Re: [Exim] System_filter not working right

Author: George Szekely
Date:
To: Phil Brutsche
CC: exim-users
Subject: Re: [Exim] System_filter not working right
--
>>I have the same problem with my install. I picked up three *.exe files
>>(Exim 4.22) and usually all executable files get rejected, but these
>>were let through. You can see my filter here:
>>http://www.captainnet.net/misc/system_filter.txt
>
>Nigel's old system_filter script is no longer supported or updated and
>should not be used.
>
>The reason why it should not be used is that it generates a bounce
>message to the *forged* *sender* in the infected message and includes
>the virus in the bounce. In other words, system_filter is almost as
>efficient at spreading the virus as the virus itself. Not to mention the
>fact that you're spamming innocent third parties with bounces to
>messages they never sent.


Phil:
Thanks for your input. I kind of like Nigel's filter, but I also have
the following in my config: bounce_return_message = false -
therefore the original message is not included in the bounce message
generated by Exim. I'm a little bit confused. What is the protocol?
How do you handle it?

I run Exim 4.22 that contains exiscan-acl patch revision 12. Content
filtering through data acls still sends out a bounce message. What I
didn't like about it is that it writes to the logs the entire
envelope header.

   # Reject typically wormish file extensions. There is almost no
   # sense in sending such files by email.
   # drop    message = Contains an unwanted file extension ($found_extension)
   #          demime = scr:com:vbs:bat:exe:lnk:pif


I'm wondering if this acl would have caught anything with .exe
extension regardless of content-type as opposed to my filter which
checks mime.

George

>As a data point: back when SoBig.F first broke out, Exim+Exiscan did a
>WONDERFUL job of stopping the virus itself. But what was a bigger pain
>than dealing with the virus was the HUNDREDS of bounces that were
>delivered into users' INBOXes, many of them containing a copy of the
>virus. The system_filter script was one of the biggest sources of these
>bounces.
>
>If you're interested in stopping Windows executables from being
>transmitted through your mail servers, I *strongly* recommend that you
>patch your Exim installs with Exiscan
>(http://duncanthrax.net/exiscan-acl) and use the content filtering
>capabilities Exim gains to reject the executables while the sending host
>still has the SMTP session open.
>
>--
>
>Phil Brutsche
>phil@???

--
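The thread turns on two points: whether an extension check catches a .exe regardless of the declared content-type (George's question), and why rejecting at DATA time is preferable to a system_filter bounce (Phil's point). The script below is an added illustration written for this archive page, not code from the thread, from Exim or from the exiscan patch; it approximates what an extension condition like the quoted demime example does by walking the MIME parts and reading filenames from both Content-Disposition and Content-Type, ignoring the media type entirely. The function and variable names, the 550/250 verdict pair and the sample messages are all constructed for the example.

```python
import email
import os
from email import policy
from email.utils import collapse_rfc2231_value

# Extension list taken from the commented-out ACL quoted in the message above.
BLOCKED_EXTENSIONS = frozenset({"scr", "com", "vbs", "bat", "exe", "lnk", "pif"})


def _param(part, name, header):
    """Return one decoded header parameter, or None if absent.
    RFC 2231-encoded parameters come back as tuples, hence the collapse."""
    value = part.get_param(name, None, header)
    if value is None:
        return None
    return collapse_rfc2231_value(value).strip()


def part_filenames(part):
    """Every filename a MIME part advertises: Content-Disposition filename=
    and Content-Type name=. The declared media type is deliberately ignored,
    which is what makes a text/plain-labelled .exe still visible."""
    names = []
    for param, header in (("filename", "content-disposition"), ("name", "content-type")):
        value = _param(part, param, header)
        if value and value not in names:
            names.append(value)
    return names


def extension_of(filename):
    """Lower-cased extension without the dot, '' when there is none."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def found_extensions(raw):
    """Extensions of all attached filenames in a raw message, first-seen order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    exts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        for name in part_filenames(part):
            ext = extension_of(name)
            if ext and ext not in exts:
                exts.append(ext)
    return exts


def data_acl_verdict(raw, blocked=BLOCKED_EXTENSIONS):
    """Decision taken while the SMTP session is still open (hypothetical
    DATA-time hook). A 550 leaves the failure with the sending MTA, so no
    bounce is ever generated toward a possibly forged envelope sender."""
    for ext in found_extensions(raw):
        if ext in blocked:
            return 550, f"Contains an unwanted file extension ({ext})"
    return 250, "OK"


def constructed_message(attachment_content_type, disposition_filename=None):
    """Build a constructed two-part test message (not real traffic)."""
    headers = f"Content-Type: {attachment_content_type}\n"
    if disposition_filename:
        headers += f'Content-Disposition: attachment; filename="{disposition_filename}"\n'
    return (
        "From: forged-sender@example.invalid\n"
        "To: user@example.invalid\n"
        "Subject: constructed test message\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nSee attached.\n"
        "--b1\n" + headers + "Content-Transfer-Encoding: base64\n\nTVqQAA==\n--b1--\n"
    ).encode()


# Executable hidden under text/plain: a media-type check misses it, the extension check does not.
SAMPLE_DISGUISED = constructed_message('text/plain; name="report.exe"', "report.exe")
# Filename present only in the Content-Type name= parameter, no Content-Disposition at all.
SAMPLE_NAME_ONLY = constructed_message('application/octet-stream; name="setup.pif"')
# Harmless attachment, should be accepted.
SAMPLE_CLEAN = constructed_message('text/plain; charset="us-ascii"', "notes.txt")

if __name__ == "__main__":
    for label, raw in (("disguised", SAMPLE_DISGUISED), ("name-only", SAMPLE_NAME_ONLY), ("clean", SAMPLE_CLEAN)):
        print(label, data_acl_verdict(raw))
```

Run stand-alone it prints the verdict for each constructed message; the disguised and name-only samples are refused with a 550 naming the extension, the clean one gets 250. The point George was after is visible in `part_filenames`: nothing there consults the media type, so a .exe labelled text/plain is treated exactly like one labelled application/octet-stream.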