Modify for SLB (adding null return path test)
# 0.17b Wed 01-May-2002; Douglas Gray Stephens
# Block mal formed mime messages that have a space in the name
# 0.17c Wed 15-May-2002; Douglas Gray Stephens
# Block mal formed mime messages that have a space and period
# in the name.
# Also block .vb extensions
# 0.17d Thu 16-May-2002; Douglas Gray Stephens
# Update the notes as Exim 4 uses system_filter_* rather
# than message_filter_*
# (after feedback from David Broome <[email protected]>)
# 0.17e Fri 19-Jul-2002; Douglas Gray Stephens
# Block SCM (ScreenCam Movie) files
# 1.2 13-Apr-2018 Removed the Klez check as it was breaking:
# Content-Type: multipart/report;\n...
# from RoundCube emails.
# 1.3 (the VERSION tag at the top of the file says 1.3, but no
# history entry describes what changed)


#
#### Install Notes
#
# Exim filters run the exim filter language - a very primitive
# scripting language - in place of a user .forward file, or on
# a per system basis (on all messages passing through).
# The filtering capability is documented in the main set of manuals
# a copy of which can be found on the exim web site
# http://www.exim.org/
#
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation dependent - typically /etc/exim/config ]
# in the first section the line:-
# Exim 3
# message_filter = /etc/exim/system_filter.exim
# message_body_visible = 5000
# Exim 4
# system_filter = /etc/exim/system_filter.exim
# message_body_visible = 5000
#
# You may also want to set the message_filter_user & message_filter_group
# (in Exim 4 these are system_filter_user & system_filter_group)
# options, but they default to the standard exim user and so can
# be left untouched. The other message_filter_* (or system_filter_*
# for Exim 4) options are only needed if you modify this to do other
# functions such as deliveries.
# The main exim documentation is quite thorough and so I see no need
# to expand it here...
#
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
# (Review note: the two sentences above no longer describe this file -
# there is no "fail text" command and no error message in the section
# above; a matching message is discarded by "seen finish" without any
# bounce to the sender.)
#
# After install exim should be restarted - a kill -HUP to the
# daemon will do this.
#
#### LIMITATIONS
#
# This filter tries to parse MIME with a regexp... that doesn't
# work too well. It will also only see the amount of the body
# specified in message_body_visible
# It also only recognises the literal name= / filename= parameter
# forms written in the regexps, decides purely on the file extension,
# and never looks inside archives.
#
#### BASIS
#
# The regexp that is used to pickup MIME/uuencoded body parts with
# quoted filenames is replicated below (in perl format).
# You need to remember that exim converts newlines to spaces in
# the message_body variable.
# (Note: the live regexps above differ slightly from this reference -
# the opening quote sits outside the capture group - and the two
# "unquoted" variants are discussed in their own review notes.)
#
# (?:Content- # start of content header
# (?:Type: (?>\s*) # rest of c/t header
# [\w-]+/[\w-]+ # content-type (any)
# |Disposition: (?>\s*) # content-disposition hdr
# attachment) # content-disposition
# ;(?>\s*) # ; space or newline
# (?:file)?name= # filename=/name=
# |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode
# (\"[^\"]+\. # quoted filename.
# (?:ad[ep] # list of extns
# |ba[st]
# |chm
# |cmd
# |com
# |cpl
# |crt
# |eml
# |exe
# |hlp
# |hta
# |in[fs]
# |isp
# |jse?
# |lnk
# |md[be]
# |ms[cipt]
# |pcd
# |pif
# |reg
# |scm
# |scr
# |sct
# |shs
# |url
# |vb[se]?
# |ws[fhc])
# \" # end quote
# ) # end of filename capture
# [\s;] # trailing ;/space/newline

#
#
### [End]


