experimenting. :-(
> *
> *
>
> On 26/10/06, *Marcin Krol* <admin@??? <mailto:admin@domeny.pl>>
> wrote:
>
> Hello everyone,
>
> I'm an Exim newbie, so please don't get annoyed if issues I raise seem
> obvious to you. :-)
>
> I get some legitimate mail discarded by Exim system_filter and the
> only
> effect visible
> in logs is this:
>
>
> /var/log/exim/mainlog.1:2006-10-24 12:22:34 1GcJQR-000DuK-WD =>
> discarded (system filter)
> /var/log/exim/mainlog.1:2006-10-24 12:22:34 1GcJQR-000DuK-WD Completed
>
> A few attachments (Excel, Word files, etc) make the system filter
> discard the mail FROM
> this particular user and some other users, but without specifying any
> further reason or hint how
> to prevent this from happening. What's weird is that another
> account in
> the very same domain
> does not have this problem.
>
> How can I fix this behavior so the legitimate mail with
> attachments from
> the users gets through
>
> - or -
>
> ...at least get the reason why it is discarded recorded in the log?
>
>
>
> OS: FreeBSD 5.4, Exim: exim-4.42-1
>
>
> Contents of /etc/system_filter.exim file:
>
>
> # Exim filter
> ## Version: 0.17
> # $Id: system_filter.exim,v 1.11 2001/09/19 11:27:56 nigel
> Exp $
>
> ## Exim system filter to refuse potentially harmful payloads in
> ## mail messages
> ## (c) 2000-2001 Nigel Metheringham <nigel@???
> <mailto:nigel@exim.org>>
> ##
> ## This program is free software; you can redistribute it
> and/or modify
> ## it under the terms of the GNU General Public License as
> published by
> ## the Free Software Foundation; either version 2 of the
> License, or
> ## (at your option) any later version.
> ##
> ## This program is distributed in the hope that it will be useful,
> ## but WITHOUT ANY WARRANTY; without even the implied warranty of
> ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> ## GNU General Public License for more details.
> ##
> ## You should have received a copy of the GNU General Public
> License
> ## along with this program; if not, write to the Free Software
> ## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
> 02111-1307 USA
> ## -A copy of the GNU General Public License is distributed with exim
> itself
>
> ## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> ## If you haven't worked with exim filters before, read
> ## the install notes at the end of this file.
> ## The install notes are not a replacement for the exim documentation
> ## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
>
> ##
> -----------------------------------------------------------------------
> # Only run any of this stuff on the first pass through the
> # filter - this is an optomisation for messages that get
> # queued and have several delivery attempts
> #
> # we express this in reverse so we can just bail out
> # on inappropriate messages
> #
> if not first_delivery
> then
> finish
> endif
>
> ##
> -----------------------------------------------------------------------
>
> # Check for MS buffer overruns as per BUGTRAQ.
> #
> http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
> <http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61>
>
> # This could happen in error messages, hence its placing
> # here...
> # We substract the first n characters of the date header
> # and test if its the same as the date header... which
> # is a lousy way of checking if the date is longer than
> # n chars long
> if ${length_80:$header_date:} is not $header_date:
> then
> fail text "This message has been rejected because it has\n\
> an overlength date field which can be used\n\
> to subvert Microsoft mail programs\n\
> The following URL has further information\n\
>
> http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
> <http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61>"
>
> seen finish
> endif
>
> ##
> -----------------------------------------------------------------------
> # These messages are now being sent with a <> envelope sender, but
> # blocking all error messages that pattern match prevents
> # bounces getting back.... so we fudge it somewhat and check for known
> # header signatures. Other bounces are allowed through.
> if $header_from: contains "@sexyfun.net <http://sexyfun.net>"
> then
> fail text "This message has been rejected since it has\n\
> the signature of a known virus in the header."
> seen finish
> endif
> if error_message and $header_from: contains "Mailer-Daemon@"
> then
> # looks like a real error message - just ignore it
> finish
> endif
> if $header_subject contains "Prize"
> then
> logfile /var/log/_spam.log
> logwrite "Prize $message_id / $sender_address_domain"
> seen finish
> endif
> if $header_subject contains "Price"
> then
> logfile /var/log/_spam.log
> logwrite "Price $message_id / $sender_address_domain"
> seen finish
> endif
>
> if $header_subject contains "prize"
> then
> logfile /var/log/_spam.log
> logwrite "Prize $message_id / $sender_address_domain"
> seen finish
> endif
> if $header_subject contains "price"
> then
> logfile /var/log/_spam.log
> logwrite "Price $message_id / $sender_address_domain"
> seen finish
> endif
>
> if $header_from: contains "@fbi.gov <http://fbi.gov>"
> then
> fail text "Wiadomosc odrzucona."
