Block .zip attachments using Global Filters


Deleted member 1020609

Guest
Hi.
I have created a global filter that discards the incoming email if the body contains the .zip string or the body contains the x-zip-compressed string.
The filter works fine for non-multi-part messages BUT I can confirm that multi-part messages can go through the filter.

For example, this message can go through the filter:

------=_NextPart_001_0056_01D6AEAD.66B2FDF0--

------=_NextPart_000_0055_01D6AEAD.66B2FDF0
Content-Type: application/x-zip-compressed;
name="FILE.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="FILE.zip"



Is there any way to block the attachments in multi-part messages using Global Email filter -> body contains -> .zip?
 

keat63

Well-Known Member
You can do this by changing the exim system filter.
 

Deleted member 1020609

Guest
@cPRex and @keat63, thank you very much for your answers.
I actually made a separate exim filter file in which I just copied the old one and added a couple of new attachment extensions (such as jar rar zip xlsm docm bat).
Then I configured exim to use this file via WHM -> exim configuration -> filters -> System filter (see attached image).
BUT when I enable it everything seems to stop working. I cannot RECEIVE or SEND ANY email. It just fails without a bounce or message.
When I set it back to the original filter everything seems to work again.
You can find the new filter here.
Can you please give me some ideas on what could possibly be going wrong?
Thanks.
 


cPRex

Jurassic Moderator
Staff member
Thanks for the additional details. I tried using that filter on my server and I received this error when trying to send a message in the /var/log/exim_mainlog file:

Code:
2021-01-29 09:25:20 1l5Ui8-009hit-0w Error in system filter: quote missing at end of string in line 63
Can you double-check the settings in that custom file?
 

Deleted member 1020609

Guest
@cPRex thanks for the feedback,
I'll give it a try, re-copying and re-editing the file, since I think that this might possibly be an encoding issue while editing (Windows / Unix).

Another question now.
Inside the documentation it says that this filter only blocks SINGLE part messages: How to Customize the Exim System Filter File | cPanel & WHM Documentation
"

The /etc/cpanel_exim_system_filter file is the system’s default filter file. It contains the following sections:

  • Single-part MIME messages with suspicious name extensions.
  • Single-part MIME messages with suspicious name extensions that use unquoted filenames.
  • Embedded VBS attachments.
  • Embedded VBS attachments that use unquoted filenames.
"
So, are we sure that this approach also works for multi-part messages?
And is there a way to limit the custom filter only to incoming messages and NOT outgoing?
Thank you.
 

cPRex

Jurassic Moderator
Staff member
Honestly, when it comes to email, I'm not sure if *anyone* is completely sure on anything :D

With earlier testing on this we found it does not include multi-part messages:


and that user was getting into regex conditions to try and set up custom filters.

I'm sure it's possible, but it might be a better question for the Exim users list as that wouldn't be specifically related to the cPanel tools.
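
Added example (not part of the thread, and not cPanel or Exim code): a MIME-aware check in Python that walks every part of a message and matches on the declared content type and file name, which is the decision a "body contains .zip" rule only approximates. The function name `blocked_parts`, the MIME type set and the three sample messages are constructed for illustration; the extension list is the one given in the thread.

```python
from email import message_from_string

# Extensions the poster listed; the MIME type set is an assumption for this example.
BLOCKED_EXT = {"jar", "rar", "zip", "xlsm", "docm", "bat"}
BLOCKED_TYPES = {"application/zip", "application/x-zip-compressed"}

def blocked_parts(raw):
    """Return (content_type, filename) for each leaf MIME part on the block list."""
    hits = []
    for part in message_from_string(raw).walk():  # walk() descends into nested multiparts
        if part.is_multipart():
            continue  # containers carry no attachment of their own
        ctype = part.get_content_type()
        # get_filename() reads Content-Disposition filename=, then Content-Type name=
        name = (part.get_filename() or "").strip()
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXT or ctype in BLOCKED_TYPES:
            hits.append((ctype, name))
    return hits

# Constructed sample: the attachment headers from the post inside a complete message.
MULTIPART = """\
From: sender@example.com
To: user@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY_A"

--BOUNDARY_A
Content-Type: text/plain

See attached.
--BOUNDARY_A
Content-Type: application/x-zip-compressed;
 name="FILE.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="FILE.zip"

UEsDBA==
--BOUNDARY_A--
"""

# Constructed: generic type, unquoted upper-case name, no Content-Disposition header.
OCTET = "From: a@example.com\nContent-Type: application/octet-stream; name=REPORT.ZIP\n\nUEsDBA==\n"
# Constructed: plain text that only mentions ".zip"; a body substring rule would discard it.
PLAIN = "From: a@example.com\nSubject: question\n\nCan you resend it as a .zip file?\n"

if __name__ == "__main__":
    for sample in (MULTIPART, OCTET, PLAIN):
        print(blocked_parts(sample))
```

The same logic is what a per-part check in the mail server has to reproduce: match on the part headers, case-insensitively, with or without quotes around the file name.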