Exim System Filter fail
We've had a custom /etc/cpanel_exim_system_new filter for several years that excludes .zip and .z attachments. We added "Z" to both the "body_quoted" and "body_unquoted" sections of the filter file like this:
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jar|jse?|lnk|md[be]|ms[cipt]|pcd|pif|rar|reg|scr|sct|shs|url|vb[se]|ws[fhc]|zip|Z)\")[\\s;]"
Today an email with a .z attachment slipped through the filter. I just sent myself several attachments with either ".z" or ".Z" extensions, blanks in the filename, "Windows friendly", and all bounced as expected. Here's a clip from the email that got through the filter:
------=_NextPart_000_0012_FCC05329.0E9404B9
Content-Type: application/octet-stream; name="Quotation request.z"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Quotation request.z"
Anyone know how this might have got through the filter or where to look for clues?
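As an added example (not the filter's own code, nor cPanel's), the quoted-filename rule above ported to Python and run over an emulation of Exim's $message_body, which holds only the first message_body_visible bytes of the body (Exim's default is 500) with newlines replaced by spaces. The atomic groups are written as plain \s*, the match is case-insensitive as Exim's lower-case "matches" is, and the MIME bodies are constructed, reusing the headers from the clip.

```python
import re

# Added example, not code from the post or from cPanel: a Python port of the
# post's [body_quoted_fn_match] rule. Exim's (?>...) atomic groups become plain
# \s* (same matches here); re.IGNORECASE mirrors Exim's lower-case "matches".
QUOTED_FILENAME_RE = re.compile(
    r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name='
    r'|begin\s+[0-7]{3,4}\s+)'
    r'("[^"]+\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jar|jse?'
    r'|lnk|md[be]|ms[cipt]|pcd|pif|rar|reg|scr|sct|shs|url|vb[se]|ws[fhc]|zip|Z)")[\s;]',
    re.IGNORECASE,
)

def exim_message_body(raw_body: str, visible: int = 500) -> str:
    """Emulate $message_body: Exim exposes only the first message_body_visible
    bytes of the body (default 500) and replaces newlines with spaces."""
    return raw_body[:visible].replace("\n", " ")

def blocked_filename(raw_body: str, visible: int = 500):
    """Return the quoted filename the rule would reject, or None if nothing matches."""
    m = QUOTED_FILENAME_RE.search(exim_message_body(raw_body, visible))
    return m.group(1) if m else None

# Constructed MIME bodies (not the real message from the thread); the attachment
# part reuses the exact headers quoted in the post, with a dummy base64 payload.
BOUNDARY = "------=_NextPart_000_0012_FCC05329.0E9404B9"
ATTACHMENT_PART = (
    BOUNDARY + "\n"
    'Content-Type: application/octet-stream; name="Quotation request.z"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="Quotation request.z"\n'
    "\nUUVVU1RFRA==\n"
)
TEXT_PART = (
    BOUNDARY + "\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "Content-Transfer-Encoding: 7bit\n"
    "\n" + "Please find our quotation attached.\n" * 20
)
# Attachment part first: its headers fall inside the first 500 bytes.
SMALL_MESSAGE = ATTACHMENT_PART + BOUNDARY + "--\n"
# Long text part first (about 840 bytes): the attachment headers start past byte 500.
LARGE_MESSAGE = TEXT_PART + ATTACHMENT_PART + BOUNDARY + "--\n"

if __name__ == "__main__":
    print(blocked_filename(SMALL_MESSAGE))            # "Quotation request.z"
    print(blocked_filename(LARGE_MESSAGE))            # None
    print(blocked_filename(LARGE_MESSAGE, 100000))    # "Quotation request.z"
```

Whether the rule fires thus depends not only on the extension list but on how far into the body the attachment part's headers sit relative to message_body_visible.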
Hey there! Do you see anything odd in the /var/log/exim_mainlog file for that message? Are there possibly any whitelists or other entries in the filter that could have been actioned on before the "Z" filter was reached?
We have only three whitelisted IP ranges from collaborators. I confirmed the IP of the email in question is not in those ranges. The target account has a couple of spam filters, followed by the final filter that redirects the email to three other accounts. To confirm the exim attachment filter that bounces .z attachments actions first, I sent a dummy .z attachment to the same account and it bounced, including these lines in exim_mainlog:
cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lyeJp-0003PR-A5
1lyeJp-0003PR-A5 cancelled by system filter: Message rejected because it has\npotentially executable content "three file.z".
cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1lyeJp-0003PR-A5
1lyeJr-0003PY-E8 <= <> R=1lyeJp-0003PR-A5 U=mailnull P=local S=2584 T="Mail delivery failed: returning message to sender" for tst@mydomain.com
The message that got through has 6 entries in exim_mainlog, condensed and cleaned here:
1ly7ie-000Q3H-G5 H=(bizcloud-cep.localdomain) [128.199.21.82]:52016 Warning: Message has been scanned: no virus or other harmful content was found
1ly7ie-000Q3H-G5 <= vicky.nguyen@domain.com H=(bizcloud-cep.localdomain) [128.199.21.82]:52016 P=esmtp S=357448 id=20210629081802.637E8F03D136E2FC@kginternational.com T="Quotation request" for xyz@mydomain.com
cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ly7ie-000Q3H-G5
1ly7ie-000Q3H-G5 => larry+xyz ("larry+xyz"@mydomain.com, larry@mydomain.com) R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 MfCeI9/E2mBohwEAAdGtpg Saved"
1ly7ie-000Q3H-G5 -> moe+xyz ("moe+xyz"@mydomain.com, moe@mydomain.com) R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 MfCeI9/E2mBohwEAAdGtpg:2 Saved"
1ly7ie-000Q3H-G5 -> curly+xyz ("curly+xyz"@mydomain.com, curly@mydomain.com) R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 MfCeI9/E2mBohwEAAdGtpg:3 Saved"
1ly7ie-000Q3H-G5 Completed
Thanks for the additional details. That doesn't really tell us much, although it does indicate the filter was read, as we don't see the typical "central_filter bypassed" that appears on many systems. I really don't have a good explanation based on those details. You're always welcome to open a ticket with our team if you wanted us to check the system directly.
Thank you. As you suggested, precedence order can be confusing. Similar to the "bug/feature request" in which several filter actions (e.g. Discard Message) mysteriously cause the auto-responder not to trigger and/or filters not to function.