Re: [exim] Viruses

Author: John McMurray
Date:  
To: nb, Exim
Subject: Re: [exim] Viruses
Hi Nb, Lena,

@Lena, I've implemented the code on a CentOS 6 server running Exim
version 4.80.1 #29 built 10-Oct-2013 02:16:32

This works well for zip files but it seems to be ignoring rar files.
I've checked and double-checked that both unzip and unrar are at the
locations that exim expects them to be at and that both unzip and unrar
do actually work.

Do you have any thoughts on how I can check what's going on?

Thank you,

John McMurray


On 14/03/2016 22:43, nb wrote:
> Thanks Lena.
> As usual, your advice is good.
> Your code works perfectly.
>
> One thing strange however, there are two "550" strings included in the message.
> How do you explain this?
> Here’s the message generated:
>
> <nb@???>: host colibri.dagami.org[51.255.40.59] said: 550-A .zip
>      attachment contains a Windows-executable file - blocked because we 550 are
>      afraid of new viruses not recognized [yet] by antiviruses. (in reply to end
>      of DATA command)
>
> Regards
>
> nb
>
>
>> On 14 March 2016 at 16:01, Lena@??? wrote:
>>
>>> From: nb@???
>>> I'm receiving many spams my antivirus doesn't detect.
>> UNZIP = /usr/bin/unzip
>> UNRAR = /usr/local/bin/unrar
>> acl_smtp_mime = acl_check_mime
>> begin acl
>> acl_check_mime:
>>   deny message = Windows-executable attachments forbidden
>>        condition = ${if def:sender_host_address}
>>        !authenticated = *
>>        log_message = forbidden attachment: filename=$mime_filename, \
>>              content-type=$mime_content_type, recipients=$recipients
>>        condition = ${if or{\
>>                {match{$mime_content_type}{(?i)executable}}\
>>                {match{$mime_filename}{\N(?i)\.(exe|com|vbs|bat|\
>>    pif|scr|hta|js|cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys|btm|dat|msi|prf|vb)$\N}}\
>>               }}
>>
>>   deny set acl_m_att = ${if match{$mime_filename}{\N(?i)\.(zip|rar)$\N}{$1}}
>>        condition = ${if def:acl_m_att}
>>        message = A .$acl_m_att attachment contains a Windows-executable file \
>>                  - blocked because we are afraid of new viruses \
>>                  not recognized [yet] by antiviruses.
>>        condition = ${if def:sender_host_address}
>>        !authenticated = *
>>        decode = default
>>        log_message = forbidden binary in attachment: filename=$mime_filename, \
>>                      recipients=$recipients
>>        condition = ${if match{${run{${if eqi{$acl_m_att}{zip}\
>>                                 {UNZIP -l}{UNRAR l}} $mime_decoded_filename}}}\
>>                              {\N(?i)\n .+\.(zip|rar|exe|com|vbs|bat|pif|scr|vb\
>>            |js|cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys|btm|dat|msi|prf|hta)\n\N}}
>>
>> accept
>>
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>
>
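
One way to check what the second deny rule in the quoted ACL sees, as an added example that is not part of the original thread: this Python sketch applies that rule's pattern to an archive listing, so real `unrar l` output can be compared with what the pattern requires. Both sample listings are constructed, the function names are hypothetical, and the handling of a non-zero exit status assumes Exim's documented `${run}` behaviour.

```python
import re
import subprocess

# Pattern from the second deny rule of the quoted ACL: a listing line that
# starts with a space and ends with one of the blocked extensions.
EXTS = ("zip|rar|exe|com|vbs|bat|pif|scr|vb|js|cmd|chm|cpl|jsp|reg|vbe|lnk"
        "|dll|sys|btm|dat|msi|prf|hta")
ACL_RE = re.compile(r"(?i)\n .+\.(" + EXTS + r")\n")

def acl_would_block(listing):
    """True if the ACL's match{}{} condition would succeed on this listing."""
    return ACL_RE.search(listing) is not None

def matching_lines(listing):
    """Return the individual listing lines that satisfy the pattern."""
    # Test each line with its own pair of newlines, because adjacent lines
    # share a single "\n" and one search pass cannot reuse it.
    return [ln for ln in listing.split("\n") if ACL_RE.search("\n" + ln + "\n")]

def list_archive(tool_argv, path):
    """Run e.g. ["/usr/local/bin/unrar", "l"] on path and return its output."""
    proc = subprocess.run(tool_argv + [path], stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True)
    # Assumption: ${run} without result strings expands to nothing when the
    # command exits non-zero, so a failing tool can never trigger the rule.
    return proc.stdout if proc.returncode == 0 else ""

# Constructed sample in the layout printed by `unzip -l`: name is last.
ZIP_LISTING = (
    "Archive:  sample.zip\n"
    "  Length      Date    Time    Name\n"
    "---------  ---------- -----   ----\n"
    "     1234  03-14-2016 12:00   invoice.exe\n"
    "---------                     -------\n"
    "     1234                     1 file\n"
)

# Constructed sample of a layout where other columns follow the file name.
NAME_FIRST_LISTING = (
    " Name             Size  Date     Time\n"
    "--------------------------------------\n"
    " invoice.exe      1234  14-03-16 12:00\n"
    "--------------------------------------\n"
)

if __name__ == "__main__":
    for label, text in (("zip", ZIP_LISTING), ("name-first", NAME_FIRST_LISTING)):
        print(label, acl_would_block(text), matching_lines(text))
```

To test a real archive, run `list_archive` as the user Exim runs as and pass the result to `matching_lines`; an empty result means the rule cannot fire on that listing.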