Re: [exim] system_filter

Top Page
Delete this message
Reply to this message
Author: Ian Eiloart
Date:  
To: Marcin Krol, exim users
Subject: Re: [exim] system_filter


--On 26 October 2006 14:25:11 +0200 Marcin Krol <admin@???> wrote:

> Hello everyone,
>
> I'm an Exim newbie, so please don't get annoyed if issues I raise seem
> obvious to you. :-)
>
> I get some legitimate mail discarded by Exim system_filter and the only
> effect visible
> in logs is this:



It looks like the only items that are discarded without log entries are
these:

if $header_subject contains "rice"
then
unseen finish
endif

if $header_subject contains "rize"
then
unseen finish
endif


I think they're intended to reject "[Pp]ri[cz]e", but you already have
checks for those, which do log. These entries will discard a lot of
legitimate email, if you get email in English. There are over 500 english
words containing rice or rize!

<http://www.morewords.com/>

Best advice is to remove all those tests for simple strings in the subject
line.


>
> /var/log/exim/mainlog.1:2006-10-24 12:22:34 1GcJQR-000DuK-WD =>
> discarded (system filter)
> /var/log/exim/mainlog.1:2006-10-24 12:22:34 1GcJQR-000DuK-WD Completed
>
> A few attachments (Excel, Word files, etc) make the system filter
> discard the mail FROM
> this particular user and some other users, but without specifying any
> further reason or hint how
> to prevent this from happening. What's weird is that another account in
> the very same domain
> does not have this problem.
>
> How can I fix this behavior so the legitimate mail with attachments from
> the users gets through
>
> - or -
>
> ...at least get the reason why it is discarded recorded in the log?
>
>
>
> OS: FreeBSD 5.4, Exim: exim-4.42-1
>
>
> Contents of /etc/system_filter.exim file:
>
>
># Exim filter
>## Version: 0.17
>#       $Id: system_filter.exim,v 1.11 2001/09/19 11:27:56 nigel Exp $

>
>## Exim system filter to refuse potentially harmful payloads in
>## mail messages
>## (c) 2000-2001 Nigel Metheringham <nigel@???>
>##
>##     This program is free software; you can redistribute it and/or modify
>##    it under the terms of the GNU General Public License as published by
>##    the Free Software Foundation; either version 2 of the License, or
>##    (at your option) any later version.
>##
>##    This program is distributed in the hope that it will be useful,
>##    but WITHOUT ANY WARRANTY; without even the implied warranty of
>##    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>##    GNU General Public License for more details.
>##
>##    You should have received a copy of the GNU General Public License
>##    along with this program; if not, write to the Free Software
>##    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
> 02111-1307  USA
>## -A copy of the GNU General Public License is distributed with exim
> itself

>
>## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>## If you haven't worked with exim filters before, read
>## the install notes at the end of this file.
>## The install notes are not a replacement for the exim documentation
>## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
>
>## -----------------------------------------------------------------------
># Only run any of this stuff on the first pass through the
># filter - this is an optomisation for messages that get
># queued and have several delivery attempts
>#
># we express this in reverse so we can just bail out
># on inappropriate messages
>#
> if not first_delivery
> then
> finish
> endif
>
>## -----------------------------------------------------------------------
># Check for MS buffer overruns as per BUGTRAQ.
>#
> http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid
> %3D61
>
># This could happen in error messages, hence its placing
># here...
># We substract the first n characters of the date header
># and test if its the same as the date header... which
># is a lousy way of checking if the date is longer than
># n chars long
> if ${length_80:$header_date:} is not $header_date:
> then
>  fail text "This message has been rejected because it has\n\
>             an overlength date field which can be used\n\
>             to subvert Microsoft mail programs\n\
>             The following URL has further information\n\

>
> http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid
> %3D61"
>
> seen finish
> endif
>
>## -----------------------------------------------------------------------
># These messages are now being sent with a <> envelope sender, but
># blocking all error messages that pattern match prevents
># bounces getting back.... so we fudge it somewhat and check for known
># header signatures.  Other bounces are allowed through.
> if $header_from: contains "@sexyfun.net"
> then
>  fail text "This message has been rejected since it has\n\
>             the signature of a known virus in the header."
>  seen finish
> endif
> if error_message and $header_from: contains "Mailer-Daemon@"
> then
>  # looks like a real error message - just ignore it
>  finish
> endif
> if $header_subject contains "Prize"
> then
>    logfile /var/log/_spam.log
>    logwrite "Prize $message_id / $sender_address_domain"
>    seen finish
> endif
> if $header_subject contains "Price"
> then
>    logfile /var/log/_spam.log
>    logwrite "Price $message_id / $sender_address_domain"
>    seen finish
> endif

