Re: [exim] Viruses

Author: Lena
To: exim-users
Subject: Re: [exim] Viruses
> From: John McMurray

> This works well for zip files but it seems to be ignoring rar files.
> I've checked and double-checked that both unzip and unrar are at the
> locations that exim expects them to be at and that both unzip and unrar
> do actually work.

> >> UNZIP = /usr/bin/unzip
> >> UNRAR = /usr/local/bin/unrar
> >> deny set acl_m_att = ${if match{$mime_filename}{\N(?i)\.(zip|rar)$\N}{$1}}
> >>   condition = ${if def:acl_m_att}
> >>   message = A .$acl_m_att attachment contains a Windows-executable file
> >>   decode = default
> >>   log_message = forbidden binary in attachment: filename=$mime_filename, \
> >>                 recipients=$recipients
> >>   condition = ${if match{${run{${if eqi{$acl_m_att}{zip}\
> >>                            {UNZIP -l}{UNRAR l}} $mime_decoded_filename}}}\
> >>                         {\N(?i)\n .+\.(zip|rar|exe|com|vbs|bat|pif|scr|vb\
> >>      |js|cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys|btm|dat|msi|prf|hta)\n\N}}
I don't know what went wrong. Can you save a .rar attachment and run this?

/usr/local/bin/unrar l FILENAME.rar | hd | less

Is the filename shown? Does the string with the filename begin with a blank (20)?

unrar under FreeBSD cannot show the filename of the file inside the archive
if the filename contains Russian characters (in the cp866 charset).
Another archiver, 7-Zip (7z), can list the contents of various archives
(zip, rar and others). Virus authors reckon that the targets/victims
have 7-Zip installed on Windows.
Under FreeBSD, 7z shows question marks instead of Russian characters.
The idea of using 7z for virus filtering in Exim was proposed (by Yura Scheglyuk)
and discussed on the Russian Exim-users list (mailground.net).

# macro definitions; they must come before "begin acl"
P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs
# more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
BINFORBIDDEN = Windows-executable attachments forbidden
begin acl
acl_check_mime:
  # a MIME part that is itself a Windows executable, by content-type or by filename
  deny message = BINFORBIDDEN
       log_message = forbidden attachment: filename=$mime_filename, \
                     content-type=$mime_content_type, recipients=$recipients
       condition = ${if or{\
                           {match{$mime_content_type}{(?i)executable}}\
                           {match{$mime_filename}{\N(?i)\.(WINBIN)$\N}}\
                          }}

  # a small archive (by content-type or by filename): decode it to a file and let 7z list it;
  # each entry line of "7z l" starts with the year of the Date column, so [12] anchors on entries only
  deny message = Compressed BINFORBIDDEN
       condition = ${if or{\
                           {match{$mime_content_type}{(?i)application/\
                                     (octet-stream|x(-zip)?-compressed|zip)}}\
                           {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                          }}
       condition = ${if <{$message_size}{1500K}}
       decode = default
       log_message = forbidden binary in attachment: filename=$mime_filename, \
                     recipients=$recipients
       condition = ${if match{${run{P7ZIP l $mime_decoded_filename}}}\
                             {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

accept
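The last condition above is just a regex over the text that `7z l` prints. The following is an added example (not part of the post or of Exim) that applies the same pattern, with the same WINBIN/COMPREXT macros, to constructed `7z l` listings, so you can see what it catches: an entry whose name 7z renders as question marks still matches (only the extension matters), a nested archive matches, and a name like `notes.exe.txt` does not. The listing layout is a constructed imitation of p7zip's output.

```python
import re

# Alternations copied from the WINBIN and COMPREXT macros in the ACL above.
WINBIN = "exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs"
COMPREXT = "zip|rar|7z|arj|bz2|gz|uue|xz|z"

# Same pattern as the ACL condition: an entry line starts with the year's
# first digit of the Date column and its Name column ends in a forbidden extension.
FORBIDDEN_RE = re.compile(r"(?i)\n[12].+\.(" + COMPREXT + "|" + WINBIN + r")\n")

# Constructed header/footer imitating "7z l"; not captured from a real run.
RULE = "------------------- ----- ------------ ------------  ------------------------\n"
HEADER = "   Date      Time    Attr         Size   Compressed  Name\n" + RULE
FOOTER = RULE + "                                 1024          512  1 files, 0 folders\n"


def fake_7z_listing(entries):
    """Build constructed 'Listing archive' text for (attr, name) pairs."""
    rows = "".join(
        f"2007-09-05 12:00:00 {attr:5s} {1024:12d} {512:12d}  {name}\n"
        for attr, name in entries
    )
    return "Listing archive: sample\n\n" + HEADER + rows + FOOTER


def forbidden_entry(listing):
    """Return the offending entry line (what the ACL's match would hit), or None."""
    m = FORBIDDEN_RE.search(listing)
    return m.group(0).strip() if m else None


if __name__ == "__main__":
    samples = {
        "garbled cp866 name": [("....A", "????????.exe")],
        "nested archive": [("....A", "inner.zip"), ("D....", "docs")],
        "double extension": [("....A", "notes.exe.txt")],
        "clean": [("....A", "invoice.pdf")],
    }
    for label, entries in samples.items():
        print(f"{label}: {forbidden_entry(fake_7z_listing(entries))}")
```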