[Exim] Only partial System Filtering of exe attachments

Author: wvaughan
Date:  
To: exim-users
Subject: [Exim] Only partial System Filtering of exe attachments
What am I missing from using the system_filter to stop all exe attachments?
First is a bounced message; however, the second header listing is one that
still gets through all the time...

[Note I had to change exe to axe in order to send to this mailing list]

Do I have to duplicate the search for executable content to also look at
something else?

*********************
Correctly bounced header
*********************
------ This is a copy of the message, including all the headers. ------

Return-path: <wvaughan@???>
Received: from [166.82.96.28] (helo=steelerubber.com)
        by cadillac.steelerubber.com with esmtp (Exim 4.04)
        id 17HPMW-0000YA-00
        for wvaughan@???; Mon, 10 Jun 2002 09:37:36 -0400
Message-ID: <3D04ABE5.2CA13776@???>
Date: Mon, 10 Jun 2002 09:38:45 -0400
From: wvaughan <wvaughan@???>
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Walter Vaughan <wvaughan@???>
Subject: test
Content-Type: multipart/mixed;
 boundary="------------5AF2B6461D5F24A7066B54CF"


This is a multi-part message in MIME format.
--------------5AF2B6461D5F24A7066B54CF
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

test
--------------5AF2B6461D5F24A7066B54CF
Content-Type: application/octet-stream;
name="Copy.cpuinfo[1].axe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Copy.cpuinfo[1].axe"

*****************
Yet it won't bounce messages like this
*****************
Return-path: <carolann@???>
Envelope-to: wvaughan@???
Delivery-date: Mon, 10 Jun 2002 08:47:41 -0400
Received: from out002pub.verizon.net ([206.46.170.141] helo=out002.verizon.net)
        by cadillac.steelerubber.com with esmtp (Exim 4.04)
        id 17HOaB-0000UI-00
        for wvaughan@???; Mon, 10 Jun 2002 08:47:39 -0400
Received: from Rsgi ([209.209.179.126]) by out002.verizon.net
          (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
          id <20020610124636.RLRZ28968.out002.verizon.net@Rsgi>
          for <wvaughan@???>; Mon, 10 Jun 2002 07:46:36 -0500
From: carolann <carolann@???>
To: wvaughan@???
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=YbpXikil7936b25O4LcC6j5hye7kQu
Message-Id: <20020610124636.RLRZ28968.out002.verizon.net@Rsgi>
Date: Mon, 10 Jun 2002 07:46:38 -0500
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: oY8!!2dj!!`f)"!XbH"!


--YbpXikil7936b25O4LcC6j5hye7kQu
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>Klez.E is the most common world-wide spreading worm.It's very dangerous by
corrupting your files.<br>
Because of its very smart stealth and anti-anti-virus technic,most common AV
software can't detect or clean it.<br>
We developed this free immunity tool to defeat the malicious virus.<br>
You only need to run this tool once,and then Klez will never come into your
PC.<br>
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV
monitor maybe cry when you run it.<br>
If so,Ignore the warning,and select 'continue'.<br>
If you have any question,please <a href=3Dmailto:carolann@mostreferred.com>mail
to me</a>.</FONT></BODY></HTML>

--YbpXikil7936b25O4LcC6j5hye7kQu
Content-Type: application/octet-stream;
        name=freegamesweb.ingava[1].axe
Content-Transfer-Encoding: base64
Content-ID: <Jj8O2xVTf16lR5854>
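The visible difference between the two quoted parts is that the bounced message carries the name in double quotes (and repeats it as a Content-Disposition: filename= parameter), while the Klez message has an unquoted name= on Content-Type only and no Content-Disposition at all. The post does not include the actual filter, so the following is an added example, not the poster's filter and not Exim code: it assumes a hypothetical rule that only matches a double-quoted filename, shows that such a rule misses the second form, and compares it with a match that accepts both RFC 2045 token and quoted-string parameter values, cross-checked against Python's own MIME parser.

```python
import re
from email import message_from_string

# Constructed sample headers modelled on the two MIME parts quoted in the post
# (the post writes the extension as "axe" in place of "exe").
BOUNCED_PART = (
    "Content-Type: application/octet-stream;\n"
    ' name="Copy.cpuinfo[1].axe"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    ' filename="Copy.cpuinfo[1].axe"\n'
)
PASSED_PART = (
    "Content-Type: application/octet-stream;\n"
    "        name=freegamesweb.ingava[1].axe\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-ID: <Jj8O2xVTf16lR5854>\n"
)

BLOCKED = ("exe", "axe")  # "axe" only because the post substitutes it for "exe"
EXT = "|".join(BLOCKED)

# Hypothetical rule: the filename must be enclosed in double quotes.
# It fires on the bounced sample and silently passes the unquoted one.
QUOTED_ONLY = re.compile(r'(?:file)?name=\s*"[^"]*\.(?:%s)"' % EXT, re.I)

# RFC 2045 allows a parameter value to be a bare token or a quoted-string, and
# the parameter may sit on Content-Type (name=) or Content-Disposition
# (filename=).  Accept both forms; a token ends at ';', whitespace or end of line.
ANY_FORM = re.compile(
    r'(?:file)?name=\s*(?:"[^"]*\.(?:%s)"|[^\s;"]*\.(?:%s))(?=\s*;|\s*$)' % (EXT, EXT),
    re.I | re.M,
)


def quoted_only_blocks(part):
    return QUOTED_ONLY.search(part) is not None


def any_form_blocks(part):
    return ANY_FORM.search(part) is not None


def mime_filename(part):
    """Name as a MIME parser sees it: Content-Disposition filename=, else Content-Type name=."""
    return message_from_string(part).get_filename()


def blocked_by_parser(part):
    """Decision a parser-based check would make on the decoded filename."""
    name = mime_filename(part) or ""
    return name.rsplit(".", 1)[-1].lower() in BLOCKED
```

Whichever rule the real filter uses, matching on the decoded parameter value rather than on the raw quoted text is what closes the gap between the two samples.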