> From: Paul Lenz <paul@???>
> > > I wrote a plugin for Spamassassin which unzips every attachment and
> > > (IMHO very important) unzips every MS Office file (xlsx, xlsm, docx) and
> > > looks for strings like "rundll32" or "This program cannot be run in DOS
> > > mode" and some others.
Which others, exactly?
> > Good idea (about Office files). Perhaps I can replicate this
> > in Exim without SpamAssassin if you send me your code or a link to it.
>
> How can you use my code? It is written in Perl. As I understand you, you
> can write only rules for Exim, but you can not write executable code,
> can you?
Exim has the ${run ...} expansion item.
The part about Office files is not tested:
# Paths of the archiver, grep and shell used by the ${run ...} items below
P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
GREP = /usr/bin/grep
SHELL = /bin/sh
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z

check_rfc2047_length = false
acl_smtp_mime = acl_check_mime

begin acl

acl_check_mime:
  # 1. Executable content-type, or an executable file name, possibly with
  #    compression suffixes appended (e.g. invoice.exe.gz)
  deny message = BINFORBIDDEN
       log_message = forbidden attachment: filename=$mime_filename, \
         content-type=$mime_content_type, recipients=$recipients
       condition = ${if or{\
                     {match{$mime_content_type}\
                       {(?i)executable|application/x-ace-compressed}}\
                     {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
                   }}

  # 2. Archive attachments: list the archive with 7z and deny when any entry
  #    has an executable or archive extension. The size guard keeps big
  #    archives from being decoded and listed on every message.
  deny message = Compressed BINFORBIDDEN
       condition = ${if or{\
                     {match{$mime_content_type}{(?i)application/\
                       (octet-stream|x(-zip)?-compressed|zip)}}\
                     {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                   }}
       condition = ${if <{$message_size}{1500K}}
       decode = default
       log_message = forbidden binary in attachment: filename=$mime_filename, \
         recipients=$recipients
       # 7z listing lines start with the date (year 1xxx or 2xxx) and end with
       # the member name; match on the extension at the end of the line
       condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
                     {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

  # 3. Office Open XML files (docx/xlsx/pptx and the macro-enabled
  #    docm/xlsm/pptm) are zip containers: unpack into the decode directory
  #    and grep the members for strings typical of a Windows executable.
  #    Unlike rule 2, this rule has no $message_size guard.
  deny message = Windows-executable inside an Office file attachment
       condition = ${if or{\
                     {match{$mime_content_type}{(?i)openxmlformats-officedocument}}\
                     {match{$mime_filename}{\N(?i)\.(doc|xls|ppt)(x|m)$\N}}\
                   }}
       decode = default
       log_message = forbidden binary in Office file attachment: \
         filename=$mime_filename, recipients=$recipients
       # ${run{...}{1}{0}} yields 1 when the shell command exits 0, i.e. when
       # grep found a match. The sg regex is wrapped in \N...\N so that its
       # trailing $ anchor is not treated as a variable reference by Exim.
       condition = ${if eq{${run{SHELL -c \
                     "cd ${sg{$mime_decoded_filename}{\N[^/]+$\N}{}}; \
                      P7ZIP x -y $mime_decoded_filename; \
                      GREP -r -a -s -E \
                        'rundll32|This program cannot be run in DOS mode' \
                        *"}{1}{0}}{1}}

  accept
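An added example, not from this thread, Paul's plugin or the Exim rule above: the Office-file check done directly in Python on the OOXML zip container, which also applies the archive rule's 1500K guard per zip member and checks member names against the same extension lists. The function names scan_office_file and build_sample are my own, and the docx-like file that build_sample produces is a constructed sample carrying a fake PE stub, not a real executable.

```python
import io
import re
import zipfile

# Strings the Exim rule above greps for in the unpacked Office file
# (an OOXML .docx/.xlsx/.pptx is an ordinary zip container).
SUSPICIOUS_CONTENT = re.compile(rb"rundll32|This program cannot be run in DOS mode")
# Member names that the 7z-listing rule for archives would flag.
SUSPICIOUS_NAME = re.compile(
    r"\.(exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace|zip|rar|7z|arj|bz2|gz|uue|xz|z)$",
    re.IGNORECASE)
MAX_MEMBER_BYTES = 1500 * 1024   # same 1500K guard the archive rule uses, per member


def scan_office_file(data: bytes) -> list:
    """Return the reasons to reject the file; an empty list means clean.

    Each member is read only up to MAX_MEMBER_BYTES + 1, so a tiny but highly
    compressed member cannot exhaust memory during the check."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip container, so not a valid OOXML document"]
    for info in archive.infolist():
        if SUSPICIOUS_NAME.search(info.filename):
            findings.append(f"{info.filename}: executable or archive member name")
        with archive.open(info) as member:
            chunk = member.read(MAX_MEMBER_BYTES + 1)
        if len(chunk) > MAX_MEMBER_BYTES:
            findings.append(f"{info.filename}: member larger than 1500K, not scanned")
            continue
        hit = SUSPICIOUS_CONTENT.search(chunk)
        if hit:
            findings.append(f"{info.filename}: contains {hit.group().decode()!r}")
    return findings


def build_sample(embed_executable: bool) -> bytes:
    """Constructed test input: a minimal docx-like zip, optionally carrying a
    fake PE stub (just the MZ magic and the DOS-stub text, not a program)
    under word/embeddings/, where embedded OLE objects live in real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>hello</w:document>")
        if embed_executable:
            stub = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
            z.writestr("word/embeddings/oleObject1.bin", stub)
    return buf.getvalue()
```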