Re: [Exim] FW: System Filter help

Inizio della pagina
Delete this message
Reply to this message
Autore: Nigel Metheringham
Data:  
To: Deanna Neider
CC: exim-users
Oggetto: Re: [Exim] FW: System Filter help
On Wed, 2003-10-29 at 00:51, Deanna Neider wrote:
> I am new to Exim and trying to help with fixing a filter. Been reading the
> book and looking for any information on blocking viri.


You need to be aware that its probably impossible to effectively parse
MIME with regular expressions - there are too many ways of causing both
false positives and false negatives that you just cannot handle with
grouped regular expressions.

It would be much better and safer to use exiscan's facilities for
looking at MIME subpart file names.

> Here is what we have
> come up with so far, but the problem seems to be in the last piece of the
> code. It is blocking any text contained in the email message and
> attachments, as well. Thank you for any help with this. Deanna


> # Exim filter
> if not first_delivery
> then
> finish
> endif
>
> # Look for single part MIME messages with suspicious name extensions
> # Check Content-Type header using quoted filename
> [content_type_quoted_fn_match]


thats wrapped - it also gives away where you took the orignal code from
:-)

> if $header_content-type: matches
> "(?:file)?name=<\"[^\"]+\\\\.(?:vb[se]|ws][fh]|jse?|exe|com|cmd|shs|hta|bat|
> scr|lnk|pif)\")"
> then
>     deliver possibleviri@??? errors_to root@???
>     finish
> endif
> #same again using unquoted filename [content_type_unquoted_fn_match]
> if $header_Content-type matches
> "(?:file)?name=(\\\\S+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr
> |lnk|pif))?"
> then
>     deliver possibleviri@??? errors_to root@???
>     finish
> endif
> if $header_Content-type matches "(multipart/mixed|application\octet-steam)"


Theres a backslash in there rather than a forward slash -
application/octet-steam

> then
> if $header_Content-Disposition matches "(attachment|inline)"
> then


So this part is run if its some form of multipart of binary MIME message
- thats probably most messages in places that use HTML.

>      if $message_body matches ".*ame(=|:).*\".*\.(vbs|wsf|exe)\""


That regexp collapses to "ame[=:].*\".*\.(vbs|wsf|exe)\""
which probably would have a serious number of false positives.
The .* after the name phrase should be a \s* probably - it wants to be a
white space set not an anything match, expecially in the body where line
ends are translated.

>     then
>       delivery spam@??? errors_to root@???


mispelt deliver

>       finish
>     endif
>   endif


missing endif

Delivering the potential viruses to a user seems strange - it loses a
load of envelope information.


Seriously, don't fix this, but instead integrate exiscan possibly with a
real virus scanner. You cannot effectively fix the problem with a
regexp based system filter.

    Nigel.


--
[ Nigel Metheringham           Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]