Re: [exim] handle MIME parts in system filter

Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] handle MIME parts in system filter
> From: "ID, pmast" <pmast@???>

> In the battle against phishing attacks, I have implemented an inspection
> queue using the exim system_filter file.
> The filter classifies and freezes suspected phishing messages so that we
> can view, release or delete them.
> The filter is good for plain text, but it does not handle message bodies
> encoded with base64, quoted-printable, etc.
> Can anyone show me a mechanism to decode MIME parts in such a way that
> they can be handled by the system filter?


You can use mime_regex in acl_check_mime instead of the system filter.
Some examples (you can use "accept" instead of "deny", with a
"control = freeze/no_tell" line at the very end of the paragraph):

acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
  deny  message = rejected because recognized as Ukrainian spam (type 2)
        !authenticated = *
        condition = ${if eq{$mime_content_type}{text/html}}
        condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
        mime_regex = \Nhref="?http.//(mailplus.kiev|(marmaer|stopm).com).ua/ :\
                       src="?http.//element-architecture.com/ : \
                       href="?http.//(www.)?radiationsafe.com/ : \
                       href="?http.//(usndr.com|rumailer.ru)/ : \
                       href="http.//[^/\s]*&#\d+; : \
                       href="http.//mailtrackers.(ru|com.ua)/ : \
                       href="http.//(\w+\.)?emailunion.net/


  deny  message = Blocked as Vietnamese spam from gmail
        condition = ${if match{$sender_host_name}\
                              {\N^mail-[\w-]+\.google\.com$\N}}
        condition = ${if eq{$mime_content_type}{text/plain}}
        condition = ${if eqi{$mime_charset}{UTF-8}}
        mime_regex = \N([\x01-\x7f](\xe1(\xba[\xa1-\xa3\xa5\xa6\xa8\xab\xad\xb6\xbe\xbf]|\xbb[\x81\x82\x85-\x87\x89-\x92\x97\x99-\x9c\xaa\xab\xad\xb0\xb1])|\xc3[\xaa\xa2\xb4]\xcc[\x81\x83\x89])[\x01-\x7f].*?){3}


  deny  message = A .zip attachment contains a Windows-executable file - \
                  blocked because we are afraid of new viruses \
                  not recognized [yet] by antiviruses.
        condition = ${if match{$mime_filename}{\N(?i)\.zip$\N}}
        condition = ${if def:sender_host_address}
        !authenticated = *
        decode = default
        log_message = forbidden binary in attachment: filename=$mime_filename, \
                      recipients=$recipients
        condition = ${if match{${run{/usr/local/bin/unzip -l \
                                     $mime_decoded_filename}}}\
                              {\N(?i)\.(exe|com|vbs|bat|pif|scr|hta|js\
                              |cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys|btm|dat|msi|prf|vb)\n\N}}


accept
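The same kind of inspection the ACL above performs, written as a stand-alone Python checker added here for illustration (it is not code from this thread and not Exim code): it decodes base64 and quoted-printable MIME parts with the standard library, matches one href pattern from the first rule, and lists a .zip attachment the way the unzip rule does. The sample message, its example.invalid addresses and the zip contents are constructed; the returned list is the set of reasons an equivalent "control = freeze" rule would log.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Same extension list as the unzip rule in the ACL above.
EXEC_EXT = re.compile(r'(?i)\.(exe|com|vbs|bat|pif|scr|hta|js|cmd|chm|cpl|jsp'
                      r'|reg|vbe|lnk|dll|sys|btm|dat|msi|prf|vb)$')
# First href entry above; the ACL spells the colon as "." because ":" separates Exim list items.
PHISH_HREF = re.compile(r'href="?http://(mailplus\.kiev|(marmaer|stopm)\.com)\.ua/', re.I)

def inspect_message(raw: bytes) -> list:
    """Return the reasons to freeze a message; an empty list means deliver."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue                                # containers carry no body of their own
        payload = part.get_payload(decode=True)     # undoes base64 / quoted-printable
        ctype = part.get_content_type()
        fname = part.get_filename() or ''
        if ctype == 'text/html':
            text = payload.decode(part.get_content_charset() or 'utf-8', 'replace')
            if PHISH_HREF.search(text):
                reasons.append('phishing href in text/html part')
        if fname.lower().endswith('.zip'):
            try:
                names = zipfile.ZipFile(io.BytesIO(payload)).namelist()
            except zipfile.BadZipFile:
                reasons.append('unreadable zip attachment %s' % fname)
                continue
            bad = [n for n in names if EXEC_EXT.search(n)]
            if bad:
                reasons.append('executable in %s: %s' % (fname, ', '.join(bad)))
    return reasons

def build_sample() -> bytes:
    """Constructed test message: base64-encoded HTML body plus a zip holding an .exe."""
    m = EmailMessage()
    m.set_content('plain text fallback')
    m.add_alternative('<a href="http://stopm.com.ua/login">verify</a>',
                      subtype='html', cte='base64')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('invoice.pdf.exe', b'MZ not really a program')   # constructed payload
    m.add_attachment(buf.getvalue(), maintype='application',
                     subtype='zip', filename='invoice.zip')
    return m.as_bytes()
```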