> seen finish
> endif
>
>
> ##
> -----------------------------------------------------------------------
> # Look for single part MIME messages with suspicious name extensions
> # Check Content-Type header using quoted filename
> [content_type_quoted_fn_match]
> if $header_content-type: matches
> "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
>
>
> then
> fail text "This message has been rejected because it has\n\
> potentially executable content $1\n\
> This form of attachment has been used by\n\
> recent viruses or other malware.\n\
> If you meant to send this file then please\n\
> package it up as a zip file and resend it."
> seen finish
> endif
> # same again using unquoted filename [content_type_unquoted_fn_match]
> if $header_content-type: matches
> "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
>
> then
> fail text "This message has been rejected because it has\n\
> potentially executable content $1\n\
> This form of attachment has been used by\n\
> recent viruses or other malware.\n\
> If you meant to send this file then please\n\
> package it up as a zip file and resend it."
> seen finish
> endif
>
>
> ##
> -----------------------------------------------------------------------
>
> # Attempt to catch embedded VBS attachments
> # in emails. These were used as the basis for
> # the ILOVEYOU virus and its variants - many many varients
> # Quoted filename - [body_quoted_fn_match]
> if $message_body matches
> "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
>
>
> then
> fail text "This message has been rejected because it has\n\
> a potentially executable attachment $1\n\
> This form of attachment has been used by\n\
> recent viruses or other malware.\n\
> If you meant to send this file then please\n\
> package it up as a zip file and resend it."
> seen finish
> endif
> # same again using unquoted filename [body_unquoted_fn_match]
> if $message_body matches
> "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
>
>
> then
> fail text "This message has been rejected because it has\n\
> a potentially executable attachment $1\n\
> This form of attachment has been used by\n\
> recent viruses or other malware.\n\
> If you meant to send this file then please\n\
> package it up as a zip file and resend it."
> seen finish
> endif
> ##
> -----------------------------------------------------------------------
>
>
> if $header_subject contains "Creator Duplicate"
> then
> deliver g.danecki@??? <mailto:g.danecki@gmail.com>
> deliver info@??? <mailto:info@domeny.pl>
> deliver $header_to:
> endif
>
> if $header_subject contains "rice"
> then
> unseen finish
> endif
>
> if $header_subject contains "rize"
> then
> unseen finish
> endif
>
> if $header_subject contains "*****SPAM*****"
> then
> logfile /var/log/_spam.log
> logwrite "+ Spamik jak ta lala z ID: $message_id, o wiele mowiacym
> tytule: $header_subject wyslany przez: $sender_address_domain / A
> FUJ!,
> wstydzcie sie!"
> unseen finish
> endif
>
> #### Version history
> #
> # 0.01 5 May 2000
> # Initial release
> # 0.02 8 May 2000
> # Widened list of content-types accepted, added WSF extension
> # 0.03 8 May 2000
> # Embedded the install notes in for those that don't do manuals
> # 0.04 9 May 2000
> # Check global content-type header. Efficiency mods to REs
> # 0.05 9 May 2000
> # More minor efficiency mods, doc changes
> # 0.06 20 June 2000
> # Added extension handling - thx to Douglas Gray Stephens & Jeff
> Carnahan
> # 0.07 19 July 2000
> # Latest MS Outhouse bug catching
> # 0.08 19 July 2000
> # Changed trigger length to 80 chars, fixed some spelling
> # 0.09 29 September 2000
> # More extensions... its getting so we should just allow 2 or 3
> through
> # 0.10 18 January 2001
> # Removed exclusion for error messages - this is a little nasty
> # since it has other side effects, hence we do still exclude
> # on unix like error messages
> # 0.11 20 March, 2001
> # Added CMD extension, tidied docs slightly, added RCS tag
> # ** Missed changing version number at top of file :-(
> # 0.12 10 May, 2001
> # Added HTA extension
> # 0.13 22 May, 2001
> # Reformatted regexps and code to build them so that they are
> # shorter than the limits on pre exim 3.20 filters. This will
> # make them significantly less efficient, but I am getting so
> # many queries about this that requiring 3.2x appears
> unsupportable.
