Re: [exim] system_filter

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Marcin Krol
Datum:  
To: exim users
Betreff: Re: [exim] system_filter
Hello.

Edward St Pierre napisał(a):
> Firstly I would say if you have a problem with it, do not discard the
> messages, have them delivered to a central mailbox.
> And obviously write as much as you can to a log for every stage of
> your filter.


Thanks for reply and it's a good suggestion indeed - the question is,
how do I do that?

I'd love to try that (found some info on exim filtering already), but
it's a production server with several hundred users
active on it and it's not like I'm in position to do much of
experimenting. :-(

>
> Then when you have found one that is getting caught by the filter test
> the filter with that message using exim *-bF
> *


OK, thanks

> *
> *
>
> On 26/10/06, *Marcin Krol* <admin@??? <mailto:admin@domeny.pl>>
> wrote:
>
>     Hello everyone,

>
>     I'm an Exim newbie, so please don't get annoyed if issues I raise seem
>     obvious to you. :-)

>
>     I get some legitimate mail discarded by Exim system_filter and the
>     only
>     effect visible
>     in logs is this:

>
>
>     /var/log/exim/mainlog.1:2006-10-24 12:22:34 1GcJQR-000DuK-WD =>
>     discarded (system filter)
>     /var/log/exim/mainlog.1:2006-10-24 12:22:34 1GcJQR-000DuK-WD Completed

>
>     A few attachments (Excel, Word files, etc) make the system filter
>     discard the mail FROM
>     this particular user and some other users, but without specifying any
>     further reason or hint how
>     to prevent this from happening. What's weird is that another
>     account in
>     the very same domain
>     does not have this problem.

>
>     How can I fix this behavior so the legitimate mail with
>     attachments from
>     the users gets through

>
>     - or -

>
>     ...at least get the reason why it is discarded recorded in the log?

>
>
>
>     OS: FreeBSD 5.4, Exim: exim-4.42-1

>
>
>     Contents of /etc/system_filter.exim file:

>
>
>     # Exim filter
>     ## Version: 0.17
>     #       $Id: system_filter.exim,v 1.11 2001/09/19 11:27:56 nigel
>     Exp $

>
>     ## Exim system filter to refuse potentially harmful payloads in
>     ## mail messages
>     ## (c) 2000-2001 Nigel Metheringham <nigel@???
>     <mailto:nigel@exim.org>>
>     ##
>     ##     This program is free software; you can redistribute it
>     and/or modify
>     ##    it under the terms of the GNU General Public License as
>     published by
>     ##    the Free Software Foundation; either version 2 of the
>     License, or
>     ##    (at your option) any later version.
>     ##
>     ##    This program is distributed in the hope that it will be useful,
>     ##    but WITHOUT ANY WARRANTY; without even the implied warranty of
>     ##    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>     ##    GNU General Public License for more details.
>     ##
>     ##    You should have received a copy of the GNU General Public
>     License
>     ##    along with this program; if not, write to the Free Software
>     ##    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
>     02111-1307  USA
>     ## -A copy of the GNU General Public License is distributed with exim
>     itself

>
>     ## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>     ## If you haven't worked with exim filters before, read
>     ## the install notes at the end of this file.
>     ## The install notes are not a replacement for the exim documentation
>     ## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

>
>
>     ##
>     -----------------------------------------------------------------------
>     # Only run any of this stuff on the first pass through the
>     # filter - this is an optomisation for messages that get
>     # queued and have several delivery attempts
>     #
>     # we express this in reverse so we can just bail out
>     # on inappropriate messages
>     #
>     if not first_delivery
>     then
>     finish
>     endif

>
>     ##
>     -----------------------------------------------------------------------

>
>     # Check for MS buffer overruns as per BUGTRAQ.
>     #
>     http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
>     <http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61>

