Re: [Exim] System message & transport filtering

Author: Odhiambo Washington
Date:
To: exim-users
CC: ccurtis
Subject: Re: [Exim] System message & transport filtering
* Christopher Curtis <ccurtis@???> [20011012 16:51]: writing on the subject '[Exim] System message & transport filtering'
| Hello,
| 
| I'm a relative Exim newbie (it came with Debian) but Exim is an excellent
| package and I'd like to thank all the developers first off.
| 
| Now, my problem: I want to filter against worms/attachments.  A common
| scenario, yes, but I have a twist.  "Known" worms I outright deny, like
| SirCam.  The message blackholes and the sender is sent a message telling
| them how to clean up after themselves.
| 
| But I want to handle "Unknown" worms nicely - basically any executable
| attachment.  By nicely, I mean: send a warning email to the person getting
| the message, but don't do anything else.
| 
| I'm using the message_filter to run this filter snippet:
| 
| -------------------------------------------
| if $h_content-type matches "name=.*\\.(ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])"
| or
|    $h_content-disposition matches "name=.*\\.(ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])"
| or
|    $h_subject matches "(xxxxx[pd]|foofoofoo)"
| then
|   # We cannot do anything with the message from this filter because this
|   # is run pre-delivery.  Thus, there is no valid recipient at this point.
|   # This filter is run for incoming, outgoing, and relayed mail.
|   # Instead, we will add an X-Exim-Warning header to filter against later.
|   headers add "X-Exim-Warning: Executable Attachment"
| endif
| -------------------------------------------
| 
| Firstly, the RegEx fails for some unknown reason (not the greatest concern
| at this point) so I use the 'foofoofoo' path and add the Header.
| 
| Now, I am stuck.  What I DO NOT want to do is run a transport_filter for
| every single email to look for this added header.  The machine is an old
| PPro and really can't spare the cycles to filter every message.  Is there
| a way to setup exim to only run the filter if that header exists?
| 
| Or better, what I really want to do is send an email to the user getting
| the message that says "DANGER!  You may be getting a virus right now!"  Is
| there any easy way out of my sticky wicket?


There is, yes, but with the 'nice' way you wanna handle it, I bet it's better to go
have some beer and forget about filtering.
In the environment where I work, 99.98% use M$ Outlock and have no idea what the
'headers' mean. They just wouldn't see it. If it's in the Unix world, then the
executables are 'nothin' IMHO.

There was a list member who saved these attachments in a folder with the
recipient's name and sent out a mail to the recipient to contact him so
as to be given his attachment. Maybe you want that. You will get that in the
archives of this list.

Good luck.

-Wash

--
Odhiambo Washington
Wananchi Online Ltd.,
wash@??? 1st Flr Loita Hse.
Tel: 254 2 313985 Loita Street.,
Fax: 254 2 313922 PO Box 10286,00100-NAIROBI,KE

You can't hold a man down without staying down with him.
        -- Booker T. Washington
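
Added example, not part of either message above: a Python sketch that applies the extension list from the quoted filter to every MIME part of a message and compares the result with a test on the top-level headers only. On a multipart message the attachment's `name=` parameter sits in the part's own headers, while the top-level Content-Type carries only the multipart type and boundary. The sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Extension list copied from the filter quoted in the post; matched case-insensitively.
EXT = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
       r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")
HEADER_RE = re.compile(r"name=.*\.(" + EXT + r")", re.I)
FILENAME_RE = re.compile(r"\.(" + EXT + r")$", re.I)

def header_only_match(msg):
    """Same pattern as the quoted test, applied to top-level headers only."""
    return any(HEADER_RE.search(msg.get(h, ""))
               for h in ("Content-Type", "Content-Disposition"))

def risky_attachments(msg):
    """Walk every MIME part and return filenames ending in a listed extension."""
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, then Content-Type name=
        name = part.get_filename()
        if name and FILENAME_RE.search(name.strip()):
            hits.append(name)
    return hits

# Constructed sample: a multipart message with one double-extension attachment.
SAMPLE = """\
From: sender@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See attached.
--BOUND
Content-Type: application/octet-stream; name="report.doc.pif"
Content-Disposition: attachment; filename="report.doc.pif"
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    print("header-only match:", header_only_match(m))
    print("per-part filenames:", risky_attachments(m))
```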