Introduction
cPanel allows you to create custom Exim filters that block specific file extensions. This article provides the procedure for doing so.
Please note that cPanel does not support customizing the specific contents of your Exim filters. If you need help crafting a custom filter, you should contact a systems administrator with the skills, training, and expertise required to do so.
Procedure
- Access the server's command line as the 'root' user via SSH or "Terminal" in WHM.
- Create a new filter file in the
/usr/local/cpanel/etc/exim/sysfilter/options/folder.touch /usr/local/cpanel/etc/exim/sysfilter/options/custom_attachments
- Open the new filter file in your preferred text editor.
- Add the following to the file.
# Look for single part MIME messages with suspicious name extensions # Check Content-Type header using quoted filename [content_type_quoted_fn_match] if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")" then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finish endif # same again using unquoted filename [content_type_unquoted_fn_match] if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)" then fail text "This message has been rejected because it has\n\ potentially executable content $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finish endif # Attempt to catch embedded VBS attachments # in emails. These were used as the basis for # the ILOVEYOU virus and its variants - many many varients # Quoted filename - [body_quoted_fn_match] if $message_body matches "(?:Content-(?:Type:(?\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?\\\\s*)attachment);(?\\\\s*)(?:file)?name=|begin(?\\\\s+)[0-7]{3,4}(?\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]" then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finish endif # same again using unquoted filename [body_unquoted_fn_match] if $message_body matches "(?:Content-(?:Type:(?\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?\\\\s*)attachment);(?\\\\s*)(?:file)?name=|begin(?\\\\s+)[0-7]{3,4}(?\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]" then fail text "This message has been rejected because it has\n\ a potentially executable attachment $1\n\ This form of attachment has been used by\n\ recent viruses or other malware.\n\ If you meant to send this file then please\n\ package it up as a zip file and resend it." seen finish endif - Modify the
$message_body matchesand$header_content-type:lines to include the file extensions to block. - Save the changes and exit the text editor.
- Rebuild the Exim configuration.
/usr/local/cpanel/scripts/buildeximconf
Please note that cPanel will copy your custom filter into the system filter file. - Restart Exim.
/usr/local/cpanel/scripts/restartsrv_exim
Comments
0 comments
Article is closed for comments.