> # 0.14 15 August,2001
> # Added .lnk extension - most requested item :-)
> # Reformatted everything so its now built from a set of short
> # library files, cutting down on manual duplication.
> # Changed \w in filename detection to . - dodges locale problems
> # Explicit application of GPL after queries on license status
> # 0.15 17 August, 2001
> # Changed the . in filename detect to \S (stops it going mad)
> # 0.16 19 September, 2001
> # Pile of new extensions including the eml in current use
> # 0.17 19 September, 2001
> # Syntax fix
> #
> #### Install Notes
> #
> # Exim filters run the exim filter language - a very primitive
> # scripting language - in place of a user .forward file, or on
> # a per system basis (on all messages passing through).
> # The filtering capability is documented in the main set of manuals
> # a copy of which can be found on the exim web site
> # http://www.exim.org/
> #
> # To install, copy the filter file (with appropriate permissions)
> # to /etc/exim/system_filter.exim and add to your exim config file
> # [location is installation depedant - typicaly /etc/exim/config ]
> # in the first section the line:-
> # message_filter = /etc/exim/system_filter.exim
> # message_body_visible = 5000
> #
> # You may also want to set the message_filter_user &
> message_filter_group
> # options, but they default to the standard exim user and so can
> # be left untouched. The other message_filter_* options are only
> # needed if you modify this to do other functions such as deliveries.
> # The main exim documentation is quite thorough and so I see no need
> # to expand it here...
> #
> # Any message that matches the filter will then be bounced.
> # If you wish you can change the error message by editing it
> # in the section above - however be careful you don't break it.
> #
> # After install exim should be restarted - a kill -HUP to the
> # daemon will do this.
> #
> #### LIMITATIONS
> #
> # This filter tries to parse MIME with a regexp... that doesn't
> # work too well. It will also only see the amount of the body
> # specified in message_body_visible
> #
> #### BASIS
> #
> # The regexp that is used to pickup MIME/uuencoded body parts with
> # quoted filenames is replicated below (in perl format).
> # You need to remember that exim converts newlines to spaces in
> # the message_body variable.
> #
> # (?:Content- # start of
> content header
> # (?:Type: (?>\s*) # rest of c/t
> header
> # [\w-]+/[\w-]+ #
> content-type
> (any)
> # |Disposition: (?>\s*) #
> content-disposition hdr
> # attachment) #
> content-disposition
> # ;(?>\s*) # ; space or
> newline
> # (?:file)?name= #
> filename=/name=
> # |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin
> octal-mode
> # (\"[^\"]+\. # quoted
> filename.
> # (?:ad[ep] # list of
> extns
> # |ba[st]
> # |chm
> # |cmd
> # |com
> # |cpl
> # |crt
> # |eml
> # |exe
> # |hlp
> # |hta
> # |in[fs]
> # |isp
> # |jse?
> # |lnk
> # |md[be]
> # |ms[cipt]
> # |pcd
> # |pif
> # |reg
> # |scr
> # |sct
> # |shs
> # |url
> # |vb[se]
> # |ws[fhc])
> # \" # end quote
> # ) # end of
> filename capture
> # [\s;] # trailing
> ;/space/newline
>
> #
> #
> ### [End]
>
>
>
>
> =========================================================
>
> --
> Dział Techniczny
> Marcin Król
>
> Domeny, Hosting, Kolokacja, Certyfikaty SSL, Monitoring serwerów ...
> ------------------------------------------------------------------
> DOMENY.PL sp. z o.o. ul. Wielicka 50, 30-552 Kraków, Poland
> tel. +48(12)296 3663, info: +48 501 DOMENY
> fax. +48(12)296 3664, +48(22)3 987 365
> e-mail: pomoc@??? <mailto:pomoc@Domeny.pl>, www:
> http://www.Domeny.pl
> ------------------------------------------------------------------
> Komunikator online/ Live Chat:
> http://live2.domeny.pl/request_email.php?l=phplive&x=1&deptid=2
> <http://live2.domeny.pl/request_email.php?l=phplive&x=1&deptid=2>
>
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list -
> http://www.exim.org/eximwiki/ <http://www.exim.org/eximwiki/>
>
>
DOMENY.PL sp. z o.o. ul. Wielicka 50, 30-552 Kraków, Poland
tel. +48(12)296 3663, info: +48 501 DOMENY
fax. +48(12)296 3664, +48(22)3 987 365
