Re: [Exim] Logging of mails with attachment via system_filte…

Author: Jens Strohschnitter
Date:  
To: exim-users
Subject: Re: [Exim] Logging of mails with attachment via system_filter
> > is it possible to log all mails, that have attachments
> > to a separate logfile, like blocking with system_filter ?
> >
> > For example all mails with attachment should be logged
> > in a file attachments.log that contains the information:
> >
> > senderaddress
> > recipientaddress
> > attachment
>
> Do you need to know all attachments?? or are you just attempting to log
> certain types of attachments.
>
> If it is certain types, you could use exiscan-ACL and just make a rule
> that does a warn about anything that matches the type of attachment you
> want, and then do a simple grep of your logs for all the info you need.
>
> Same as I do now for blocking attachments... All the info is already in
> the logs...
>
> DENY ATTACHMENT                        14
>    EXE ATTACHMENT                      13
>    COM ATTACHMENT                       0
>    PIF ATTACHMENT                       0
>    SCR ATTACHMENT                       1
>
> The same way I grep this you could grep out the other info you are looking
> for...

Hi

I've found a way to log the attachments, but only those where the suffix has
3 letters like .xls, .exe ... but not those like .vb or .x (2 or only 1 letter)

My system_filter entry looks like:

if $received_protocol is not "scanned-ok" and $received_protocol is not "spam-scanned" and $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:[...])\")[\\\\s;]"
#               ^^^


then
  logfile /var/log/exim/attachments.log 0644
  logwrite "$tod_log $message_id has attachment                 : ($1)"
  logwrite "$tod_log subject                                    : $rheader_subject"
  logwrite "$tod_log recipients                                 : $recipients"
  logwrite "$tod_log return path                                : $return_path"
  logwrite "--------------------------------------------------------------------------------------------"
seen
endif


But when I replace [...] with [*] nothing will be logged to the given file. Only with [...] it works.
What regular expression should be used to make it work with suffixes like .x and .xx and .xxx?



--
Regards,

     Jens Strohschnitter


-------------------------------------
*!!!LINUX LINUX LINUX LINUX LINUX!!!*

* http://www.jens-strohschnitter.de *
-------------------------------------
Set the controls for
         the heart of the sun
-------------------------------------
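
An added example, not part of the original post: a Python check of a pattern with the same structure as the filter's, comparing a fixed three-character extension with a 1-to-3 character range on a constructed message body. Assumptions: Python's re module stands in for Exim's PCRE (single backslashes, atomic groups written as plain \s* and \s+), extensions are ASCII letters and digits, and the names build_pattern, find_attachments and SAMPLE_BODY are hypothetical.

```python
import re


def build_pattern(min_len, max_len):
    """Pattern shaped like the filter's; the extension is min_len..max_len chars."""
    # Assumption: an extension is made of ASCII letters and digits only.
    ext = r'[A-Za-z0-9]{%d,%d}' % (min_len, max_len)
    return re.compile(
        # MIME header carrying name= or filename= ...
        r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*'
        r'(?:file)?name='
        # ... or a uuencode "begin <mode>" line
        r'|begin\s+[0-7]{3,4}\s+)'
        # quoted file name ending in .ext, then whitespace or ';'
        r'("[^"]+\.' + ext + r'")[\s;]',
        re.IGNORECASE,
    )


def find_attachments(body, min_len=1, max_len=3):
    """Return every quoted attachment name the pattern finds in a raw body."""
    pattern = build_pattern(min_len, max_len)
    return [m.group(1).strip('"') for m in pattern.finditer(body)]


# Constructed sample body, not taken from a real message.
SAMPLE_BODY = (
    '--b1\n'
    'Content-Type: application/octet-stream; name="budget.xls"\n'
    '\n'
    '--b1\n'
    'Content-Disposition: attachment;\n'
    ' filename="macro.vb"\n'
    '\n'
    '--b1\n'
    'Content-Disposition: attachment; filename="run.x"; size=12\n'
    '\n'
    '--b1\n'
    'Content-Disposition: attachment; filename="report.docx"\n'
    '--b1--\n'
)

if __name__ == "__main__":
    print("exactly 3 chars:", find_attachments(SAMPLE_BODY, 3, 3))
    print("1 to 3 chars   :", find_attachments(SAMPLE_BODY, 1, 3))
```

A name with a longer extension such as report.docx is still missed with an upper bound of 3; raising max_len widens what gets logged.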