>
> if $header_subject contains "prize"
> then
>    logfile /var/log/_spam.log
>    logwrite "Prize $message_id / $sender_address_domain"
>    seen finish
> endif
> if $header_subject contains "price"
> then
>    logfile /var/log/_spam.log
>    logwrite "Price $message_id / $sender_address_domain"
>    seen finish
> endif

>
> if $header_from: contains "@fbi.gov"
> then
> fail text "Wiadomosc odrzucona."
> seen finish
> endif
>
>
>## -----------------------------------------------------------------------
># Look for single part MIME messages with suspicious name extensions
># Check Content-Type header using quoted filename
> [content_type_quoted_fn_match]
> if $header_content-type: matches
> "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp
> |hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[s
> e]|ws[fhc])\")"
>
> then
>  fail text "This message has been rejected because it has\n\
>             potentially executable content $1\n\
>             This form of attachment has been used by\n\
>             recent viruses or other malware.\n\
>             If you meant to send this file then please\n\
>             package it up as a zip file and resend it."
>  seen finish
> endif
># same again using unquoted filename [content_type_unquoted_fn_match]
> if $header_content-type: matches
> "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|h
> ta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]
> |ws[fhc]))"

>
> then
>  fail text "This message has been rejected because it has\n\
>             potentially executable content $1\n\
>             This form of attachment has been used by\n\
>             recent viruses or other malware.\n\
>             If you meant to send this file then please\n\
>             package it up as a zip file and resend it."
>  seen finish
> endif

>
>
>## -----------------------------------------------------------------------
># Attempt to catch embedded VBS attachments
># in emails. These were used as the basis for
># the ILOVEYOU virus and its variants - many many varients
># Quoted filename - [body_quoted_fn_match]
> if $message_body matches
> "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)a
> ttachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(
> \"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|
> jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\
> \\\s;]"
>
> then
>  fail text "This message has been rejected because it has\n\
>             a potentially executable attachment $1\n\
>             This form of attachment has been used by\n\
>             recent viruses or other malware.\n\
>             If you meant to send this file then please\n\
>             package it up as a zip file and resend it."
>  seen finish
> endif
># same again using unquoted filename [body_unquoted_fn_match]
> if $message_body matches
> "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)a
> ttachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(
> \\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|js
> e?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s
> ;]"

>
> then
>  fail text "This message has been rejected because it has\n\
>             a potentially executable attachment $1\n\
>             This form of attachment has been used by\n\
>             recent viruses or other malware.\n\
>             If you meant to send this file then please\n\
>             package it up as a zip file and resend it."
>  seen finish
> endif
>## -----------------------------------------------------------------------

>
> if $header_subject contains "Creator Duplicate"
> then
>    deliver g.danecki@???
>    deliver info@???
>    deliver $header_to:
> endif

>
> if $header_subject contains "rice"
> then
>    unseen finish
> endif

>
> if $header_subject contains "rize"
> then
>    unseen finish
> endif

>
> if $header_subject contains "*****SPAM*****"
> then
>    logfile /var/log/_spam.log
>    logwrite "+ Spamik jak ta lala z ID: $message_id, o wiele mowiacym
> tytule: $header_subject wyslany przez: $sender_address_domain / A FUJ!,
> wstydzcie sie!"
>    unseen finish
> endif

