I am new to Exim and trying to help with fixing a filter. Been reading the
book and looking for any information on blocking viri. Here is what we have
come up with so far, but the problem seems to be in the last piece of the
code. It is blocking any text contained in the email message and
attachments, as well. Thank you for any help with this.

Deanna

# Exim filter
if not first_delivery
then
finish
endif
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
if $header_content-type: matches
"(?:file)?name=<\"[^\"]+\\\\.(?:vb[se]|ws][fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif)\")"
then
deliver possibleviri@??? errors_to root@???
finish
endif
#same again using unquoted filename [content_type_unquoted_fn_match]
if $header_Content-type matches
"(?:file)?name=(\\\\S+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif))?"
then
deliver possibleviri@??? errors_to root@???
finish
endif
if $header_Content-type matches "(multipart/mixed|application\octet-steam)"
then
if $header_Content-Disposition matches "(attachment|inline)"
then
if $message_body matches ".*ame(=|:).*\".*\.(vbs|wsf|exe)\""
then
delivery spam@??? errors_to root@???
finish
endif
endif
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (
http://www.grisoft.com).
Version: 6.0.525 / Virus Database: 322 - Release Date: 10/9/2003
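A way to check which Content-Type values the unquoted-filename rule above diverts, as an added example that is not part of the original post. It assumes each `\\\\` in the filter string reaches the regex engine as a single backslash and that `matches` is case-insensitive; `STRICT` is a hypothetical variant for comparison, and the header values are constructed.

```python
import re

# Extension list copied from the unquoted-filename rule in the post.
EXT = r"(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif)"

# Assumed regex-level form of the posted rule: the trailing "?" makes the
# whole filename group optional.
POSTED = re.compile(r"(?:file)?name=(\S+\." + EXT + r")?", re.I)

# Hypothetical variant: the group is mandatory and the extension must be
# followed by whitespace, ";" or the end of the header value.
STRICT = re.compile(r"(?:file)?name=(\S+\." + EXT + r")(?:[\s;]|$)", re.I)

# Constructed Content-Type header values (not taken from real mail).
SAMPLES = [
    "text/plain; charset=us-ascii",
    "application/pdf; name=report.pdf",
    "application/octet-stream; name=invoice.exe",
    "application/zip; name=setup.exe.zip",
    "application/octet-stream; name=photo.scr; x-note=1",
]


def diverted(pattern, content_type):
    """True if the rule would fire on this Content-Type value."""
    return pattern.search(content_type) is not None


def compare(headers):
    """Map each header value to (posted_rule_fires, strict_rule_fires)."""
    return {h: (diverted(POSTED, h), diverted(STRICT, h)) for h in headers}


if __name__ == "__main__":
    for header, (posted, strict) in compare(SAMPLES).items():
        print(f"posted={posted!s:5} strict={strict!s:5}  {header}")
```

With the optional group, any value containing `name=` fires the rule whatever the extension; only values with no `name=` parameter pass.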