This is what I'm doing with logging and stripping executables/
# Viruses and Executable Attachments
if $h_subject: contains "Seven Dwarfs"
or $message_body matches
"(?:Content-(?:Type:\\\\s*[\\\\w-]+/[\\\\w-]+|Disposition:\\\\s*attachment);\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)(\"[^\"]+\\\\.(?:vbs|vbe|wsh|wsf|js|jse|exe|com|bat|lnk|pif|scr)\"|[\\\\w.-]+\\\\.(?:vbs|vbe|wsh|wsf|js|jse|exe|com|bat|lnk|pif|scr))[\\\\s;]"
then
headers add "X-Virus: [VIRUS] - ${substr_0_60:$0}"
headers add "X-Spam: [SPAM] - Virus"
mail
to "$h_to:"
cc "$h_from:"
# bcc "marc@???"
from "$h_from:"
subject "[VIRUS] $0"
text "This is an automatically generated email message. This email system\n\
does not permit sending windows executable files to our users because the\n\
vast majority of them are viruses.\n\n\
To: $h_return-path: If you are the sender of this message\n\
[$h_from:] and you did not intend to send a windows executable program to\n\
[$h_envelope-to:] then it is possible your computer is infected with a virus.\n\n\
Executable Attachment: \n\n $0\n\n\
To: $h_to: You were just sent an executable program that is most likely \
a virus.\n\nThe message headers had this information:\n\n\
$message_headers:\n\n\
If this attachment was really a program that you want, and not a virus,\n\
please have the sender resend the program inside of a ZIP file.\n\n\
If you have any questions about virus filtering please contact marc@???\n\
for further assistance."
save /var/mail/viruses
fail "\n===== WARNING! WARNING! WARNING! - POSSIBLE VIRUS! - ALERT! =====\n\n\
We do not accept email with executable attachments! \
You attempted to send the executable file:\n\n[$0]\n\nIf you didn't intend to send \
this executable file, you may have a VIRUS! If so - please run anti-virus software on \
your system immediately to prevent damage to your system and prevent you from \
infecting other computers. If you need to send executables - please put them \
inside a ZIP file.\n"
Juha Saarinen wrote:
> I'm pleased to see that the generic message filter is picking up a lot of
> VBS nasties.
>
> However, these events are only being logged in exim_mainlog. Is there a
> way to have them logged in exim_rejectlog as well?
>
> --
> Juha
> Take off every sig!
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##