Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Attachments: Filter messages with dangerous attachments

Discussion in 'E-mail Discussions' started by keat63, Feb 23, 2017.

Tags:
  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    885
    Likes Received:
    26
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    It seems that .JAR files are being recieved in emails, so I'm guessing that the above exim rule doesn't consider .JAR files dangerous, or the rule doesn't work.

    Do I need to add .JAR as a dangerous file in any sort of config ?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    885
    Likes Received:
    26
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    seems straight forward enough, I'll give this a try.
     
    cPanelMichael likes this.
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Let us know if you encounter any difficulties when making the change.

    Thanks!
     
  5. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    885
    Likes Received:
    26
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I made the change, but it he entries have vanished.
    Does this defauly back to stock after a server or service restart


    Code:
    # Exim filter
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #  cPanel System Filter for EXIM                                                                                #
    #  VERSION = 2.0                                                                                                #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!      #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #   Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is      #
    #   next rebuilt. To have modifications retained, please use one of the following options:                      #
    #                                                                                                               #
    #    1)                                                                                                         #
    #      * Place each sysfilter block you wish to include in a unique file at:                                    #
    #            /usr/local/cpanel/etc/exim/sysfilter/options/                                                      #
    #      * Enable or disable the custom block in WHM using:                                                       #
    #          Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]  #
    #                                                                                                               #
    #    2)                                                                                                         #
    #      * Create a custom sysfilter file in /etc/                                                                #
    #      * Change the location of the sysfilter file in WHM using:                                                #
    #          Service Configuration => Exim Configuration Manager => Filters => System Filter File                 #
    #                                                                                                               #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!      #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #                                                                                                               #
    #  Only process once                                                                                            #
    #                                                                                                               #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    if not first_delivery
    then
      finish
    endif
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #                                                                                                               #
    #  Ignore "real" errors                                                                                         #
    #                                                                                                               #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    if error_message and $header_from: contains "Mailer-Daemon@"
    then
      finish
    endif
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    
    # BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments
    # (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
    # or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
    ## -----------------------------------------------------------------------
    # Look for single part MIME messages with suspicious name extensions
    # Check Content-Type header using quoted filename [content_type_quoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    then
      fail text "This message has been rejected because it has\n\
            potentially executable content $1\n\
            This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
            If you meant to send this file then please\n\
            package it up as a zip file and resend it."
      seen finish
    endif
    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
    then
      fail text "This message has been rejected because it has\n\
            potentially executable content $1\n\
            This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
            If you meant to send this file then please\n\
            package it up as a zip file and resend it."
      seen finish
    endif
    
    
    ## -----------------------------------------------------------------------
    # Attempt to catch embedded VBS attachments
    # in emails.   These were used as the basis for
    # the ILOVEYOU virus and its variants - many many varients
    # Quoted filename - [body_quoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
    then
      fail text "This message has been rejected because it has\n\
            a potentially executable attachment $1\n\
            This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
            If you meant to send this file then please\n\
            package it up as a zip file and resend it."
      seen finish
    endif
    # same again using unquoted filename [body_unquoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
    then
      fail text "This message has been rejected because it has\n\
            a potentially executable attachment $1\n\
            This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
            If you meant to send this file then please\n\
            package it up as a zip file and resend it."
      seen finish
    endif
    ## -----------------------------------------------------------------------
    
    
    
