Block .zip attachments using Global Filters

zgrek20

Member
Aug 28, 2020
13
0
1
Greece
cPanel Access Level
Root Administrator
Hi.
i have created a global filter that discards the incoming email if Body contains .zip string or body contains x-zip-compressed string.
The filter works fine in non-multi part messages BUT I can confirm that multi-part messages can go through the filter.

For example this message can go through the filter :

------=_NextPart_001_0056_01D6AEAD.66B2FDF0--

------=_NextPart_000_0055_01D6AEAD.66B2FDF0
Content-Type: application/x-zip-compressed;
name="FILE.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="FILE.zip"



Is there any way to block the attachments in multi-part messages using Global Email filter-> body contains -> .zip?
 
Last edited by a moderator:

keat63

Well-Known Member
Nov 20, 2014
1,904
254
113
cPanel Access Level
Root Administrator
You can do this by changing the exim system filter.
 

zgrek20

Member
Aug 28, 2020
13
0
1
Greece
cPanel Access Level
Root Administrator
@cPRex and @keat63 thank you very much for your answers.
I actually made a separate exim filter file in which i just copied the old one and added a couple of new attachment extensions (such as jar rar zip xlsm docm bat).
Then i configured exim to use this file by WHM-> exim configuration-> filters -> System filter (see attached image).
BUT when i enable it everything seems to stop working. I cannot RECEIVEor SEND ANY email. It just fails without a bounce or message.
When i set it back to the original filter everything seems to work again.
You can find the new filter here.
Can you please give me some ideas on what could possibly is going wrong?
Thanks.
 

Attachments

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
4,453
561
273
cPanel Access Level
Root Administrator
Thanks for the additional details. I tried using that filter on my server and I received this error when trying to send a message in the /var/log/exim_mainlog file:

Code:
2021-01-29 09:25:20 1l5Ui8-009hit-0w Error in system filter: quote missing at end of string in line 63
Can you double-check the settings in that custom file?
 

zgrek20

Member
Aug 28, 2020
13
0
1
Greece
cPanel Access Level
Root Administrator
@cPRex thanks for the feedback,
i ll give it a try re copying and rediting the file, since i think that this might be possibly an encoding issue while editing (windows / unix).

Another question now.
Inside the documentation it says that this filter only blocks SINGLE part messages : How to Customize the Exim System Filter File | cPanel & WHM Documentation
"

The /etc/cpanel_exim_system_filter file is the system’s default filter file. It contains the following sections:

  • Single-part MIME messages with suspicious name extensions.
  • Single-part MIME messages with suspicious name extensions that use unquoted filenames.
  • Embedded VBS attachments.
  • Embedded VBS attachments that use unquoted filenames.
"
So, are we sure that this approach also works for multi - part messages?
And is there a way to limit the custom filter only for incoming messages and NOT outgoiing?
Thank you.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
4,453
561
273
cPanel Access Level
Root Administrator
Honestly, when it comes to email, I'm not sure if *anyone* is completely sure on anything :D

With earlier testing on this we found it does not include multi-part messages:


and that user was getting into regex conditions to try and setup custom filters.

I'm sure it's possible, but it might be a better question for the Exim users list as that wouldn't be specifically related to the cPanel tools.