| Disable Functions: Path : /etc/ |
| Current File : //etc/antivirus.exim |
# Exim filter
if not first_delivery
then
finish
endif
## -----------------------------------------------------------------------
# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We substract the first n characters of the date header
# and test if its the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long
if ${length_80:$header_date:} is not $header_date:
then
fail text "This message has been rejected because it has\n\
an overlength date field which can be used\n\
to subvert Microsoft mail programs\n\
The following URL has further information\n\
http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
seen finish
endif
## -----------------------------------------------------------------------
# These messages are now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
# bounces getting back.... so we fudge it somewhat and check for known
# header signatures. Other bounces are allowed through.
if $header_from: contains "@sexyfun.net"
then
fail text "This message has been rejected since it has\n\
the signature of a known virus in the header."
seen finish
endif
if error_message and $header_from: contains "Mailer-Daemon@"
then
# looks like a real error message - just ignore it
finish
endif
## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")$"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))$"
then
fail text "This message has been rejected because it has\n\
potentially executable content $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants - many many varients
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
then
fail text "This message has been rejected because it has\n\
a potentially executable attachment $1\n\
This form of attachment has been used by\n\
recent viruses or other malware.\n\
If you meant to send this file then please\n\
package it up as a zip file and resend it."
seen finish
endif
## -----------------------------------------------------------------------
if not first_delivery
then
finish
endif
## -----------------------------------------------------------------------
# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We substract the first n characters of the date header
# and test if its the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long
if ${length_80:$header_date:} is not $header_date:
then
fail text "This message has been rejected because it has\n\
an overlength date field which can be used\n\
to subvert Microsoft mail programs\n\
The following URL has further information\n\
http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
seen finish
endif
# These messages are now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
# bounces getting back.... so we fudge it somewhat and check for known
# header signatures. Other bounces are allowed through.
if $header_from: contains "@sexyfun.net"
then
fail text "This message has been rejected since it has\n\
the signature of a known virus in the header."
seen finish
endif
if error_message and $header_from: contains "Mailer-Daemon@"
then
# looks like a real error message - just ignore it
finish
endif
# BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite
# (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
# or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
if "${if def:header_X-Spam-Subject: {there}}" is there
then
headers remove Subject
headers add "Subject: $h_X-Spam-Subject:"
headers remove X-Spam-Subject
endif
# END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite