[Exim] Filtering files with a trailing dot

Author: Phil Pennock
Date:  
To: Exim Users
New-Topics: [Exim] Bouncing to wrong address?
Subject: [Exim] Filtering files with a trailing dot
For those who haven't already seen it, there's been an item on BugTraq
about bypassing ZoneAlarm MailSafe. Whilst that in itself probably
doesn't concern exim-users, there's an interesting point raised about
filtering for Windows.

Windows ignores a trailing dot on a filename. "foo.exe." is the same as
"foo.exe".


This is my M4 source for my personal machine's virus filter, based
originally upon Nigel's filter. It bears an uncanny resemblance to M4
source used elsewhere, since I M4-ised both, independently.

The securityfocus bypass is for a simple reason: if someone's reading
BugTraq, assume they know what they're doing. Enough past examples of
live attacks posted to the list have led to those who can be educated
being so educated, and not reading BugTraq from a Windows box.

gm4 == GNU m4, since OpenBSD's m4 didn't handle this at the time.

The trailing dnl-comment picking apart the regexp is a little dated.
I've added logging (at least, I don't think that was originally in
there). Neither postmaster@ nor abuse@ are filtered. This also blocks
files which are given as an "inline"-disposed MIME-part, not just
"attachment".

Hope this helps someone,

-----------------------------< cut here >-------------------------------
dnl Exim system filter file, in m4 format.
dnl $Id: system_filter.exim.m4,v 1.19 2002/04/03 01:40:09 root Exp $
dnl Does not pass most comments through to output - keep it smaller
dnl The "Exim filter" line MUST EXIST AND BE FIRST
dnl Run: gm4 <system_filter.exim.m4 >system_filter.exim
dnl
# Exim filter  -- don't delete this line
# File auto-generated from gnu-m4 src 'system_filter.exim.m4'
`#' Generated: syscmd(`date')dnl
# $Id: system_filter.exim.m4,v 1.19 2002/04/03 01:40:09 root Exp $
dnl
define(BLOCKEXTS,`vb[se]|ws[fh]|jse?|exe|com|bat|chm|cmd|pif|sh[bs]|hta|as[dx]|ad[ep]|md[abew]|dll|ocx|scr|[ew]ml|nws|lnk')dnl
define(BLOCKTEXT,
    `"This message has been rejected because it has an attachment\n\
    of a type which is known to be vulnerable to security\n\
    problems, such as holding exploit code for email-vectored\n\
    viruses and worms.\n\
    The attachment was called: $`'1\n\
    If you meant to send this file then please\n\
    package it up as a zip file and resend it."')dnl


if not first_delivery then finish endif

dnl Allow postmaster access
if $original_local_part is postmaster then finish endif
if $original_local_part is abuse then finish endif

dnl allow bugtraq exploits through - assume readers competent
if $sender_address_domain matches "securityfocus.com" then finish endif

logfile /var/log/exim/filter_log 0640

dnl Empty envelope first
if $header_from: contains "@sexyfun.net"
then
  fail text    "This message has been rejected since it has\n\
        the signature of a known virus in the header."
  seen finish
endif
if error_message and $header_from: contains "Mailer-Daemon@"
then
dnl looks like a real error message - just ignore it
  finish
endif


dnl Microsoft buffer overruns
if ${length_80:$header_date:} is not $header_date:
then
  fail text    "This message has been rejected because it has\n\
        an overlength date field which can be used\n\
        to subvert Microsoft mail programs\n\
        The following URL has further information\n\
 http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
  seen finish
endif


dnl Look for single part MIME messages with suspicious name extensions
dnl Check Content-Type header
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:BLOCKEXTS)(?:\\\\.)*\"|\\\\S+\\\\.(?:BLOCKEXTS)(?:\\\\.)*)"
then
logwrite "$`'tod_log Virus/hdr $`'message_id $`'1 <- $`'return_path"
fail text BLOCKTEXT
seen finish
endif

dnl Attempt to catch embedded VBS attachments
dnl in emails. These were used as the basis for
dnl the ILOVEYOU virus and its variants
dnl
if $message_body matches "(?:Content-(?:Type:\\\\s*[\\\\w-]+/[\\\\w-]+|Disposition:\\\\s*(?:attachment|inline));\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)(\"[^\"]+\\\\.(?:BLOCKEXTS)(?:\\\\.)*\"|\\\\S+\\\\.(?:BLOCKEXTS)(?:\\\\.)*)[\\\\s;]"
then
logwrite "$`'tod_log Virus/body $`'message_id $`'1 <- $`'return_path"
fail text BLOCKTEXT
seen finish
endif

dnl ### LIMITATIONS
dnl
dnl This filter tries to parse MIME with a regexp... that doesn't
dnl work too well.  It will also only see the amount of the body
dnl specified in message_body_visible
dnl
dnl ### BASIS
dnl
dnl The regexp that is used to pickup MIME/uuencoded parts is replicated
dnl below (in perl format).  You need to remember that exim converts
dnl newlines to spaces in the message_body variable.
dnl
dnl (?:Content-                    # start of content header
dnl  (?:Type: (?>\s*)                # rest of c/t header
dnl    [\w-]+/[\w-]+                # content-type (any)
dnl    |Disposition: (?>\s*)            # content-disposition hdr
dnl    attachment)                # content-disposition
dnl  ;(?>\s*)                    # ; space or newline
dnl  (?:file)?name=                # filename=/name=
dnl  |begin (?>\s+) [0-7]{3,4} (?>\s+))         # begin octal-mode
dnl  (\"[^\"]+\.                    # quoted filename.
dnl    (?:vb[se]                # list of extns
dnl    |ws[fh]
dnl    |jse?
dnl    |exe
dnl    |com
dnl    |bat)
dnl    \"                    # end quote
dnl  |[\w.-]+\.                    # unquoted filename.ext
dnl    (?:vb[se]                # list of extns
dnl    |ws[fh]
dnl    |jse?
dnl    |exe
dnl    |com
dnl    |bat)
dnl  )                        # end of filename capture
dnl  [\s;]                    # trailing ;/space/newline
dnl
### [End]
-----------------------------< cut here >-------------------------------
--
I pretend to work.  They pretend to pay me.
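The two attachment-name regexps in the filter above, and the trailing-dot point behind them, translated into Python as an added example (not part of Phil's post or the filter itself). The patterns are the filter's own with the Exim double-quoting undone (each `\\\\` in the filter file is one `\` here); case-insensitive matching is assumed because the filter uses the lower-case `matches` operator, and the `$message_body` approximation (newlines become spaces, only the first `message_body_visible` bytes are seen, 1024 assumed as the default) follows the LIMITATIONS and BASIS notes in the filter. The sample headers and bodies are constructed for this example. `windows_effective_name` goes one step beyond the post: Win32 path handling drops trailing spaces as well as trailing dots, so both are stripped.

```python
import re

# Extension list, copied from the BLOCKEXTS m4 macro in the filter above.
BLOCKEXTS = (r"vb[se]|ws[fh]|jse?|exe|com|bat|chm|cmd|pif|sh[bs]|hta|as[dx]"
             r"|ad[ep]|md[abew]|dll|ocx|scr|[ew]ml|nws|lnk")

# The filter's Content-Type header check.  (?:\.)* after the extension is
# the trailing-dot handling the post describes ("foo.exe." == "foo.exe").
HEADER_RE = re.compile(
    r'(?:file)?name=("[^"]+\.(?:%s)(?:\.)*"|\S+\.(?:%s)(?:\.)*)'
    % (BLOCKEXTS, BLOCKEXTS), re.IGNORECASE)

# The filter's $message_body check: MIME part headers or a uuencode "begin" line,
# followed by a quoted or unquoted filename and then a terminator.
BODY_RE = re.compile(
    r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*(?:attachment|inline))'
    r';\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)'
    r'("[^"]+\.(?:%s)(?:\.)*"|\S+\.(?:%s)(?:\.)*)[\s;]'
    % (BLOCKEXTS, BLOCKEXTS), re.IGNORECASE)

# Same body check without (?:\.)*, i.e. a filter written before the
# ZoneAlarm MailSafe bypass was posted.  Used only to show the difference.
NAIVE_BODY_RE = re.compile(
    r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*(?:attachment|inline))'
    r';\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)'
    r'("[^"]+\.(?:%s)"|\S+\.(?:%s))[\s;]'
    % (BLOCKEXTS, BLOCKEXTS), re.IGNORECASE)


def filter_header(content_type):
    """Return the filename the filter would log for a Content-Type value, else None."""
    m = HEADER_RE.search(content_type)
    return m.group(1) if m else None


def exim_message_body(raw_body, visible=1024):
    """Approximate Exim's $message_body: truncated to message_body_visible
    bytes (1024 assumed) with newlines converted to spaces."""
    return raw_body[:visible].replace("\n", " ")


def filter_body(raw_body, visible=1024):
    """Filename the filter's body check captures, else None."""
    m = BODY_RE.search(exim_message_body(raw_body, visible))
    return m.group(1) if m else None


def naive_filter_body(raw_body, visible=1024):
    """Same check without trailing-dot handling, for comparison."""
    m = NAIVE_BODY_RE.search(exim_message_body(raw_body, visible))
    return m.group(1) if m else None


def windows_effective_name(name):
    """Name Windows actually opens: quotes removed, trailing dots and
    trailing spaces ignored (Win32 strips both)."""
    return name.strip('"').rstrip(". ")


# Constructed sample: MIME message whose attachment name carries a trailing dot.
SAMPLE_BODY = (
    "This is a multi-part message in MIME format.\n\n"
    "--=_NextPart_000\n"
    "Content-Type: text/plain; charset=us-ascii\n\n"
    "kindly check the attached LOVELETTER coming from me.\n\n"
    "--=_NextPart_000\n"
    "Content-Type: application/octet-stream;\n"
    "\tname=\"LOVE-LETTER-FOR-YOU.TXT.vbs.\"\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    "\tfilename=\"LOVE-LETTER-FOR-YOU.TXT.vbs.\"\n\n"
    "cmVtICBiYXJvaw==\n"
)

# Constructed sample: uuencoded attachment with a trailing dot.
UU_BODY = "Here is the installer you asked for.\n\nbegin 644 setup.exe.\nM1V]T8VAA\n`\nend\n"


if __name__ == "__main__":
    for ct in ('application/octet-stream; name="invoice.exe."',
               'text/plain; name="notes.txt"'):
        print("header:", ct, "->", filter_header(ct))
    for body in (SAMPLE_BODY, UU_BODY):
        got, naive = filter_body(body), naive_filter_body(body)
        print("body: filter ->", got, "| without (?:\\.)* ->", naive,
              "| Windows opens:", windows_effective_name(got or ""))
```

The header regexp catches the dotted name either way, because its unquoted branch has no terminator and `\S+` happily swallows the opening quote; the body regexp ends in `[\s;]`, so there `"setup.exe."` only matches once `(?:\.)*` is present, which is exactly the gap the BugTraq item exploits.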