>
>#### Version history
>#
># 0.01 5 May 2000
>#       Initial release
># 0.02 8 May 2000
>#       Widened list of content-types accepted, added WSF extension
># 0.03 8 May 2000
>#       Embedded the install notes in for those that don't do manuals
># 0.04 9 May 2000
>#       Check global content-type header.  Efficiency mods to REs
># 0.05 9 May 2000
>#       More minor efficiency mods, doc changes
># 0.06 20 June 2000
>#       Added extension handling - thx to Douglas Gray Stephens & Jeff
> Carnahan
># 0.07 19 July 2000
>#       Latest MS Outhouse bug catching
># 0.08 19 July 2000
>#       Changed trigger length to 80 chars, fixed some spelling
># 0.09 29 September 2000
>#       More extensions... its getting so we should just allow 2 or 3
> through
># 0.10 18 January 2001
>#       Removed exclusion for error messages - this is a little nasty
>#       since it has other side effects, hence we do still exclude
>#       on unix like error messages
># 0.11 20 March, 2001
>#       Added CMD extension, tidied docs slightly, added RCS tag
>#       ** Missed changing version number at top of file :-(
># 0.12 10 May, 2001
>#       Added HTA extension
># 0.13 22 May, 2001
>#       Reformatted regexps and code to build them so that they are
>#       shorter than the limits on pre exim 3.20 filters.  This will
>#       make them significantly less efficient, but I am getting so
>#       many queries about this that requiring 3.2x appears unsupportable.
># 0.14 15 August,2001
>#       Added .lnk extension - most requested item :-)
>#       Reformatted everything so its now built from a set of short
>#       library files, cutting down on manual duplication.
>#       Changed \w in filename detection to . - dodges locale problems
>#       Explicit application of GPL after queries on license status
># 0.15 17 August, 2001
>#       Changed the . in filename detect to \S (stops it going mad)
># 0.16 19 September, 2001
>#       Pile of new extensions including the eml in current use
># 0.17 19 September, 2001
>#       Syntax fix
>#
>#### Install Notes
>#
># Exim filters run the exim filter language - a very primitive
># scripting language - in place of a user .forward file, or on
># a per system basis (on all messages passing through).
># The filtering capability is documented in the main set of manuals
># a copy of which can be found on the exim web site
>#       http://www.exim.org/
>#
># To install, copy the filter file (with appropriate permissions)
># to /etc/exim/system_filter.exim and add to your exim config file
># [location is installation depedant - typicaly /etc/exim/config ]
># in the first section the line:-
>#       message_filter = /etc/exim/system_filter.exim
>#       message_body_visible = 5000
>#
># You may also want to set the message_filter_user & message_filter_group
># options, but they default to the standard exim user and so can
># be left untouched.  The other message_filter_* options are only
># needed if you modify this to do other functions such as deliveries.
># The main exim documentation is quite thorough and so I see no need
># to expand it here...
>#
># Any message that matches the filter will then be bounced.
># If you wish you can change the error message by editing it
># in the section above - however be careful you don't break it.
>#
># After install exim should be restarted - a kill -HUP to the
># daemon will do this.
>#
>#### LIMITATIONS
>#
># This filter tries to parse MIME with a regexp... that doesn't
># work too well.  It will also only see the amount of the body
># specified in message_body_visible
>#
>#### BASIS
>#
># The regexp that is used to pickup MIME/uuencoded body parts with
># quoted filenames is replicated below (in perl format).
># You need to remember that exim converts newlines to spaces in
># the message_body variable.
>#
>#         (?:Content-                                   # start of
> content header
>#         (?:Type: (?>\s*)                              # rest of c/t
> header
>#           [\w-]+/[\w-]+                               # content-type
> (any)
>#           | Disposition: (?>\s*)                       #
> content-disposition hdr
>#           attachment)                                 #
> content-disposition
>#         ;(?>\s*)                                      # ; space or
> newline
>#         (?:file)?name=                                # filename=/name=
>#         | begin (?>\s+) [0-7]{3,4} (?>\s+))            # begin octal-mode
>#         (\"[^\"]+\.                                   # quoted filename.
>#               (?:ad[ep]                               # list of extns
>#               | ba[st]
>#               | chm
>#               | cmd
>#               | com
>#               | cpl
>#               | crt
>#               | eml
>#               | exe
>#               | hlp
>#               | hta
>#               | in[fs]
>#               | isp
>#               | jse?
>#               | lnk
>#               | md[be]
>#               | ms[cipt]
>#               | pcd
>#               | pif
>#               | reg
>#               | scr
>#               | sct
>#               | shs
>#               | url
>#               | vb[se]
>#               | ws[fhc])
>#         \"                                            # end quote
>#         )                                             # end of
> filename capture
>#         [\s;]                                         # trailing
> ;/space/newline

>
>#
>#
>### [End]
>
>
>
>
> =========================================================
>
> --
> Dział Techniczny
> Marcin Król
>
> Domeny, Hosting, Kolokacja, Certyfikaty SSL, Monitoring serwerów ...
> ------------------------------------------------------------------
> DOMENY.PL sp. z o.o. ul. Wielicka 50, 30-552 Kraków, Poland
> tel. +48(12)296 3663, info: +48 501 DOMENY
> fax. +48(12)296 3664, +48(22)3 987 365
> e-mail: pomoc@???, www: http://www.Domeny.pl
> ------------------------------------------------------------------
> Komunikator online/ Live Chat:
> http://live2.domeny.pl/request_email.php?l=phplive&x=1&deptid=2




--
Ian Eiloart
IT Services, University of Sussex