New version of the filter is attached - also available at
ftp://ftp.exim.org/pub/filter/system_filter.exim.test
Please can people see if this fixes the false negatives from the
previous one which I think were most likely caused by single part
messages where the MIME info was in the header, not the body.
Nigel.
# Exim filter
## Version: 0.04
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
#
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
if error_message or not first_delivery
then
  finish
endif

# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat))"
then
  fail text "This message has been rejected because it has\n\
  \tan apparently executable attachment $1\n\
  \tThis form of attachment has been used by\n\
  \trecent viruses such as that described in\n\
  \thttp://www.fsecure.com/v-descs/love.htm\n\
  \tIf you meant to send this file then please\n\
  \tpackage it up as a zip file and resend it."
  seen finish
endif

# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants
#
if $message_body matches "(?:Content-(?:Type:\\\\s*[\\\\w-]+/[\\\\w-]+|Disposition:\\\\s*attachment);\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat))[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
  \tan apparently executable attachment $1\n\
  \tThis form of attachment has been used by\n\
  \trecent viruses such as that described in\n\
  \thttp://www.fsecure.com/v-descs/love.htm\n\
  \tIf you meant to send this file then please\n\
  \tpackage it up as a zip file and resend it."
  seen finish
endif
## Version history
#
# 0.01 5 May 2000
# Initial release
# 0.02 8 May 2000
# Widened list of content-types accepted, added WSF extension
# 0.03 8 May 2000
# Embedded the install notes in for those that don't do manuals
# 0.04 9 May 2000
# Check global content-type header. Efficiency mods to REs
#
## Install Notes
#
# Exim filters run the exim filter language - a very primitive
# scripting language - in place of a user .forward file, or on
# a per system basis (on all messages passing through).
# The filtering capability is documented in the main set of manuals
# a copy of which can be found on the exim web site
# http://www.exim.org/
#
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation dependent - typically /etc/exim/config ]
# at the top the lines:-
#   message_filter = /etc/exim/system_filter.exim
#   message_body_visible = 2000
#
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
#
# After install exim should be restarted - a kill -HUP to the
# daemon will do this.
#
# The regexp that is used to pick up MIME/uuencoded parts is replicated
# below (in perl /x format). You need to remember that exim converts
# newlines to spaces in the message_body variable.
#
# (?:Content-                     # start of content header
#    (?:Type: \s*                 #   rest of c/t header
#       [\w-]+/[\w-]+             #   content-type (any)
#    |Disposition: \s*            #   content-disposition hdr
#       attachment)               #   content-disposition
#    ;\s*                         #   space or newline
#    (?:file)?name=               #   filename=/name=
# |begin \s+ [0-7]{3,4} \s+)      # begin octal-mode
# (\"[^\"]+\.                     # quoted filename.
#    (?:vbs                       #   list of extns
#    |vbe
#    |wsh
#    |wsf
#    |js
#    |jse
#    |exe
#    |com
#    |bat)
#  \"                             #   end quote
# |[\w.-]+\.                      # unquoted filename.ext
#    (?:vbs                       #   list of extns
#    |vbe
#    |wsh
#    |wsf
#    |js
#    |jse
#    |exe
#    |com
#    |bat)
# )                               # end of filename capture
# [\s;]                           # trailing ;/space/newline
#
### [End]
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
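To see concretely what the two `matches` conditions catch, here is an added worked example; it is mine, not part of Nigel's post or of the exim.org filter. It applies the same regular expressions (in Python syntax, one backslash per escape) to constructed sample messages: a multipart message with a `.vbs` part, the single-part case that version 0.04 adds where the name only appears in the top-level Content-Type header, a uuencoded `.bat`, a benign PDF, and a message whose attachment header lies beyond `message_body_visible`. It assumes, as the install notes say, that `$message_body` is the first `message_body_visible` bytes with newlines turned into spaces, and that Exim's lower-case `matches` is case-insensitive; all sample messages and filenames are constructed.

```python
import re

# Extensions the filter treats as executable (the filter's own list).
EXTS = r"(?:vb[se]|ws[fh]|jse?|exe|com|bat)"

# Filename capture shared by both checks: a quoted name or a bare
# [\w.-] name ending in one of EXTS.  Group 1 is what the filter reports as $1.
FILENAME = r'("[^"]+\.' + EXTS + r'"|[\w.-]+\.' + EXTS + r")"

# Assumption: Exim's lower-case "matches" is case-insensitive, hence re.IGNORECASE.
# Check 1 (new in 0.04): the top-level Content-Type header names the file.
HEADER_RE = re.compile(r"(?:file)?name=" + FILENAME, re.IGNORECASE)

# Check 2: a MIME part header or a uuencode "begin" line inside the body.
BODY_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name="
    r"|begin\s+[0-7]{3,4}\s+)"
    + FILENAME
    + r"[\s;]",
    re.IGNORECASE,
)


def exim_message_body(raw_body, visible=2000):
    """Approximate Exim's $message_body (assumption from the install notes):
    only the first message_body_visible bytes are exposed, newlines become spaces."""
    return raw_body[:visible].replace("\n", " ")


def check_message(content_type, raw_body, visible=2000):
    """Decide as the filter does: header check first, then body check.
    Returns (rejected, attachment_name_as_$1)."""
    m = HEADER_RE.search(content_type)
    if m:
        return True, m.group(1)
    m = BODY_RE.search(exim_message_body(raw_body, visible))
    if m:
        return True, m.group(1)
    return False, None


# Constructed sample messages (not real mail).
MULTIPART_VBS = (
    "--frontier\n"
    "Content-Type: text/plain\n\n"
    "Please see the attached file.\n"
    "--frontier\n"
    'Content-Type: application/octet-stream; name="report.doc.vbs"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="report.doc.vbs"\n\n'
    "TVqQAAMAAAAEAAAA\n"
    "--frontier--\n"
)
# Single-part message: the only Content-Type header is the top-level one,
# so the body check alone (versions 0.01-0.03) never sees the filename.
SINGLE_PART_EXE_HEADER = "application/x-msdownload; name=setup.exe"
SINGLE_PART_EXE_BODY = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA\n" * 3
UUENCODED_BAT = (
    "Here is the script you asked for\n"
    "begin 644 cleanup.bat\n"
    "M0&5C:&@@;V9F#0IE8VAO(&AE;&QO#0H\n"
    "end\n"
)
BENIGN_PDF = (
    "--frontier\n"
    'Content-Type: application/pdf; name="report.pdf"\n'
    'Content-Disposition: attachment; filename="report.pdf"\n\n'
    "JVBERi0xLjQK\n"
    "--frontier--\n"
)
# 5400 bytes of cover note push the attachment past message_body_visible = 2000.
PADDED_VBS = "This is a long cover note.\n" * 200 + MULTIPART_VBS

SAMPLES = [
    ("multipart/mixed; boundary=frontier", MULTIPART_VBS),
    (SINGLE_PART_EXE_HEADER, SINGLE_PART_EXE_BODY),
    ("text/plain", UUENCODED_BAT),
    ("multipart/mixed; boundary=frontier", BENIGN_PDF),
    ("multipart/mixed; boundary=frontier", PADDED_VBS),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(check_message(ctype, body))
```

The padded sample is the practical caveat: the body check only sees the first `message_body_visible` bytes, so a part header that sits after a long cover note is missed unless that option is raised; the header check is unaffected by it, which is also why the 0.04 header test closes the single-part gap.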