Blocking Email Attachments by file name?

[Qasem_AM]

Hello,

I would like to blocking Email Attachments by the name of files for EX "test.html"

I need to do it with Exim System Filter File to be for all users account not with user filter

I was try with the command "if $message_body matches ="test.html" but here will catch the message which have txt test.html , but I want to catch the message which have Attachments with name "test.html"

Any idea & hellp

 

[keat63]

I don't know enough about this stuff, but what happens if you put forward slashes in there.
"if $message_body matches ="/test.html/"

 

[cPanelLauren]

We do something similar to this in the default exim system filter file already. We just look for extensions specifically. Something like these could be modified to do what you're requesting:

if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
then
  fail text "This message has been rejected because it has\n\
             potentially executable content $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
then
  fail text "This message has been rejected because it has\n\
             potentially executable content $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif

 

[keat63]

Hi Lauren

When you say that you have the above in the default system filter file, does this not get over written if exim config is rebuilt ?

 

[keat63]

Actually, digging in my exim config, I found that my default was pointing to etc/antivirus.empty, which was in fact empty.
Interesting find.

 

[cPanelLauren]

Hi @keat63

Not that I have this, this is something we have in the file by default. Since this is something that cPanel implemented it won't be overwritten.

Actually, digging in my exim config, I found that my default was pointing to etc/antivirus.empty, which was in fact empty.
Interesting find.

I am assuming you're referencing the custom systemfilter file. I am referencing the default.

 

[keat63]

If I open up exim config manager, and navigate to filters.
My default 'System Filter File' is configured to use /etc/antivirus.empty.

If I open that file, it is indeed empty.
There is another file named antivirus.exim, which contains the regex you posted earlier.
So I copied the contents to the .empty file with a view to monitor the output.

This is not something I ever changed, so I've no idea why its defaulting to the .empty file, but I did find a post from a few years back highlighting the same problem and fix.

I assume this is why some dodgy file extensions were getting passed through ??

 

[cPanelLauren]

The /etc/cpanel_exim_system_filter is the default - this would have had to be changed at one point to reference the custom filter file. Possibly for use of a plugin. I'd suggest changing it back to the default.

I assume this is why some dodgy file extensions were getting passed through ??

Definitely a possibility.

 

[keat63]

Appreciate that it's gone off topic, but it doesn't appear the OP has returned, so may as well keep this discussion open now we started.

I don't have much in the way of plugins.

ClamAV
CSF Firewall
CSF Mailscanner
CSF Explorer

Could any of these changed the default. ?

 

[Infopro]

CSF Mailscanner

MailScanner.
ConfigServer Services - What settings do you recommend for the Exim Configuration Editor Standard Options settings on a cPanel server running MailScanner?

 

[keat63]

rolled it back, thanks.