[Exim] Fail command in filters: no mail sent back to the sen…

Author: Gregory Heinrich
Date:  
To: exim-users
Subject: [Exim] Fail command in filters: no mail sent back to the sender ???
Hello,

I have installed an Exim filter which was given as an example somewhere,
whose purpose is to reject email messages containing an executable
attachment, given a set of executable file extensions. The filter is
supposed to send an email back to the sender with an error message.
As expected, an email containing an executable attachment is not delivered to
the recipient, but no email is being sent back to the sender: the email is
sent to the postmaster instead of the sender.
What can I do to get the message to be sent to the sender?

I get this message in the exim mainlog:

----------
2001-07-21 16:15:20 15NxXM-0000CS-00 cancelled by message filter: This message has been rejected because it has
        an apparently executable attachment "ap.bat"
        This form of attachment has been used by
        recent viruses such as that described in
        http://www.fsecure.com/v-descs/love.htm



        Ce message a ete rejete car il semble
        contenir un attachement executable : "ap.bat"
        Ce type d'attachement a ete utilise par de
        recents virii tels que celui decrit sur
        http://www.fsecure.com/v-descs/love.htm.
2001-07-21 16:15:20 15NxXM-0000CU-00 <= <> R=15NxXM-0000CS-00 U=mail P=local S=51067
2001-07-21 16:15:20 15NxXM-0000CS-00 Error message sent to postmaster@???
2001-07-21 16:15:20 15NxXM-0000CS-00 Completed
2001-07-21 16:15:20 15NxXM-0000CU-00 => admin <postmaster@???> D=localuser T=local_delivery
2001-07-21 16:15:20 15NxXM-0000CU-00 Completed
--------



Here is the Exim filter:

------
# Exim filter
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants
#
  if $message_body matches
    "(?:Content-(?:Type:\\s*[\\w-]+/[\\w-]+|Disposition:\\s*attachment);\\s*(?:file)?name=|begin\\s+[0-7]{3,4}\\s+)(\"[^\"]+\\.(?:vbs|vbe|wsh|wsf|js|jse|exe|com|bat)\"|[\\w.-]+\\.(?:vbs|vbe|wsh|wsf|js|jse|exe|com|bat))[\\s;]"
  then
    fail text "This message has been rejected because it has\n\
        \tan apparently executable attachment $1\n\
        \tThis form of attachment has been used by\n\
        \trecent viruses such as that described in\n\
        \thttp://www.fsecure.com/v-descs/love.htm\n\
        \n\n\tCe message a ete rejete car il semble\n\
        \tcontenir un attachement executable : $1\n\
        \tCe type d'attachement a ete utilise par de\n\
        \trecents virii tels que celui decrit sur\n\
        \thttp://www.fsecure.com/v-descs/love.htm."
    seen finish
  endif


-------
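
Added example, not part of the original post: a Python harness that runs the filter's pattern over constructed message bodies to show what ends up in $1. Python's `re` stands in for Exim's regex engine, the function names are hypothetical, and `message_body()` is an approximation of how the Exim documentation describes $message_body (first `message_body_visible` characters, default 500, newlines turned into spaces).

```python
import re

# Pattern from the filter above as the regex engine receives it after Exim's
# string unescaping, written here as a Python raw string. Lowercase "matches"
# is caseless in Exim filters, hence IGNORECASE; ASCII keeps \w and \s PCRE-like.
EXEC_ATTACHMENT = re.compile(
    r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);'
    r'\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)'
    r'("[^"]+\.(?:vbs|vbe|wsh|wsf|js|jse|exe|com|bat)"'
    r'|[\w.-]+\.(?:vbs|vbe|wsh|wsf|js|jse|exe|com|bat))[\s;]',
    re.IGNORECASE | re.ASCII,
)


def message_body(raw_body, visible=500):
    """Approximate $message_body (assumption): the first `visible` characters
    of the body with newlines and NULs replaced by spaces."""
    return raw_body[:visible].replace("\n", " ").replace("\0", " ")


def flagged_attachment(raw_body, visible=500):
    """Return what the filter would see as $1, or None if it does not fire."""
    m = EXEC_ATTACHMENT.search(message_body(raw_body, visible))
    return m.group(1) if m else None


# Constructed sample bodies (not taken from the post).
SAMPLES = {
    "mime_quoted": 'Content-Type: application/octet-stream; name="ap.bat"\n'
                   "Content-Transfer-Encoding: base64\n\n",
    "mime_folded": "Content-Disposition: attachment;\n"
                   "\tfilename=REPORT.VBS\n\n",
    "uuencoded": "See attached.\nbegin 644 setup.exe\nM...\nend\n",
    "benign_image": 'Content-Type: image/png; name="photo.png"\n\n',
    "prose_only": "Please do not open setup.exe if you receive it.\n",
    "late_part": "x" * 600 + '\nContent-Type: text/plain; name="late.bat"\n',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:13} -> {flagged_attachment(body)!r}")
```

The capture group includes the surrounding double quotes, which is why the mainlog entry above shows "ap.bat" quoted. The `late_part` sample is only flagged when the visible portion of the body is large enough to contain its MIME header, so `message_body_visible` bounds what this filter can inspect.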