    #### Version history
    #
    # 0.01 5 May 2000
    #   Initial release
    # 0.02 8 May 2000
    #   Widened list of content-types accepted, added WSF extension
    # 0.03 8 May 2000
    #   Embedded the install notes in for those that don't do manuals
    # 0.04 9 May 2000
    #   Check global content-type header.  Efficiency mods to REs
    # 0.05 9 May 2000
    #   More minor efficiency mods, doc changes
    # 0.06 20 June 2000
    #   Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
    # 0.07 19 July 2000
    #   Latest MS Outhouse bug catching
    # 0.08 19 July 2000
    #   Changed trigger length to 80 chars, fixed some spelling
    # 0.09 29 September 2000
    #   More extensions... its getting so we should just allow 2 or 3 through
    # 0.10 18 January 2001
    #   Removed exclusion for error messages - this is a little nasty
    #   since it has other side effects, hence we do still exclude
    #   on unix like error messages
    # 0.11 20 March, 2001
    #   Added CMD extension, tidied docs slightly, added RCS tag
    #   ** Missed changing version number at top of file :-(
    # 0.12 10 May, 2001
    #   Added HTA extension
    # 0.13 22 May, 2001
    #   Reformatted regexps and code to build them so that they are
    #   shorter than the limits on pre exim 3.20 filters.  This will
    #   make them significantly less efficient, but I am getting so
    #   many queries about this that requiring 3.2x appears unsupportable.
    # 0.14 15 August,2001
    #   Added .lnk extension - most requested item :-)
    #   Reformatted everything so its now built from a set of short
    #   library files, cutting down on manual duplication.
    #   Changed \w in filename detection to . - dodges locale problems
    #   Explicit application of GPL after queries on license status
    # 0.15 17 August, 2001
    #   Changed the . in filename detect to \S (stops it going mad)
    # 0.16 19 September, 2001
    #   Pile of new extensions including the eml in current use
    # 0.17 19 September, 2001
    #   Syntax fix
    #
    #### Install Notes
    #
    # Exim filters run the exim filter language - a very primitive
    # scripting language - in place of a user .forward file, or on
    # a per system basis (on all messages passing through).
    # The filtering capability is documented in the main set of manuals
    # a copy of which can be found on the exim web site
    #   http://www.exim.org/
    #
    # To install, copy the filter file (with appropriate permissions)
    # to /etc/exim/system_filter.exim and add to your exim config file
    # [location is installation depedant - typicaly /etc/exim/config ]
    # in the first section the line:-
    #   message_filter = /etc/exim/system_filter.exim
    #   message_body_visible = 5000
    #
    # You may also want to set the message_filter_user & message_filter_group
    # options, but they default to the standard exim user and so can
    # be left untouched.  The other message_filter_* options are only
    # needed if you modify this to do other functions such as deliveries.
    # The main exim documentation is quite thorough and so I see no need
    # to expand it here...
    #
    # Any message that matches the filter will then be bounced.
    # If you wish you can change the error message by editing it
    # in the section above - however be careful you don't break it.
    #
    # After install exim should be restarted - a kill -HUP to the
    # daemon will do this.
    #
    #### LIMITATIONS
    #
    # This filter tries to parse MIME with a regexp... that doesn't
    # work too well.  It will also only see the amount of the body
    # specified in message_body_visible
    #
    #### BASIS
    #
    # The regexp that is used to pickup MIME/uuencoded body parts with
    # quoted filenames is replicated below (in perl format).  
    # You need to remember that exim converts newlines to spaces in
    # the message_body variable.
    #
    #     (?:Content-                   # start of content header
    #     (?:Type: (?>\s*)               # rest of c/t header
    #       [\w-]+/[\w-]+               # content-type (any)
    #       |Disposition: (?>\s*)           # content-disposition hdr
    #       attachment)                   # content-disposition
    #     ;(?>\s*)                   # ; space or newline
    #     (?:file)?name=               # filename=/name=
    #     |begin (?>\s+) [0-7]{3,4} (?>\s+))        # begin octal-mode
    #     (\"[^\"]+\.                   # quoted filename.
    #       (?:ad[ep]               # list of extns
    #       |ba[st]
    #       |chm
    #       |cmd
    #       |com
    #       |cpl
    #       |crt
    #       |eml
    #       |exe
    #       |hlp
    #       |hta
    #       |in[fs]
    #       |isp
    #       |jse?
    #       |lnk
    #       |md[be]
    #       |ms[cipt]
    #       |pcd
    #       |pif
    #       |reg
    #       |scr
    #       |sct
    #       |shs
    #       |url
    #       |vb[se]
    #       |ws[fhc])
    #     \"                       # end quote
    #     )                       # end of filename capture
    #     [\s;]                       # trailing ;/space/newline
    
    #
    #
    ### [End]
    # END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments
    
    # BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite
    # (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
    # or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
    if "${if def:header_X-Spam-Subject: {there}}" is there
    then
        headers remove Subject
        headers add "Subject: $rh_X-Spam-Subject:"
        headers remove X-Spam-Subject
    endif
    # END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite
    
    [\code]
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You'll need to follow the steps in the previous part of that document:

    How to create a custom Exim system filter file

    Thus, when following those steps, you'd edit /etc/cpanel_system_filter_new instead of the actual /etc/cpanel_exim_system_filter file.

    Thank you.
     
Loading...

Share This Page