>
>     # This could happen in error messages, hence its placing
>     # here...
>     # We substract the first n characters of the date header
>     # and test if its the same as the date header... which
>     # is a lousy way of checking if the date is longer than
>     # n chars long
>     if ${length_80:$header_date:} is not $header_date:
>     then
>     fail text "This message has been rejected because it has\n\
>                 an overlength date field which can be used\n\
>                 to subvert Microsoft mail programs\n\
>                 The following URL has further information\n\

>
>     http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
>     <http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61>"

>
>     seen finish
>     endif

>
>     ##
>     -----------------------------------------------------------------------
>     # These messages are now being sent with a <> envelope sender, but
>     # blocking all error messages that pattern match prevents
>     # bounces getting back.... so we fudge it somewhat and check for known
>     # header signatures.  Other bounces are allowed through.
>     if $header_from: contains "@sexyfun.net <http://sexyfun.net>"
>     then
>     fail text "This message has been rejected since it has\n\
>                 the signature of a known virus in the header."
>     seen finish
>     endif
>     if error_message and $header_from: contains "Mailer-Daemon@"
>     then
>     # looks like a real error message - just ignore it
>     finish
>     endif
>     if $header_subject contains "Prize"
>     then
>        logfile /var/log/_spam.log
>        logwrite "Prize $message_id / $sender_address_domain"
>        seen finish
>     endif
>     if $header_subject contains "Price"
>     then
>        logfile /var/log/_spam.log
>        logwrite "Price $message_id / $sender_address_domain"
>        seen finish
>     endif

>
>     if $header_subject contains "prize"
>     then
>        logfile /var/log/_spam.log
>        logwrite "Prize $message_id / $sender_address_domain"
>        seen finish
>     endif
>     if $header_subject contains "price"
>     then
>        logfile /var/log/_spam.log
>        logwrite "Price $message_id / $sender_address_domain"
>        seen finish
>     endif

>
>     if $header_from: contains "@fbi.gov <http://fbi.gov>"
>     then
>     fail text "Wiadomosc odrzucona."
>     seen finish
>     endif

>
>
>     ##
>     -----------------------------------------------------------------------
>     # Look for single part MIME messages with suspicious name extensions
>     # Check Content-Type header using quoted filename
>     [content_type_quoted_fn_match]
>     if $header_content-type: matches
>     "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"

>
>
>     then
>     fail text "This message has been rejected because it has\n\
>                 potentially executable content $1\n\
>                 This form of attachment has been used by\n\
>                 recent viruses or other malware.\n\
>                 If you meant to send this file then please\n\
>                 package it up as a zip file and resend it."
>     seen finish
>     endif
>     # same again using unquoted filename [content_type_unquoted_fn_match]
>     if $header_content-type: matches
>     "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"

>
>     then
>     fail text "This message has been rejected because it has\n\
>                 potentially executable content $1\n\
>                 This form of attachment has been used by\n\
>                 recent viruses or other malware.\n\
>                 If you meant to send this file then please\n\
>                 package it up as a zip file and resend it."
>     seen finish
>     endif

>
>
>     ##
>     -----------------------------------------------------------------------

>
>     # Attempt to catch embedded VBS attachments
>     # in emails.   These were used as the basis for
>     # the ILOVEYOU virus and its variants - many many varients
>     # Quoted filename - [body_quoted_fn_match]
>     if $message_body matches
>     "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"

>
>
>     then
>     fail text "This message has been rejected because it has\n\
>                 a potentially executable attachment $1\n\
>                 This form of attachment has been used by\n\
>                 recent viruses or other malware.\n\
>                 If you meant to send this file then please\n\
>                 package it up as a zip file and resend it."
>     seen finish
>     endif
>     # same again using unquoted filename [body_unquoted_fn_match]
>     if $message_body matches
>     "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"

>
>
>     then
>     fail text "This message has been rejected because it has\n\
>                 a potentially executable attachment $1\n\
>                 This form of attachment has been used by\n\
>                 recent viruses or other malware.\n\
>                 If you meant to send this file then please\n\
>                 package it up as a zip file and resend it."
>     seen finish
>     endif
>     ##
>     -----------------------------------------------------------------------

