I reverted to the original form for various reasons, some of which
probably would not hold up past a rewritten version message_body that
is more efficient :-)
The filter is attached.
Its also at:-
ftp://ftp.exim.org/pub/filter/system_filter.exim
so you can avoid the mangling that mailers are bound to apply :-)
Seems to work on current tests, no guarantees. It does catch the forms
I saw yesterday.
It did show up some interesting things about exim's parsing - looks
like () have to be within quotes or the parser falls over.
Nigel.
# Exim filter
#
# Only run any of this stuff on the first pass through the
# filter - this is an optomisation for messages that get
# queued and have serveral delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
if error_message or not first_delivery
then
finish
endif
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants
#
if $message_body matches "(?:Content-(?:Type:\\\\s*application/octet-stream|Disposition:\\\\s*attachment);\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)(\"[^\"]+\\\\.(?:vbs|vbe|wsh|js|jse|exe|com|bat)\"|[\\\\w.-]+\\\\.(?:vbs|vbe|wsh|js|jse|exe|com|bat))[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
\tan apparently executable attachment $1\n\
\tThis form of attachment has been used by\n\
\trecent viruses such as that described in\n\
\thttp://www.fsecure.com/v-descs/love.htm\n\
\tIf you meant to send this file then please\n\
\tpackage it up as a zip file and resend it."
seen finish
endif
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
