# based on Exim filter ## Version: 0.10 # Based on system_filter from Nigel, many modifications by Marc MERLIN # ## If you haven't worked with exim filters before, read ## the install notes at the end of this file. # # Only run any of this stuff on the first pass through the # filter - this is an optimisation for messages that get # queued and have several delivery attempts # # we express this in reverse so we can just bail out # on inappropriate messages # if not first_delivery then finish endif ############################################################################ # # # If spammers are nice enough to tell us, junk their mail # # # ############################################################################ # This was meant to bounce mail from incorrectly configured internal hosts, # but it happens to catch a lot of spam too. Go figure... -- Marc if $header_message-id matches "<[^>]+@>" then logfile /var/log/exim/nullmesgidbouncedemail.log 0600 logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers" save /var/spool/exim4/rejects/nullmesgidbouncedemail 0644 if not error_message then fail text "Sorry, but your message-ID is broken, apparently because your\n\ hostname isn't set right\n\ You need to fix this before you can send us mail.\n" endif seen finish endif ############################################################################ # # # Virus and overflow checks # # # ############################################################################ # Check for MS buffer overruns as per BUGTRAQ. # http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61 # This could happen in error messages, hence its placing # here... # We substract the first n characters of the date header # and test if its the same as the date header... which # is a lousy way of checking if the date is longer than # n chars long if ${length_160:$header_date:} is not $header_date: then save /var/spool/exim4/rejects/datefield 0644 if not error_message then fail text "This message has been rejected because it has\n\ an overlength date field which can be used\n\ to subvert Microsoft mail programs\n\ The following URL has further information\n\ http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61" endif seen finish endif # looks like a real error message - just ignore it (if header_from isn't # mailer-daemon, we bounce the message if it's determined as a virus further # down). # Basically you can't just bounce back an error message otherwise it can create # a loop # You should edit this to add your domain name here -------v if error_message and $header_from: contains "Mailer-Daemon@" then finish endif # Sircam virus. Very cheasy and cheap signature if "$message_body" contains "Hi! How are you" and "$message_body" contains "See you later" then save /var/spool/exim4/rejects/rejectedsircamvirus 0644 logfile /var/log/exim/rejectedsircamvirus.log 0644 logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers" if not error_message then fail text "This message has been rejected because your message\n\ looks like you are infected by the Sircam Virus and you\n\ are spamming us and wasting our resources as a result\n\ and your system is spamming us because you are infected.\n\ If you have to use windows, you should at least not\n\ use outlook.\n\ It is inherently insecure;\n\ you are generating lots of wasted bandwidth, as well as\n\ support headackes by using it, and you are jeopardizing\n\ your own files and data at the same time\n\ Please seriously consider using another mail client\n\n\ In the event you were discussing virus signatures, please\n\ escape them so as not to trip this filter" endif seen finish endif # Klez virus. Very cheasy and cheap signature if "$message_body" contains "" and "$message_body" contains "Content-Type: audio/x-" then save /var/spool/exim4/rejects/rejectedklezvirus 0644 logfile /var/log/exim/rejectedklezvirus.log 0644 logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers" if not error_message then fail text "This message has been rejected because your message\n\ looks like you are infected by the Klez Virus and you\n\ are spamming us and wasting our resources as a result\n\ and your system is spamming us because you are infected.\n\ If you have to use windows, you should at least not\n\ use outlook.\n\ It is inherently insecure;\n\ you are generating lots of wasted bandwidth, as well as\n\ support headackes by using it, and you are jeopardizing\n\ Please seriously consider using another mail client\n\n\ In the event you were discussing virus signatures, please\n\ escape them so as not to trip this filter" endif seen finish endif # Look for single part MIME messages with suspicious name extensions # Check Content-Type header using quoted filename [content_type_quoted_fn_match] if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")" then save /var/spool/exim4/rejects/mimeattachement 0644 logfile /var/log/exim/rejectedmimeattachement.log 0644 logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers" if not error_message then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it.\n\ If you didn't mean to send this file, and you are\n\ using microsoft outlook, you are probably infected.\n\ Please stop using outlook, it is inherently insecure\n\ and you are generating lots of wasted bandwidth and\n\ support headackes by using it, and you are jeopardizing\n\ your files and your data\n\ Please seriously consider using another mail client" endif seen finish endif # same again using unquoted filename [content_type_unquoted_fn_match] if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))" then save /var/spool/exim4/rejects/mimeattachement 0644 logfile /var/log/exim/rejectedmimeattachement.log 0644 logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers" if not error_message then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it.\n\ If you didn't mean to send this file, and you are\n\ using microsoft outlook, you are probably infected.