[Exim] System filter with spaces in the file name

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Douglas Gray Stephens
Date:  
À: exim-users
Sujet: [Exim] System filter with spaces in the file name
Hi,

I've happened to have a dubious email cross my path, which I caused me
to check out blocking by system_filter.exim. The message had MIME
details
Content-type: audio/x-wav; name=XXX
where XXX was Code .scr

(I have use substitution to avoid this mail tripping any alarms.)

The system_filter.exim file has two sets of filters for the file
extension "scr", one for quoted file names, e.g.
name="Code .scr"
and the other for unquoted file names, e.g.
name=Code.scr

I accept that as the file has a space in it, it is not following the
MIME standards, however are there any MUAs out there that are likely
to take the file name to be
Code .scr
and so run the dubious attachement? (In this case the attachment had a
content-id, and was part of a text/html message.) If there are then we
need to consider how to modify the filter to handle this case. An
option would be to just look for spaces before the ".", so modifying
\\\\S+\\\\.
to be
\\\\S+ *\\\\.
in
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
and the equivalent test for single part messages.

I am slightly concerned that
http://www.exim.org/
states
Generic Windows Executable Content
this is no longer being maintained.
as I think that the file takes a very simple approach that has stopped
numereous organisations from being hit by numerous viruses.

What are other people's thoughts?


Douglas

--

================================
Douglas GRAY STEPHENS
Technical Architect (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND

Phone  +44 1223 325295
Mobile +44 773 0051628
Fax    +44 1223 311830
Email DGrayStephens@???
================================