[Exim] system filter and null return path messages

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Dr. Douglas Gray Stephens
Date:  
À: Exim-users
Sujet: [Exim] system filter and null return path messages

Hi,

I have exim 3.13 running the system filter 0.10.  However the
postmaster is being hit by virus reports that match the system filter:
 if $header_from: contains "@sexyfun.net" then
   fail text "This message has been rejected since it has\n\
                 \tthe signature of a known virus in the header."
   seen finish
 endif


The message has headers
 Return-path: <> Received: from mtiwmhc24.worldnet.att.net
 ([204.127.131.49])
         by mahler.houston.sinet.slb.com with esmtp (Exim 3.13 #1) id
         14hiTg-00042W-00 for 3Dxweng@???; Mon, 26 Mar 2001
         19:40:56 -0600
 Received: from house ([12.73.163.53]) by mtiwmhc24.worldnet.att.net
           (InterMail vM.4.01.03.16 201-229-121-116-20010115) with
           SMTP id
           <20010326201923.VEX29681.mtiwmhc24.worldnet.att.net@house>
           for <3Dxweng@???>; Mon, 26 Mar 2001 20:19:23 +0000
 From: Hahaha <hahaha@???> Subject: Snowhite and the Seven
 Dwarfs - The REAL story!  MIME-Version: 1.0 Content-Type:
 multipart/mixed; boundary="--VEYN0DAJOTMJK1ERWTUZKTURC5UJ"
 Message-Id:
 <20010326201923.VEX29681.mtiwmhc24.worldnet.att.net@house> Date: Mon,
 26 Mar 2001 20:19:56 +0000


I was considering modifying the system filter to use
 if $header_from: contains "@sexyfun.net" then
   if $return_path is "" then
     seen finish endif


   fail text "This message has been rejected since it has\n\
                 \tthe signature of a known virus in the header."
   seen finish
 endif


so that copies of the virus that have a null return path are
discarded. An updated version of the system_filter.exim file is
attached.

Is there a better way to stop these messages hitting the local
postmaster account?

Thanks in advance,

Douglas

# Exim filter
## Version: 0.10a

## If you haven't worked with exim filters before, read
## the install notes at the end of this file.

#
# Only run any of this stuff on the first pass through the
# filter - this is an optomisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
#
if not first_delivery
then
finish
endif

# Check for MS buffer overruns as per latest BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We substract the first n characters of the date header
# and test if its the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long
if ${length_80:$header_date:} is not $header_date:
then
  fail text "This message has been rejected because it has\n\
         \tan overlength date field which can be used\n\
         \tto subvert Microsoft mail programs\n\
             \tThe following URL has further information\n\
         \thttp://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
  seen finish
endif


# This is a nasty compromise.
# This crud is now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
# bounces getting back.... so we fudge it somewhat
if $header_from: contains "@sexyfun.net"
then
  if $return_path is ""
  then
    seen finish
  endif


  fail text "This message has been rejected since it has\n\
        \tthe signature of a known virus in the header."
  seen finish
endif
if error_message and $header_from: contains "Mailer-Daemon@"
then
  # looks like a real error message - just ignore it
  finish
endif


# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header [vb2_regexp]
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))"
then
  fail text "This message has been rejected because it has\n\
         \ta potentially executable attachment $1\n\
         \tThis form of attachment has been used by\n\
             \trecent viruses such as that described in\n\
         \thttp://www.fsecure.com/v-descs/love.htm\n\
         \tIf you meant to send this file then please\n\
         \tpackage it up as a zip file and resend it."
  seen finish
endif


# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for 
# the ILOVEYOU virus and its variants
# [vb_regexp]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
         \ta potentially executable attachment $1\n\
         \tThis form of attachment has been used by\n\
             \trecent viruses such as that described in\n\
         \thttp://www.fsecure.com/v-descs/love.htm\n\
         \tIf you meant to send this file then please\n\
         \tpackage it up as a zip file and resend it."
  seen finish
endif


#### Version history
#
# 0.01 5 May 2000
#    Initial release
# 0.02 8 May 2000
#    Widened list of content-types accepted, added WSF extension
# 0.03 8 May 2000
#    Embedded the install notes in for those that don't do manuals
# 0.04 9 May 2000
#    Check global content-type header.  Efficiency mods to REs
# 0.05 9 May 2000
#    More minor efficiency mods, doc changes
# 0.06 20 June 2000
#    Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
# 0.07 19 July 2000
#    Latest MS Outhouse bug catching
# 0.08 19 July 2000
#    Changed trigger length to 80 chars, fixed some spelling
# 0.09 29 September 2000
#    More extensions... its getting so we should just allow 2 or 3 through
# 0.10 18 January 2001
#    Removed exclusion for error messages - this is a little nasty
#    since it has other side effects, hence we do still exclude
#    on unix like error messages
# 0.10a 26 March 2001
#       Block sexyfun.net messages that have no return path from
#    hitting the postmaster.
#
#### Install Notes
#
# Exim filters run the exim filter language - a very primitive
# scripting language - in place of a user .forward file, or on
# a per system basis (on all messages passing through).
# The filtering capability is documented in the main set of manuals
# a copy of which can be found on the exim web site
#    http://www.exim.org/
#
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation depedant - typicaly /etc/exim/config ]
# at the top the line:-
#    message_filter = /etc/exim/system_filter.exim
#    message_body_visible = 5000
#
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
#
# After install exim should be restarted - a kill -HUP to the
# daemon will do this.
#
#### LIMITATIONS
#
# This filter tries to parse MIME with a regexp... that doesn't
# work too well.  It will also only see the amount of the body
# specified in message_body_visible
#
#### BASIS
#
# The regexp that is used to pickup MIME/uuencoded parts is replicated
# below (in perl format).  You need to remember that exim converts
# newlines to spaces in the message_body variable.
#
#  (?:Content-                    # start of content header
#  (?:Type: (?>\s*)                # rest of c/t header
#    [\w-]+/[\w-]+                # content-type (any)
#    |Disposition: (?>\s*)            # content-disposition hdr
#    attachment)                    # content-disposition
#  ;(?>\s*)                    # ; space or newline
#  (?:file)?name=                # filename=/name= 
#  |begin (?>\s+) [0-7]{3,4} (?>\s+))         # begin octal-mode
#  (\"[^\"]+\.                    # quoted filename.
#    (?:vb[se]                # list of extns
#    |ws[fh]
#    |jse?
#    |exe
#    |com
#    |shs
#    |bat
#    |scr
#    |pif)
#    \"                    # end quote
#  |[\w.-]+\.                    # unquoted filename.ext
#    (?:vb[se]                # list of extns
#    |ws[fh]
#    |jse?
#    |exe
#    |com
#    |shs
#    |bat
#    |scr
#    |pif)
#  )                        # end of filename capture
#  [\s;]                    # trailing ;/space/newline
#
#
### [End]




--

================================
Douglas GRAY STEPHENS        
SL-IT Security (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND


Phone +44 1223 325295
Fax +44 1223 311830
Email DGrayStephens@???
================================