>
>
>     if $header_subject contains "Creator Duplicate"
>     then
>        deliver g.danecki@??? <mailto:g.danecki@gmail.com>
>        deliver info@??? <mailto:info@domeny.pl>
>        deliver $header_to:
>     endif

>
>     if $header_subject contains "rice"
>     then
>        unseen finish
>     endif

>
>     if $header_subject contains "rize"
>     then
>        unseen finish
>     endif

>
>     if $header_subject contains "*****SPAM*****"
>     then
>        logfile /var/log/_spam.log
>        logwrite "+ Spamik jak ta lala z ID: $message_id, o wiele mowiacym
>     tytule: $header_subject wyslany przez: $sender_address_domain / A
>     FUJ!,
>     wstydzcie sie!"
>        unseen finish
>     endif

>
>     #### Version history
>     #
>     # 0.01 5 May 2000
>     #       Initial release
>     # 0.02 8 May 2000
>     #       Widened list of content-types accepted, added WSF extension
>     # 0.03 8 May 2000
>     #       Embedded the install notes in for those that don't do manuals
>     # 0.04 9 May 2000
>     #       Check global content-type header.  Efficiency mods to REs
>     # 0.05 9 May 2000
>     #       More minor efficiency mods, doc changes
>     # 0.06 20 June 2000
>     #       Added extension handling - thx to Douglas Gray Stephens & Jeff
>     Carnahan
>     # 0.07 19 July 2000
>     #       Latest MS Outhouse bug catching
>     # 0.08 19 July 2000
>     #       Changed trigger length to 80 chars, fixed some spelling
>     # 0.09 29 September 2000
>     #       More extensions... its getting so we should just allow 2 or 3
>     through
>     # 0.10 18 January 2001
>     #       Removed exclusion for error messages - this is a little nasty
>     #       since it has other side effects, hence we do still exclude
>     #       on unix like error messages
>     # 0.11 20 March, 2001
>     #       Added CMD extension, tidied docs slightly, added RCS tag
>     #       ** Missed changing version number at top of file :-(
>     # 0.12 10 May, 2001
>     #       Added HTA extension
>     # 0.13 22 May, 2001
>     #       Reformatted regexps and code to build them so that they are
>     #       shorter than the limits on pre exim 3.20 filters.  This will
>     #       make them significantly less efficient, but I am getting so
>     #       many queries about this that requiring 3.2x appears
>     unsupportable.
>     # 0.14 15 August,2001
>     #       Added .lnk extension - most requested item :-)
>     #       Reformatted everything so its now built from a set of short
>     #       library files, cutting down on manual duplication.
>     #       Changed \w in filename detection to . - dodges locale problems
>     #       Explicit application of GPL after queries on license status
>     # 0.15 17 August, 2001
>     #       Changed the . in filename detect to \S (stops it going mad)
>     # 0.16 19 September, 2001
>     #       Pile of new extensions including the eml in current use
>     # 0.17 19 September, 2001
>     #       Syntax fix
>     #
>     #### Install Notes
>     #
>     # Exim filters run the exim filter language - a very primitive
>     # scripting language - in place of a user .forward file, or on
>     # a per system basis (on all messages passing through).
>     # The filtering capability is documented in the main set of manuals
>     # a copy of which can be found on the exim web site
>     #       http://www.exim.org/
>     #
>     # To install, copy the filter file (with appropriate permissions)
>     # to /etc/exim/system_filter.exim and add to your exim config file
>     # [location is installation depedant - typicaly /etc/exim/config ]
>     # in the first section the line:-
>     #       message_filter = /etc/exim/system_filter.exim
>     #       message_body_visible = 5000
>     #
>     # You may also want to set the message_filter_user &
>     message_filter_group
>     # options, but they default to the standard exim user and so can
>     # be left untouched.  The other message_filter_* options are only
>     # needed if you modify this to do other functions such as deliveries.
>     # The main exim documentation is quite thorough and so I see no need
>     # to expand it here...
>     #
>     # Any message that matches the filter will then be bounced.
>     # If you wish you can change the error message by editing it
>     # in the section above - however be careful you don't break it.
>     #
>     # After install exim should be restarted - a kill -HUP to the
>     # daemon will do this.
>     #
>     #### LIMITATIONS
>     #
>     # This filter tries to parse MIME with a regexp... that doesn't
>     # work too well.  It will also only see the amount of the body
>     # specified in message_body_visible
>     #
>     #### BASIS
>     #
>     # The regexp that is used to pickup MIME/uuencoded body parts with
>     # quoted filenames is replicated below (in perl format).
>     # You need to remember that exim converts newlines to spaces in
>     # the message_body variable.
>     #
>     #         (?:Content-                                   # start of
>     content header
>     #         (?:Type: (?>\s*)                              # rest of c/t
>     header
>     #           [\w-]+/[\w-]+                               #
>     content-type
>     (any)
>     #           |Disposition: (?>\s*)                       #
>     content-disposition hdr
>     #           attachment)                                 #
>     content-disposition
>     #         ;(?>\s*)                                      # ; space or
>     newline
>     #         (?:file)?name=                                #
>     filename=/name=
>     #         |begin (?>\s+) [0-7]{3,4} (?>\s+))            # begin
>     octal-mode
>     #         (\"[^\"]+\.                                   # quoted
>     filename.
>     #               (?:ad[ep]                               # list of
>     extns
>     #               |ba[st]
>     #               |chm
>     #               |cmd
>     #               |com
>     #               |cpl
>     #               |crt
>     #               |eml
>     #               |exe
>     #               |hlp
>     #               |hta
>     #               |in[fs]
>     #               |isp
>     #               |jse?
>     #               |lnk
>     #               |md[be]
>     #               |ms[cipt]
>     #               |pcd
>     #               |pif
>     #               |reg
>     #               |scr
>     #               |sct
>     #               |shs
>     #               |url
>     #               |vb[se]
>     #               |ws[fhc])
>     #         \"                                            # end quote
>     #         )                                             # end of
>     filename capture
>     #         [\s;]                                         # trailing
>     ;/space/newline

