[Exim] My exim system_filter does not block EXE-Attachment

Author: Diebold, Klaus
Date:  
To: 'exim-users@exim.org'
Subject: [Exim] My exim system_filter does not block EXE-Attachment
Hi,

I have changed Nigel's system_filter (version 0.8) this way:


----------------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header [vb2_regexp]

# Added extensions "shs", "js", "chm" and "scr", db, 20.6.2000


if $header_content-type: matches
"(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|js|exe|pif|com|chm|shs|scr|pif|mpg|mp3|bat)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|js|exe|pif|com|chm|shs|scr|pif|mpg|mp3|bat))"

then   
    ...
  seen finish
endif
----------------------------------------------------------------------------


but it did not block this virus-infected mail with empty From-Header:


----------------------------------------------------------------------------
Message-ID: <200102220928.KAA15560@???>
Subject: 
Date: Thu, 22 Feb 2001 10:28:49 +0100
MIME-Version: 1.0
Content-Type: application/octet-stream;
    name="MJECLHMJ.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="MJECLHMJ.EXE"


TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA ...
----------------------------------------------------------------------------


With embedded attachments the filter works fine, and has been a good help
against a lot of virus-attacks.

Thank you for any help.


Klaus Diebold
Informatik
Georg Thieme Verlag
Tel. 0711-8931-230
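
Added example (not part of the original message, and not code from Exim or from Nigel's filter): an offline harness that runs the posted regexp over the headers quoted above, using Python's `re` as a stand-in for Exim's regexp engine. `flagged_headers`, `SAMPLE` and `BENIGN` are names made up here, and extending the check to `Content-Disposition` goes beyond the posted rule, which reads only `Content-Type`.

```python
import re
from email import message_from_string

# Extension list exactly as in the posted filter (redundant entries kept).
EXTS = r"(?:vb[se]|ws[fh]|jse?|js|exe|pif|com|chm|shs|scr|pif|mpg|mp3|bat)"
# The posted regexp after the filter file's two layers of backslash and quote
# escaping are removed: a quoted name, or a bare token, ending in a listed extension.
PATTERN = r'(?:file)?name=("[^"]+\.' + EXTS + r'"|[\w.-]+\.' + EXTS + ")"

# Constructed sample: the MIME headers quoted in the post, body omitted.
SAMPLE = (
    "Subject: \n"
    "MIME-Version: 1.0\n"
    "Content-Type: application/octet-stream;\n"
    '    name="MJECLHMJ.EXE"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    '    filename="MJECLHMJ.EXE"\n'
    "\n"
    "(body omitted)\n"
)
# Constructed negative control: an attachment type the list does not cover.
BENIGN = 'Content-Type: application/pdf;\n    name="report.pdf"\n\n(body omitted)\n'


def flagged_headers(raw, case_sensitive=False,
                    names=("Content-Type", "Content-Disposition")):
    """Return {header name: matched text} for headers the regexp flags.

    case_sensitive=False models the filter's lower-case `matches`;
    True models the upper-case `MATCHES` form (assumption: Python's re
    behaves like Exim's regexp engine for this pattern).
    """
    rx = re.compile(PATTERN, 0 if case_sensitive else re.IGNORECASE)
    msg = message_from_string(raw)
    hits = {}
    for name in names:
        # Folded header lines stay in the value; the pattern is unanchored,
        # so the line break before name= does not matter.
        m = rx.search(msg.get(name, ""))
        if m:
            hits[name] = m.group(0)
    return hits


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, flagged_headers(raw), flagged_headers(raw, True))
```

Running the regexp in isolation like this separates the pattern itself from everything else in the filter file that decides whether the rule is ever reached.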