[Sussex] Why doesn't someone .....

Nicholas Butler nik at butlershouse.co.uk
Sun Mar 7 13:01:17 UTC 2004


Iain Stevenson wrote:

>
> ... tell us how to spot zip's with passwords so that we can set up our 
> mail systems to quarantine them?  P(hil || aul) Turner can have a rest 
> then.
>
> Solutions that work with postfix/cyrus/clamd especially welcome!
>
>  Iain
>
> _______________________________________________
> Sussex mailing list
> Sussex at mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/sussex

Okay ... so who would be interested in a 20 minute tech talk on 
configuring Exim to relay mail safely and to implement filters, 
procmail and SpamAssassin?

Here's my entry in exim.conf:



message_filter=/etc/exim/filter/system_filter.exim
message_body_visible = 10000



The file system_filter.exim is available from Exim's site, but for 
completeness I'm inlining it here...

I've snipped it down to the main entries you need.




if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]|zip)\")"
then
  fail text "This message has been rejected because it has\n\
             potentially executable content $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             contact the recipient directly to arrange delivery."
  seen finish
endif




## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants - many, many variants
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
then
#  fail text "This message has been rejected because it has\n\
#            a potentially executable attachment $1\n\
#            This form of attachment has been used by\n\
#             recent viruses or other malware.\n\
#            If you meant to send this file then please\n\
#            package it up as a zip file and resend it."
  seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]|zip))[\\\\s;]"
then
#  fail text "This message has been rejected because it has\n\
#            a potentially executable attachment $1\n\
#            This form of attachment has been used by\n\
#             recent viruses or other malware.\n\
#            If you meant to send this file then please\n\
#            contact the recipient directly."
  seen finish
endif
## -----------------------------------------------------------------------
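The three filter rules above, transcribed to Python and run over constructed sample mail, as an added example that is neither Exim's sample filter nor Nick's code. It shows two things worth checking before relying on the filter as posted (a MIME part with a quoted `filename="x.zip"` is matched by neither body rule, because only the header rule and the unquoted body rule list zip, and anything beyond the first `message_body_visible` bytes of the body is never scanned at all), and it adds the check Iain actually asked for: reading the general-purpose flag of each ZIP local file header, where bit 0 marks a password-protected entry. Addresses, the boundary string, file names and the zip contents are all made up for the example.

```python
"""Added example (not Exim's or the poster's code): the three filter rules
transcribed to Python and run over constructed sample mail, plus a check
for password-protected ZIP entries."""
import base64
import email
import io
import re
import struct
import zipfile

# Extension lists exactly as in the posted filter: the header rule and the
# unquoted body rule include zip, the quoted body rule does not.
EXTS = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
        r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")
EXTS_ZIP = EXTS + "|zip"

# Exim's filter "matches" is caseless by default, hence re.I; the atomic
# groups (?>\s*) of the original are plain \s* here (same matches).
HEADER_RE = re.compile(r'(?:file)?name=("[^"]+\.(?:' + EXTS_ZIP + r')")', re.I)
PREFIX = (r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name="
          r"|begin\s+[0-7]{3,4}\s+)")
BODY_QUOTED_RE = re.compile(PREFIX + r'("[^"]+\.(?:' + EXTS + r')")[\s;]', re.I)
BODY_UNQUOTED_RE = re.compile(PREFIX + r"(\S+\.(?:" + EXTS_ZIP + r"))[\s;]", re.I)


def header_rule(raw):
    """Rule 1: the top-level Content-Type header ($header_content-type:)."""
    m = HEADER_RE.search(email.message_from_bytes(raw).get("Content-Type", ""))
    return m.group(1) if m else None


def visible_body(raw, visible=10000):
    """Approximate $message_body: the first message_body_visible bytes after
    the header block, with newlines turned into spaces as Exim does."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) == 2 else b""
    return body[:visible].decode("latin-1").replace("\r", " ").replace("\n", " ")


def body_rules(raw, visible=10000):
    """Rules 2 and 3 on $message_body; returns (quoted match, unquoted match)."""
    body = visible_body(raw, visible)
    q = BODY_QUOTED_RE.search(body)
    u = BODY_UNQUOTED_RE.search(body)
    return (q.group(1) if q else None, u.group(1) if u else None)


LOCAL_SIG = b"PK\x03\x04"


def zip_encrypted_entries(data):
    """Names of entries whose local file header has general-purpose flag
    bit 0 set, which is how a ZIP marks password-protected data. Scans for
    local header signatures instead of trusting the central directory."""
    names = []
    pos = data.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        fnlen = struct.unpack_from("<H", data, pos + 26)[0]
        name = data[pos + 30:pos + 30 + fnlen].decode("cp437", "replace")
        if flags & 0x0001:
            names.append(name)
        pos = data.find(LOCAL_SIG, pos + 30 + fnlen)
    return names


def scan_zip_attachments(raw):
    """Map each *.zip attachment name to the names of its encrypted entries."""
    found = {}
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            found[name] = zip_encrypted_entries(part.get_payload(decode=True) or b"")
    return found


# --- constructed samples (made up for this example) ------------------------
def make_zip(encrypted):
    """One-entry ZIP; with encrypted=True the flag bit is set in the local
    header and the central directory, as a password-protecting zipper would
    (the data itself is left in clear, which is enough for the header check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("invoice.exe", b"MZ not really a program")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(LOCAL_SIG) + 6] |= 1
        data[data.find(b"PK\x01\x02") + 8] |= 1
    return bytes(data)


def build_message(attachments, filler=""):
    """multipart/mixed mail with base64 attachments; addresses are made up."""
    b = "=-=boundary=-="
    lines = ["From: sender@example.invalid", "To: user@example.invalid",
             "Subject: your invoice", "MIME-Version: 1.0",
             'Content-Type: multipart/mixed; boundary="%s"' % b, "",
             "--" + b, "Content-Type: text/plain", "", "Please see attached.", filler]
    for filename, ctype, data in attachments:
        lines += ["--" + b, "Content-Type: " + ctype, "Content-Transfer-Encoding: base64",
                  "Content-Disposition: attachment; filename=" + filename, "",
                  base64.encodebytes(data).decode()]
    lines.append("--" + b + "--")
    return "\n".join(lines).encode()


if __name__ == "__main__":
    mail = build_message([('"invoice.zip"', "application/zip", make_zip(True))])
    print(body_rules(mail), scan_zip_attachments(mail))
```

Run as-is it prints `(None, None) {'invoice.zip': ['invoice.exe']}`: the quoted zip name slips past both body rules, but the flag check finds the protected entry. Two caveats for anyone copying the filter: `message_body_visible` bounds what `$message_body` rules ever see, so a large text part in front of the attachment defeats rules 2 and 3 unless that limit is raised or the check is done on the decoded MIME parts instead; and `message_filter` is the Exim 3 name of the option, which Exim 4 calls `system_filter`.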