>
>     #
>     #
>     ### [End]

>
>
>
>
>     =========================================================

>
>     --
>     Dział Techniczny
>     Marcin Król

>
>     Domeny, Hosting, Kolokacja, Certyfikaty SSL, Monitoring serwerów ...
>     ------------------------------------------------------------------
>     DOMENY.PL sp. z o.o. ul. Wielicka 50, 30-552 Kraków, Poland
>     tel. +48(12)296 3663, info: +48 501 DOMENY
>     fax. +48(12)296 3664, +48(22)3 987 365
>     e-mail: pomoc@??? <mailto:pomoc@Domeny.pl>, www:
>     http://www.Domeny.pl
>     ------------------------------------------------------------------
>     Komunikator online/ Live Chat:
>     http://live2.domeny.pl/request_email.php?l=phplive&x=1&deptid=2
>     <http://live2.domeny.pl/request_email.php?l=phplive&x=1&deptid=2>

>
>
>
>     --
>     ## List details at http://www.exim.org/mailman/listinfo/exim-users
>     ## Exim details at http://www.exim.org/
>     ## Please use the Wiki with this list -
>     http://www.exim.org/eximwiki/ <http://www.exim.org/eximwiki/>

>
>



--
Dział Techniczny
Marcin Król

Domeny, Hosting, Kolokacja, Certyfikaty SSL, Monitoring serwerów ...
------------------------------------------------------------------
DOMENY.PL sp. z o.o. ul. Wielicka 50, 30-552 Kraków, Poland
tel. +48(12)296 3663, info: +48 501 DOMENY
fax. +48(12)296 3664, +48(22)3 987 365
e-mail: pomoc@???, www: http://www.Domeny.pl
------------------------------------------------------------------
Komunikator online/ Live Chat:
http://live2.domeny.pl/request_email.php?l=phplive&x=1&deptid=2