RE: [exim] Opposite to $sender_address.

Hi,

Two notes here, you are denying file extensions, would better option to be just accept certain file extensions. Like you seem to be happy to accept jpg & gif & doc & dot for example?

Another note, changing file extension for mail transfer is easy (rename *.exe to *.ex_). File Id field (=file magic number) is harder to change (because you need to change it back at receiving side for the file to be usable), so probably you should scan it? So I ask should Exim have $filemagic variable (sorry if there already is)?

With File ID-field I mean first bytes in actual file:
- Windows executable starts with MZ
- ZIP files with PK etc.
- PDF files with %PDF

URL to file magic: http://www.astro.keele.ac.uk/oldusers/rno/Computing/File_magic.html

Naturally this file magic is easy to read from MIME base64 without decoding the whole file. Just take minimum of 3 base64-chars and convert them to binary with 2 bytes. Then compare 2 bytes to a table, if more base64-decoding is done, fine, read more from input and add it to resolved magic number.

Eventually you see that if magic is "ff d8 ff e0" it is a JPEG file, and it should ok. If magic is "4D 5A" but extension is .jpg, it is most probably executable file with extension falsified. And on the message it might read "rename *.jpg to *.exe" and run this for a nice game.

It is harder to make instructions that open file in hex editor, change first four bytes to 4D5A0000 and change extension to *.exe and run it for good show.

Naturally this is not 100% proof but an idea..

Best regards,
Jori

-----Original Message-----
From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On Behalf Of Brent Clark
Sent: 20. helmikuuta 2006 17:10
To: exim-users@???
Subject: [exim] Opposite to $sender_address.

Hi all

In my exim log file I have the follwing entries


2006-02-20 15:52:56 1FBBT6-0003M3-0s H=ctb-mesg7.saix.net [196.25.240.77] F=<debbie@???> rejected during MIME ACL checks: REJECTED ATTACHMENT (bmp)

What I was hoping to achieve is that the messge as well as the rcpt to address will appear.
e.g. REJECTED ATTACHMENT (bmp) (rcpt is: bclark@???)

My acl is like so.

acl_check_mime:
# File extension filtering.
deny   set acl_m1 = ${extract{-1}{.}{${lc:$mime_filename}}}
message  = This message contains a prohibited file extension ($acl_m1)\n\
log_message     = REJECTED ATTACHMENT ($acl_m1)
condition       = ${if match{$acl_m1}{\N^(avi|asf|ade|adp|asx|asp|arj|\
                                         bat|bin|btm|bas|bmp|\
                                         cpl|com|cmd|class|cab|chm|crt|\
                                         dll|\
                                         exe|\
                                         gz|\
                                         hta|hlp|hiv|htm|html\
                                         inf|ins|isp|\
                                         js|jse|java|jtd|\
                                         mpeg|mp3|mpg|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|\
                                         ole|ocx|oft|ovl|ops|\
                                         prf|plx|pcd|prf|pub|pif|pl|php|pst|\
                                         reg|\
                                         shs|scr|sh|sys|shb|scf|sct|shtml|\
                                         tar|\
                                         rar|\
                                         url|\
                                         vb|vbs|vbe|vxd|vss|vst|vob|\
                                         wav|wmf|wsc|wma|wsh|ws|wsf|wmd|wmv|wmz|pps|zip|ppt\
                                         )$\N}{1}{0}}

I need the variable that is the opposite to $sender_address.

If anyone could assist me, I would be most grateful.

Kind Regards

Brent Clark

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/