Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Block custom attachments EXIM issue

Discussion in 'E-mail Discussions' started by EneTar, Jan 24, 2018.

Tags:
  1. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Following the instructions from How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation

    I have created a custom system filter at /etc/cpanel_exim_system_filter_custom by copying the /etc/cpanel_exim_system_filter file then I chose that file at WHM >> Home >> Service Configuration >> Exim Configuration Manager >> Basic Editor section >> Filters tab >> System Filter File

    At this point the 2 rules form the Filters tab
    Attachments: Filter messages with dangerous attachments
    Apache SpamAssassin™: Global Subject Rewrite are blurred


    Content of /etc/cpanel_exim_system_filter_custom :
    Code:
    # Exim filter
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #  cPanel System Filter for EXIM                                                                                #
    #  VERSION = 2.0                                                                                                #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!      #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #   Direct modifications to the /etc/cpanel_exim_system_filter file will be lost when the configuration is      #
    #   next rebuilt. To have modifications retained, please use one of the following options:                      #
    #                                                                                                               #
    #    1)                                                                                                         #
    #      * Place each sysfilter block you wish to include in a unique file at:                                    #
    #            /usr/local/cpanel/etc/exim/sysfilter/options/                                                      #
    #      * Enable or disable the custom block in WHM using:                                                       #
    #          Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]  #
    #                                                                                                               #
    #    2)                                                                                                         #
    #      * Create a custom sysfilter file in /etc/                                                                #
    #      * Change the location of the sysfilter file in WHM using:                                                #
    #          Service Configuration => Exim Configuration Manager => Filters => System Filter File                 #
    #                                                                                                               #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!DO NOT MODIFY THIS FILE DIRECTLY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!      #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #                                                                                                               #
    #  Only process once                                                                                            #
    #                                                                                                               #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    if not first_delivery
    then
      finish
    endif
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #                                                                                                               #
    #  Ignore "real" errors                                                                                         #
    #                                                                                                               #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    if error_message and $header_from: contains "Mailer-Daemon@"
    then
      finish
    endif
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    
    # BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments
    # (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
    # or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
    ## -----------------------------------------------------------------------
    # Look for single part MIME messages with suspicious name extensions
    # Check Content-Type header using quoted filename [content_type_quoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|jar|ace|r00|iso|z|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    then
      fail text "This message has been rejected because it has\n\
             potentially executable content $1\n\
             This form of attachment has been used by\n\
                 recent viruses or other malware."
                                                 
                                               
      seen finish
    endif
    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|jar|ace|r00|iso|z|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
    then
      fail text "This message has been rejected because it has\n\
             potentially executable content $1\n\
             This form of attachment has been used by\n\
                 recent viruses or other malware."
                                                 
                                               
      seen finish
    endif
    
    
    ## -----------------------------------------------------------------------
    # Attempt to catch embedded VBS attachments
    # in emails.   These were used as the basis for
    # the ILOVEYOU virus and its variants - many many varients
    # Quoted filename - [body_quoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|jar|ace|r00|iso|z|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
    then
      fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
                 recent viruses or other malware."
                                                 
                                               
      seen finish
    endif
    # same again using unquoted filename [body_unquoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|jar|ace|r00|iso|z|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
    then
      fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
                 recent viruses or other malware."
                                                 
                                               
      seen finish
    endif
    ## -----------------------------------------------------------------------
    
    
    
    #### Version history
    #
    # 0.01 5 May 2000
    #    Initial release
    # 0.02 8 May 2000
    #    Widened list of content-types accepted, added WSF extension
    # 0.03 8 May 2000
    #    Embedded the install notes in for those that don't do manuals
    # 0.04 9 May 2000
    #    Check global content-type header.  Efficiency mods to REs
    # 0.05 9 May 2000
    #    More minor efficiency mods, doc changes
    # 0.06 20 June 2000
    #    Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
    # 0.07 19 July 2000
    #    Latest MS Outhouse bug catching
    # 0.08 19 July 2000
    #    Changed trigger length to 80 chars, fixed some spelling
    # 0.09 29 September 2000
    #    More extensions... its getting so we should just allow 2 or 3 through
    # 0.10 18 January 2001
    #    Removed exclusion for error messages - this is a little nasty
    #    since it has other side effects, hence we do still exclude
    #    on unix like error messages
    # 0.11 20 March, 2001
    #    Added CMD extension, tidied docs slightly, added RCS tag
    #    ** Missed changing version number at top of file :-(
    # 0.12 10 May, 2001
    #    Added HTA extension
    # 0.13 22 May, 2001
    #    Reformatted regexps and code to build them so that they are
    #    shorter than the limits on pre exim 3.20 filters.  This will
    #    make them significantly less efficient, but I am getting so
    #    many queries about this that requiring 3.2x appears unsupportable.
    # 0.14 15 August,2001
    #    Added .lnk extension - most requested item :-)
    #    Reformatted everything so its now built from a set of short
    #    library files, cutting down on manual duplication.
    #    Changed \w in filename detection to . - dodges locale problems
    #    Explicit application of GPL after queries on license status
    # 0.15 17 August, 2001
    #    Changed the . in filename detect to \S (stops it going mad)
    # 0.16 19 September, 2001
    #    Pile of new extensions including the eml in current use
    # 0.17 19 September, 2001
    #    Syntax fix
    #
    #### Install Notes
    #
    # Exim filters run the exim filter language - a very primitive
    # scripting language - in place of a user .forward file, or on
    # a per system basis (on all messages passing through).
    # The filtering capability is documented in the main set of manuals
    # a copy of which can be found on the exim web site
    #    http://www.exim.org/
    #
    # To install, copy the filter file (with appropriate permissions)
    # to /etc/exim/system_filter.exim and add to your exim config file
    # [location is installation depedant - typicaly /etc/exim/config ]
    # in the first section the line:-
    #    message_filter = /etc/exim/system_filter.exim
    #    message_body_visible = 5000
    #
    # You may also want to set the message_filter_user & message_filter_group
    # options, but they default to the standard exim user and so can
    # be left untouched.  The other message_filter_* options are only
    # needed if you modify this to do other functions such as deliveries.
    # The main exim documentation is quite thorough and so I see no need
    # to expand it here...
    #
    # Any message that matches the filter will then be bounced.
    # If you wish you can change the error message by editing it
    # in the section above - however be careful you don't break it.
    #
    # After install exim should be restarted - a kill -HUP to the
    # daemon will do this.
    #
    #### LIMITATIONS
    #
    # This filter tries to parse MIME with a regexp... that doesn't
    # work too well.  It will also only see the amount of the body
    # specified in message_body_visible
    #
    #### BASIS
    #
    # The regexp that is used to pickup MIME/uuencoded body parts with
    # quoted filenames is replicated below (in perl format).
    # You need to remember that exim converts newlines to spaces in
    # the message_body variable.
    #
    #      (?:Content-                    # start of content header
    #      (?:Type: (?>\s*)                # rest of c/t header
    #        [\w-]+/[\w-]+                # content-type (any)
    #        |Disposition: (?>\s*)            # content-disposition hdr
    #        attachment)                    # content-disposition
    #      ;(?>\s*)                    # ; space or newline
    #      (?:file)?name=                # filename=/name=
    #      |begin (?>\s+) [0-7]{3,4} (?>\s+))         # begin octal-mode
    #      (\"[^\"]+\.                    # quoted filename.
    #        (?:ad[ep]                # list of extns
    #        |ba[st]
    #        |chm
    #        |cmd
    #        |com
    #        |cpl
    #        |crt
    #        |eml
    #        |exe
    #        |hlp
    #        |hta
    #        |in[fs]
    #        |isp
    #        |jse?
    #        |lnk
    #        |md[be]
    #        |ms[cipt]
    #        |pcd
    #        |pif
    #        |reg
    #        |scr
    #        |sct
    #        |shs
    #        |url
    #        |vb[se]
    #        |ws[fhc])
    #      \"                        # end quote
    #      )                        # end of filename capture
    #      [\s;]                        # trailing ;/space/newline
    
    #
    #
    ### [End]
    # END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/attachments
    
    # BEGIN - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite
    # (Use the Basic Editor in the Exim Configuration Manager in WHM to change)
    # or manually edit /etc/exim.conf.localopts and run /scripts/buildeximconf
    if "${if def:header_X-Spam-Subject: {there}}" is there
    then
        headers remove Subject
        headers add "Subject: $rh_X-Spam-Subject:"
        headers remove X-Spam-Subject
    endif
    # END - Included from /usr/local/cpanel/etc/exim/sysfilter/options/spam_rewrite
    
    I have added some custom extensions for the attachments as described in the documentation.

    However When I try to send the iso file which exists inside the attached zip the message hits the inbox. I have noticed this with jar files as well. What am I doing wrong?

    Please note that the file inside the attachment (not the attachment itself) is marked by security software as a security threat. So please don't execute this file.



    - Removed No Need Here -
     
    #1 EneTar, Jan 24, 2018
    Last edited: Jan 24, 2018
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,734
    Likes Received:
    1,706
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    In "WHM >> Exim Configuration Manager", under the "Filters" tab, are you using a custom filter for the "System Filter File" option? If so, you'd need to add your custom filter rules to that custom system filter file itself instead of adding them as separate filter files under the options directory. There's a thread on this topic at:

    Exim custom filter not working

    Thank you.
     
  3. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    As I said
    and I have selected that file in Exim Configuration Manager", under the "Filters" tab.

    My post also includes the content of that file which is a copy of the original and has some additional extensions to be blocked. Please look at the content of the file above. It includes the extensions ace|jar|r00|iso in addition to the defaults.
    So what you are saying
    is true. The custom system filter contains the additional extensions.

    Trying to send from an external email account (Yahoo) the file I attached earlier which is an .iso file it hits the inbox on my server. Shouldn't it get blocked?
     
  4. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    I don't know what other services should I restart (I tried to restart only Exim). After a full system restart it seems that it works. Thank you
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,734
    Likes Received:
    1,706
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Exim restarts automatically when you save changes in the Exim Configuration Manager interface. Can you confirm the issue is now solved?

    Thank you.
     
  6. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Yes it is resolved thank you
     
    cPanelMichael likes this.
  7. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    I made several tests by attaching a single .ace file.
    • I used a yahoo account as a sender
    • As a recipient I used the same email address on my cpanel server.
    • All email messages had as an attachment the same .ace file.
    • The only thing I changed was the text of the subject and the text content of the body.
    For 10 tests that I made i noticed that some tests returned with error to the sender and some of the them got delivered into the recipient's inbox.

    So what does Exim do exactly? Does it apply the system filter randomly?
    Then I noticed the block below which is copied from the /etc/cpanel_exim_system_filter to my custom system filter.

    Code:
    if not first_delivery
    then
      finish
    endif
    
    What does this mean? Is this the reason?
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,734
    Likes Received:
    1,706
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Per Exim's documentation:

    Thus, I don't believe that's the reason for the behavior you noticed.

    Could you open a support ticket using the link in my signature so we can take a closer look at that behavior?

    Thank you.
     
  9. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    I noticed that the messages that bypass the filter have the filename of the attachment as base64 encoded that's why EXIM doesn't filter them out.

    For example one message that bypassed the filter has
    Code:
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
     filename="=?UTF-8?b?UFJPRk9STUEgSU5WT0lDRSAwNi0wMi0yMDE4LmFjZQ==?="
    ....
    ..
    .
    
    However this

    Code:
    UFJPRk9STUEgSU5WT0lDRSAwNi0wMi0yMDE4LmFjZQ==
    is base64 encoded and it is equal to
    Code:
    PROFORMA INVOICE 06-02-2018.ace
    Reminder: .ace extensions are blocked in my custom EXIM system filter.

    So is there any way to base64 decode the filenames before filtering in Exim or perhaps spamassassin?
     
    #9 EneTar, Feb 8, 2018
    Last edited: Feb 8, 2018
  10. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Can you not do a string comparison on LmFjZQ== which is the .ace part ?
     
    EneTar likes this.
  11. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Good idea so the

    Code:
    ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|jar|ace|r00|iso|z|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]
    should become

    Code:
    ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|jar|LmFjZQ==|ace|r00|iso|z|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]
    Going to test in a while
     
  12. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    If that doesn't work (I suspect it wont because it includes a leading "." and the regex is looking for anything after the ".") you may need to experiment.

    I don't think that including it in the current regex for file extensions is going to be possible. You may need to add a supplemental set of header and body regex lines.

    This site might be useful : Base64 Decode and Encode - Online
     
  13. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    It doesn't work. I'm using that website as well. "PO-2018-30-01 - ape.ace" and "Filename-something.ace" have different endings. so the whole filename needs to be decoded first. Any ideas how this would work? I'm not an expert in base64 encoding and I'm not sure if it is possible in Exim either.
     
  14. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    I got about as far as finding a regex that you may be able to use to check if a header is base64 encoded
    Code:
    ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$
    I now have a headache !
     
  15. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Rejecting base64 headers in general might not be a good idea. Here is some info as well regarding base64 headers (and other stuff as well) Filtering spam with Exim only

    Nothing about decoding though, and filtering later the base64 filename in the attachment.
     
  16. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    I suspect that the complexities of base64 decoding and then filtering would be beyond the scope of exim on its own. It would probably be handled by piping to an external program for processing like to Spamassassin or Clamav.

    I know that Spamassassin has scores for invalid characters in base64 encoding, and maybe Clamav also decodes the base64. Perhaps one could do something at this stage rather than re-inventing the wheel.
     
Loading...

Share This Page