[exim] an antivirus for zero-day :)

Top Page
Delete this message
Reply to this message
Author: Lena
Date:  
To: exim-users
Old-Topics: Re: [exim] Exim4 skips SpamAssassin if attachments are too big
Subject: [exim] an antivirus for zero-day :)
> From: Paul Lenz <paul@???>

> > > I wrote a plugin for Spamassassin which unzips every attachement and
> > > (IMHO very important) unzips every MS Office file (xlsx, xlsm, docx) and
> > > looks for strings like "rundll32" or "This program cannot be run in DOS
> > > mode" and some others.


Which exactly others?

> > Good idea (about Office files). Perhaps I can replicate this
> > in Exim without SpamAssassin if you send me your code or a link to it.
>
> How can you use my code? It is written im Perl. As I understand you, you
> can write only rules for Exim, but you can not write executable code,
> can you?


Exim has ${run expansion item.

The part about Office files not tested:

P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
GREP = /usr/bin/grep
SHELL = /bin/sh
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
check_rfc2047_length = false
acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
  deny message = BINFORBIDDEN
       log_message = forbidden attachment: filename=$mime_filename, \
                     content-type=$mime_content_type, recipients=$recipients
       condition = ${if or{\
                {match{$mime_content_type}\
                      {(?i)executable|application/x-ace-compressed}}\
                {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
                          }}


  deny message = Compressed BINFORBIDDEN
       condition = ${if or{\
                           {match{$mime_content_type}{(?i)application/\
                                     (octet-stream|x(-zip)?-compressed|zip)}}\
                           {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                          }}
       condition = ${if <{$message_size}{1500K}}
       decode = default
       log_message = forbidden binary in attachment: filename=$mime_filename, \
                     recipients=$recipients
       condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
                             {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}


  deny message = Windows-executable inside an Office file attachment
       condition = ${if or{\
         {match{$mime_content_type}{(?i)openxmlformats-officedocument}}\
         {match{$mime_filename}{\N(?i)\.(doc|xls|ppt)(x|m)$\N}}\
                          }}
       decode = default
       log_message = forbidden binary in Office file attachment: \
                     filename=$mime_filename, recipients=$recipients
       condition = ${if eq{$run{SHELL -c \
         "cd ${sg{$mime_decoded_filename}{[^/]+\\$}{}}; \
          P7ZIP x -y $mime_decoded_filename; \
          GREP -r -a -s -E \
           'rundll32|This program cannot be run in DOS mode' \
           *"}{1}{0}}{1}}


accept