[Exim] Detect Prohibited filetypes inside zip files?

Author: Kevin Reed
Date:  
To: exiscanusers
CC: exim-users
Subject: [Exim] Detect Prohibited filetypes inside zip files?
The following is a simple ksh script along with a rule that I used
to block exe, pif, com, cmd and bat files that arrive in zip
files. This could be extended of course... but these were the
primary extensions I wanted to block.

It requires Exiscan-ACL but not the Beta version.

I tested this with Exim 4.30 Exiscan-ACL-14

Andrew D said:
> Kevin Reed said:
>> Eli said:
> -snip--
>>
>> Okay... I've got a ksh script that when I run it separately works
> great... It gets the right directory, finds the right zip file(s) and
> checks them the way I want them to.
>
> I don't spose you could give us a squizz at it :)


#!/usr/bin/ksh
###############################################################
# Locates zip files in the per-message scan directory and looks
# for entries whose names end in .exe .pif .com .cmd or .bat
# Exits 1 if any such entry is found, 0 otherwise.
###############################################################
# Location of files
###############################################################
SCANDIR='/usr/spool/exim/scan'
UNZIP='/usr/local/bin/unzip'
###############################################################
# $1 is the Exim $message_id; fail closed if its directory is missing
cd "${SCANDIR}/$1" || exit 1
for i in `ls | egrep -i '\.zip$'`
do
  # Only the archive listing is examined; nothing is extracted
  if [ `$UNZIP -l "$i" | egrep -i '\.(exe|com|cmd|pif|bat)$' | wc -l` -gt 0 ]
  then
    exit 1
  fi
done
exit 0


>>
>> If it is successful (no file that is not allowed) it uses exit 0
> otherwise it uses exit 1.


I've used the following rule:

deny    log_message = DENY: ZIP with Binary Attachment found
        message = DENY: We don't allow Binary files in Zip files \n \
          If you have questions please contact postmaster@$qualify_domain
        demime = zip
        condition = ${run\
                  {/usr/local/exim/bin/check_zip $message_id}\
                  {0}{1}}
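A more defensive version of the listing check, added here as an example and not part of Kevin's post. It parses the Name column of `unzip -l` output (so entry names containing spaces are handled), can be tested against a constructed listing without running unzip, and keeps the exit-1-means-deny contract the ${run} condition above relies on; the unzip path and the per-message scan directory layout are assumed from the post.

```shell
#!/bin/sh
# Added example, not Kevin's script: the same "blocked extension inside a
# zip" check, but parsing the Name column of `unzip -l` so that entries
# with spaces in their names are handled, and testable without unzip.

# Extensions the post blocks, matched case-insensitively on the entry name.
BLOCKED_EXT_RE='\.(exe|pif|com|cmd|bat)$'

# zip_listing_has_blocked: reads `unzip -l` output on stdin.
# Entry rows start with a numeric size and have at least 4 fields; the
# header, separator and "N files" total rows do not. Everything after the
# size/date/time columns is the name. Returns 0 if a blocked name is found.
zip_listing_has_blocked() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { sub(/^ *[0-9]+ +[^ ]+ +[^ ]+ +/, ""); print }' \
        | grep -Eiq "$BLOCKED_EXT_RE"
}

# check_zips_in_dir DIR: mirrors the post's script for Exim's ${run} (exit 1
# means deny). Assumes unzip is at $UNZIP; listing only, nothing extracted.
UNZIP="${UNZIP:-/usr/local/bin/unzip}"
check_zips_in_dir() {
    for z in "$1"/*.[Zz][Ii][Pp]; do
        [ -f "$z" ] || continue
        if "$UNZIP" -l "$z" 2>/dev/null | zip_listing_has_blocked; then
            return 1
        fi
    done
    return 0
}

# Constructed sample listings in `unzip -l` format (not real archives).
SAMPLE_BAD='Archive:  attachment.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1234  2024-01-01 12:00   docs/readme.txt
      512  2024-01-01 12:00   Setup Program.EXE
---------                     -------
     1746                     2 files'
SAMPLE_CLEAN='Archive:  attachment.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1234  2024-01-01 12:00   docs/readme.txt
       99  2024-01-01 12:00   notes.bat.txt
---------                     -------
     1333                     2 files'

# Stand-alone demo: the first listing is blocked, the second allowed.
printf '%s\n' "$SAMPLE_BAD"   | zip_listing_has_blocked && echo "SAMPLE_BAD: blocked"
printf '%s\n' "$SAMPLE_CLEAN" | zip_listing_has_blocked || echo "SAMPLE_CLEAN: allowed"
```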


I don't get a chance to do much shell scripting nowadays and would welcome
improvements... but this seems to work pretty well.

I need to change the notices in them as it really doesn't properly say
what is being blocked but it works for now.

Thanks to Eli last night for giving some good hints on what needed to be
done.

--
Kevin W. Reed - TNET Services, Inc.
Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums