Blocking Email Attachments by file name?
Hello,
I would like to block email attachments by file name, for example "test.html".
I need to do it with the Exim System Filter File so that it applies to all user accounts, not with a user filter.
I tried the command "if $message_body matches ="test.html"", but this catches any message that contains the text test.html, and I want to catch only messages that have an attachment named "test.html".
Any ideas and help?
I don't know enough about this stuff, but what happens if you put forward slashes in there? "if $message_body matches ="/test.html/""
We do something similar to this in the default exim system filter file already. We just look for extensions specifically. Something like these could be modified to do what you're requesting:

    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    then
      fail text "This message has been rejected because it has\n\
                 potentially executable content $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif

    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
    then
      fail text "This message has been rejected because it has\n\
                 potentially executable content $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
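To check how the two patterns above behave once the extension list is swapped for one exact file name, here is an added example (not part of the original posts and not cPanel's code). It writes the regexes in plain Python form without the filter file's extra backslash escaping, which is an assumption about how Exim unescapes them; the helper names and sample strings are constructed.

```python
import re

def filename_patterns(name):
    """Quoted and unquoted name=/filename= patterns for one exact file name.

    Assumption: these are the thread's two regexes in plain regex form, with
    the filter file's extra backslash escaping removed and the extension
    alternation replaced by the literal name.
    """
    lit = re.escape(name)
    # Lower-case `matches` in an Exim filter ignores case, hence re.I.
    quoted = re.compile(r'(?:file)?name=("' + lit + r'")', re.I)
    unquoted = re.compile(r'(?:file)?name=(' + lit + r')([\s;]|$)', re.I)
    return quoted, unquoted

def names_attachment(text, name):
    """True if text carries a name= or filename= parameter equal to name."""
    return any(p.search(text) for p in filename_patterns(name))

def naive_match(text, name):
    """The bare substring test from the question, for comparison."""
    return name.lower() in text.lower()

# Constructed samples (not taken from real mail).
SAMPLES = [
    'text/html; name="test.html"',
    'text/html; name=test.html; charset=utf-8',
    'Content-Disposition: attachment; filename="TEST.html"',
    'text/html; name="mytest.html"',
    'text/plain; name=test.html.txt',
    'Please open test.html on the intranet.',
]

if __name__ == "__main__":
    # Columns: anchored name= match, naive substring match, sample text.
    for s in SAMPLES:
        anchored = names_attachment(s, "test.html")
        naive = naive_match(s, "test.html")
        print(f"{anchored!s:5} {naive!s:5} {s}")
```

The last three samples are the ones the bare substring test flags but the anchored patterns do not.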
Hi Lauren, when you say that you have the above in the default system filter file, does this not get overwritten if exim config is rebuilt?
Actually, digging in my exim config, I found that my default was pointing to etc/antivirus.empty, which was in fact empty. Interesting find.
Hi @keat63, not that I have this, this is something we have in the file by default. Since this is something that cPanel implemented it won't be overwritten.
> Actually, digging in my exim config, I found that my default was pointing to etc/antivirus.empty, which was in fact empty. Interesting find.
I am assuming you're referencing the custom system filter file. I am referencing the default.
If I open up exim config manager and navigate to filters, my default 'System Filter File' is configured to use /etc/antivirus.empty. If I open that file, it is indeed empty. There is another file named antivirus.exim, which contains the regex you posted earlier. So I copied the contents to the .empty file with a view to monitor the output. This is not something I ever changed, so I've no idea why it's defaulting to the .empty file, but I did find a post from a few years back highlighting the same problem and fix. I assume this is why some dodgy file extensions were getting passed through?
The /etc/cpanel_exim_system_filter is the default - this would have had to be changed at one point to reference the custom filter file. Possibly for use of a plugin. I'd suggest changing it back to the default.
> I assume this is why some dodgy file extensions were getting passed through ??
Definitely a possibility.
Appreciate that it's gone off topic, but it doesn't appear the OP has returned, so may as well keep this discussion open now we started. I don't have much in the way of plugins: ClamAV, CSF Firewall, CSF Mailscanner, CSF Explorer. Could any of these have changed the default?
Rolled it back, thanks.