\n\ Please stop using outlook, it is inherently insecure\n\ and you are generating lots of wasted bandwidth and\n\ support headackes by using it, and you are jeopardizing\n\ your files and your data\n\ Please seriously consider using another mail client" endif seen finish endif # Attempt to catch embedded VBS attachments # in emails. These were used as the basis for # the ILOVEYOU virus and its variants - many many varients # Quoted filename - [body_quoted_fn_match] if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]" then save /var/spool/exim4/rejects/embeddedmimeattachement 0644 logfile /var/log/exim/rejectedembeddedmimeattachement.log 0644 logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers" if not error_message then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it.\n\ If you didn't mean to send this file, and you are\n\ using microsoft outlook, you are probably infected.\n\ Please stop using outlook, it is inherently insecure\n\ and you are generating lots of wasted bandwidth and\n\ support headackes by using it, and you are jeopardizing\n\ your files and your data\n\ Please seriously consider using another mail client" seen finish endif endif # same again using unquoted filename [body_unquoted_fn_match] if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]" then save /var/spool/exim4/rejects/embeddedmimeattachement 0644 logfile /var/log/exim/rejectedembeddedmimeattachement.log 0644 logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers" if not error_message then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it.\n\ If you didn't mean to send this file, and you are\n\ using microsoft outlook, you are probably infected.\n\ Please stop using outlook, it is inherently insecure\n\ and you are generating lots of wasted bandwidth and\n\ support headackes by using it, and you are jeopardizing\n\ your files and your data\n\ Please seriously consider using another mail client" seen finish endif endif #### Version history # # 0.01 5 May 2000 # Initial release # 0.02 8 May 2000 # Widened list of content-types accepted, added WSF extension # 0.03 8 May 2000 # Embedded the install notes in for those that don't do manuals # 0.04 9 May 2000 # Check global content-type header. Efficiency mods to REs # 0.05 9 May 2000 # More minor efficiency mods, doc changes # 0.06 20 June 2000 # Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan # 0.07 19 July 2000 # Latest MS Outhouse bug catching # 0.08 19 July 2000 # Changed trigger length to 80 chars, fixed some spd just allow 2 or 3 through # 0.10 18 January 2001 # Removed exclusion for error messages - this is a little nasty # since it has other side effects, hence we do still exclude # on unix like error messages # 0.11 20 March, 2001 # Added CMD extension, tidied docs slightly, added RCS tag # ** Missed changing version number at top of file :-( # 0.12 10 May, 2001 # Added HTA extension # 0.13 22 May, 2001 # Reformatted regexps and code to build them so that they are # shorter than the limits on pre exim 3.20 filters. This will # make them significantly less efficient, but I am getting so # many queries about this that requiring 3.2x appears unsupportable. # 0.14 15 August,2001 # Added .lnk extension - most requested item :-) # Reformatted everything so its now built from a set of short # library files, cutting down on manual duplication. # Changed \w in filename detection to . - dodges locale problems # Explicit application of GPL after queries on license status # 0.15 17 August, 2001 # Changed the . in filename detect to \S (stops it going mad) # 0.16 19 September, 2001 # Pile of new extensions including the eml in current use # 0.17 19 September, 2001 # Syntax fix # #### Install Notes # # Exim filters run the exim filter language - a very primitive # scripting language - in place of a user .forward file, or on # a per system basis (on all messages passing through). # The filtering capability is documented in the main set of manuals # a copy of which can be found on the exim web site # http://www.exim.org/ # # To install, copy the filter file (with appropriate permissions) # to /etc/exim/system_filter.exim and add to your exim config file # [location is installation depedant - typicaly /etc/exim/config ] # in the first section the line:- # message_filter = /etc/exim/system_filter.exim # message_body_visible = 5000 # # You may also want to set the message_filter_user & message_filter_group # options, but they default to the standard exim user and so can # be left untouched. The other message_filter_* options are only # needed if you modify this to do other functions such as deliveries. # The main exim documentation is quite thorough and so I see no need # to expand it here... # # Any message that matches the filter will then be bounced. # If you wish you can change the error message by editing it # in the section above - however be careful you don't break it. # # After install exim should be restarted - a kill -HUP to the # daemon will do this. # #### LIMITATIONS # # This filter tries to parse MIME with a regexp... that doesn't # work too well. It will also only see the amount of the body # specified in message_body_visible # #### BASIS # # The regexp that is used to pickup MIME/uuencoded body parts with # quoted filenames is replicated below (in perl format). # You need to remember that exim converts newlines to spaces in # the message_body variable. # # (?:Content- # start of content header # (?:Type: (?>\s*) # rest of c/t header # [\w-]+/[\w-]+ # content-type (any) # |Disposition: (?>\s*) # content-disposition hdr # attachment) # content-disposition # ;(?>\s*) # ; space or newline # (?:file)?name= # filename=/name= # |begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode # (\"[^\"]+\. # quoted filename. # (?:ad[ep] # list of extns # |ba[st] # |chm # |cmd # |com # |cpl # |crt # |eml # |exe # |hlp # |hta # |in[fs] # |isp # |jse? # |lnk # |md[be] # |ms[cipt] # |pcd # |pif # |reg # |scr # |sct # |shs # |url # |vb[se] # |ws[fhc]) # \" # end quote # ) # end of filename capture # [\s;] # trailing ;/space/newline # # ### [End]