IE6_bug_autodownloads

    For those who haven't already seen it, there's been an item on BugTraq
    about bypassing ZoneAlarm MailSafe. Whilst that in itself probably
    doesn't concern exim-users, there's an interesting point raised about
    filtering for Windows.

    Windows ignores a trailing dot on a filename. "foo.exe." is the same as
    "foo.exe".


    This is my M4 source for my personal machine's virus filter, based
    originally upon Nigel's filter. It bears an uncanny resemblance to M4
    source used elsewhere, since I M4-ised both, independently.

    The securityfocus bypass is for a simple reason: if someone's reading
    BugTraq, assume they know what they're doing. Enough past examples of
    live attacks posted to the list have led to those who can be educated
    being so educated, and not reading BugTraq from a Windows box.

    gm4 == GNU m4, since OpenBSD's m4 didn't handle this at the time.

    The trailing dnl-comment picking apart the regexp is a little dated.
    I've added logging (at least, I don't think that was originally in
    there). Neither postmaster@ nor abuse@ are filtered. This also blocks
    files which are given as an "inline"-disposed MIME-part, not just
    "attachment".

    Hope this helps someone,

    -----------------------------< cut here >-------------------------------
    dnl Exim system filter file, in m4 format.
    dnl $Id: system_filter.exim.m4,v 1.19 2002/04/03 0109 root Exp $
    dnl Does not pass most comments through to output - keep it smaller
    dnl The "Exim filter" line MUST EXIST AND BE FIRST
    dnl Run: gm4 <system_filter.exim.m4 >system_filter.exim
    dnl
    # Exim filter -- don't delete this line
    # File auto-generated from gnu-m4 src 'system_filter.exim.m4'
    `#' Generated: syscmd(`date')dnl
    # $Id: system_filter.exim.m4,v 1.19 2002/04/03 0109 root Exp $
    dnl
    define(BLOCKEXTS,`vb[se]|ws[fh]|jse?|exe|com|bat|chm|cmd|pif|sh[bs]|hta|as[dx]|ad[ep]|md[abew]|dll|ocx|scr|[ew]ml|nws|lnk')dnl
    define(BLOCKTEXT,
        `"This message has been rejected because it has an attachment\n\
        of a type which is known to be vulnerable to security\n\
        problems, such as holding exploit code for email-vectored\n\
        viruses and worms.\n\
        The attachment was called: $`'1\n\
        If you meant to send this file then please\n\
        package it up as a zip file and resend it."')dnl

    if not first_delivery then finish endif

    dnl Allow postmaster access
    if $original_local_part is postmaster then finish endif
    if $original_local_part is abuse then finish endif

    dnl allow bugtraq exploits through - assume readers competent
    if $sender_address_domain matches "securityfocus.com" then finish endif

    logfile /var/log/exim/filter_log 0640

    dnl Empty envelope first
    if $header_from: contains "@sexyfun.net"
    then
    fail text    "This message has been rejected since it has\n\
            the signature of a known virus in the header."
    seen finish
    endif
    if error_message and $header_from: contains "Mailer-Daemon@"
    then
    dnl looks like a real error message - just ignore it
    finish
    endif

    dnl Microsoft buffer overruns
    if ${length_80:$header_date:} is not $header_date:
    then
    fail text    "This message has been rejected because it has\n\
            an overlength date field which can be used\n\
            to subvert Microsoft mail programs\n\
            The following URL has further information\n\
    http://www.securityfocus.com/frames/...icle.html%3Fid%3D61"
    seen finish
    endif

    dnl Look for single part MIME messages with suspicious name extensions
    dnl Check Content-Type header
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:BLOCKEXTS)(?:\\\\.)*\"|\\\\S+\\\\.(?:BLOCKEXTS)(?:\\\\.)*) "
    then
    logwrite "$`'tod_log Virus/hdr $`'message_id $`'1 <- $`'return_path"
    fail text BLOCKTEXT
    seen finish
    endif

    dnl Attempt to catch embedded VBS attachments
    dnl in emails. These were used as the basis for
    dnl the ILOVEYOU virus and its variants
    dnl
    if $message_body matches "(?:Content-(?:Type:\\\\s*[\\\\w-]+/[\\\\w-]+|Disposition:\\\\s*(?:attachment|inline));\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)(\"[^\"]+\\\\.(?:BLOCKEXTS)(?:\\\\.)*\"|\\\\S+\\\\.(?:BLOCKEXTS)(?:\\\\.)*)[\\\\s;]"
    then
    logwrite "$`'tod_log Virus/body $`'message_id $`'1 <- $`'return_path"
    fail text BLOCKTEXT
    seen finish
    endif

    dnl ### LIMITATIONS
    dnl
    dnl This filter tries to parse MIME with a regexp... that doesn't
    dnl work too well. It will also only see the amount of the body
    dnl specified in message_body_visible
    dnl
    dnl ### BASIS
    dnl
    dnl The regexp that is used to pickup MIME/uuencoded parts is replicated
    dnl below (in perl format). You need to remember that exim converts
    dnl newlines to spaces in the message_body variable.
    dnl
    dnl (?:Content-                         # start of content header
    dnl (?:Type: (?>\s*)                    # rest of c/t header
    dnl [\w-]+/[\w-]+                       # content-type (any)
    dnl |Disposition: (?>\s*)               # content-disposition hdr
    dnl attachment)                         # content-disposition
    dnl ;(?>\s*)                            # ; space or newline
    dnl (?:file)?name=                      # filename=/name=
    dnl |begin (?>\s+) [0-7]{3,4} (?>\s+))  # begin octal-mode
    dnl (\"[^\"]+\.                         # quoted filename.
    dnl     (?:vb[se]                       # list of extns
    dnl     |ws[fh]
    dnl     |jse?
    dnl     |exe
    dnl     |com
    dnl     |bat)
    dnl     \"                              # end quote
    dnl |[\w.-]+\.                          # unquoted filename.ext
    dnl     (?:vb[se]                       # list of extns
    dnl     |ws[fh]
    dnl     |jse?
    dnl     |exe
    dnl     |com
    dnl     |bat)
    dnl )                                   # end of filename capture
    dnl [\s;]                               # trailing ;/space/newline
    dnl
    ### [End]
    -----------------------------< cut here >-------------------------------
    http://blxk.shabgard.org
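The trailing-dot point and the two regexp checks in the post above, re-expressed in Python so they can be run offline against constructed input. This is an added example, not part of the original post and not the filter author's code: the function names, the sample Content-Type values and the sample bodies are mine. Two things are assumptions: the header check accepts whitespace, ';' or end of string after the name (the filter requires a literal trailing space), and the body is cut at 1000 bytes to stand in for Exim's default message_body_visible. Exim's lower-case "matches" is caseless, hence re.IGNORECASE, and the quadrupled backslashes in the filter source reach the regexp engine as single ones, as the author's own BASIS breakdown shows.

```python
import re

# Extension list copied from the filter's BLOCKEXTS macro.
BLOCKEXTS = (r"vb[se]|ws[fh]|jse?|exe|com|bat|chm|cmd|pif|sh[bs]|hta|as[dx]"
             r"|ad[ep]|md[abew]|dll|ocx|scr|[ew]ml|nws|lnk")

# Filename capture shared by both checks: a double-quoted name, or an unquoted
# run of non-space characters, ending in a blocked extension and then any
# number of dots.  The (?:\.)* is the Windows point: "foo.exe." runs as
# "foo.exe", so a filter that stops at the extension is trivially bypassed.
FILENAME = r'("[^"]+\.(?:{e})(?:\.)*"|\S+\.(?:{e})(?:\.)*)'.format(e=BLOCKEXTS)

# $header_content-type: check.  The filter wants a literal space after the
# name; accepting whitespace, ';' or end of string is an assumption here.
HEADER_RE = re.compile(r"(?:file)?name=" + FILENAME + r"(?=[\s;]|$)",
                       re.IGNORECASE)

# $message_body check: a MIME part header or a uuencode "begin <mode>" line,
# matched against a body in which Exim has turned newlines into spaces.
BODY_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*(?:attachment|inline));"
    r"\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)" + FILENAME + r"[\s;]",
    re.IGNORECASE)


def windows_effective_name(name):
    """The name Windows actually opens: surrounding quotes and trailing dots
    are discarded, so "invoice.exe." executes as invoice.exe."""
    return name.strip('"').rstrip(".")


def check_content_type(value):
    """Return the blocked filename found in a Content-Type value, else None."""
    m = HEADER_RE.search(value)
    return m.group(1) if m else None


def exim_message_body(raw_body, visible=1000):
    """Mimic $message_body: only the first message_body_visible bytes are
    available (1000 is Exim's default, an assumption for this example) and
    newlines become spaces."""
    return raw_body[:visible].replace("\n", " ")


def check_body(raw_body, visible=1000):
    """Return the blocked filename found in the visible body, else None."""
    m = BODY_RE.search(exim_message_body(raw_body, visible))
    return m.group(1) if m else None


def scan(content_type, raw_body, visible=1000):
    """Apply the checks in the filter's order; returns (where, name) or None."""
    name = check_content_type(content_type)
    if name:
        return ("hdr", name)
    name = check_body(raw_body, visible)
    if name:
        return ("body", name)
    return None


# Constructed samples, not taken from the page or from any real message.
CT_TRAILING_DOT = 'application/octet-stream; name="invoice.exe."'
CT_ZIP = 'application/zip; name="invoice.zip"'
BODY_INLINE_VBS = ("--boundary\n"
                   "Content-Type: text/plain; charset=us-ascii\n"
                   "Content-Disposition: inline; filename=LOVE-LETTER-FOR-YOU.TXT.vbs\n"
                   "\n"
                   "(attachment data)\n")
BODY_UUENCODE = "hello\n\nbegin 644 setup.scr.\nM....\nend\n"
BODY_CLEAN = 'Content-Type: text/plain; name="readme.txt"\n\nhi\n'

if __name__ == "__main__":
    name = check_content_type(CT_TRAILING_DOT)
    print("header:", name, "-> Windows opens", windows_effective_name(name))
    print("clean header:", check_content_type(CT_ZIP))
    print("inline vbs:", scan(CT_ZIP, BODY_INLINE_VBS))
    print("uuencode:", check_body(BODY_UUENCODE))
    print("clean body:", check_body(BODY_CLEAN))
    # The LIMITATIONS note in action: push the part past message_body_visible
    # and the body check no longer sees it.
    padded = "x" * 2000 + "\n" + BODY_UUENCODE
    print("past visible limit:", check_body(padded),
          "| with visible=4000:", check_body(padded, visible=4000))
```

The padded case is the filter's own LIMITATIONS note made concrete: anything a sender places beyond message_body_visible is never seen by the $message_body test, which is one more reason the header check and a real MIME parser matter more than the body regexp.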