Bashed

cPanel Access Level
Root Administrator
I'm trying to figure out how to block certain malicious attachments from malware emails like .zip, .rar, pdf.z. Someone please explain because using the email account filter in cPanel is not working, with 'any header' option selected.
 

cPanelLauren

Product Owner
Staff member
Hello,

The filter doesn't contain support for those file types. By default it looks for the following extensions:

Code:
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
You can create your own exim filter to strip these using the instructions here: How to Customize the Exim System Filter File | cPanel & WHM Documentation
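An added example (not cPanel's or Exim's code) for checking an extended extension list offline before editing the system filter: it rebuilds the pattern quoted above in Python's `re` and runs it over constructed MIME header lines. Assumptions: the doubled backslashes on the page reduce to single regex escapes, the atomic groups are written as plain groups, and the function names and the added `zip`/`rar` extensions are illustrative.

```python
import re

# Extension alternation copied from the default pattern quoted above.
DEFAULT_EXTS = (
    r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|"
    r"jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]"
)


def build_pattern(extra_exts=()):
    """Return the attachment-name regex, optionally with extra extensions."""
    exts = "|".join([DEFAULT_EXTS, *map(re.escape, extra_exts)])
    return re.compile(
        # MIME header (or uuencode "begin" line) that introduces a file name
        r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*"
        r"(?:file)?name=|begin\s+[0-7]{3,4}\s+)"
        # quoted file name ending in a listed extension
        r'("[^"]+\.(?:' + exts + r')")[\s;]',
        # Exim's lowercase "matches" test is case-insensitive
        re.IGNORECASE,
    )


def blocked_name(pattern, text):
    """Return the quoted file name the pattern flags in text, or None."""
    m = pattern.search(text)
    return m.group(1) if m else None


# Constructed sample header lines, not taken from real mail.
SAMPLES = {
    "zip": 'Content-Type: application/zip; name="invoice.zip"\r\n',
    "rar": 'Content-Disposition: attachment; filename="scan.rar"\r\n',
    "exe": 'Content-Disposition: attachment; filename="setup.EXE"\r\n',
    "pdf": 'Content-Type: application/pdf; name="report.pdf"\r\n',
}


def scan(pattern):
    """Map each sample label to the flagged file name (None if not flagged)."""
    return {label: blocked_name(pattern, text) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    print("default :", scan(build_pattern()))
    print("extended:", scan(build_pattern(["zip", "rar"])))
```

The default list flags only the `.EXE` sample; with `zip` and `rar` appended, the archive samples are flagged too and the PDF still passes.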
 

zgrek20

cPanel Access Level
Root Administrator
I have modified the default exim filter to block additional file types such as zip|7z|rar.
My question is can it be limited only to incoming messages and NOT outgoing?
Thank you

cPanelLauren

Product Owner
Staff member
I believe in order to do this, you'd move away from a system filter to utilize an ACL, which would be a customization, but you can read about these here:


And I would suggest for more in-depth assistance with something like this you query the Exim Users mailing list here: Exim-users