Blocking Email Attachments by file name?

Qasem_AM

Registered
Nov 17, 2018
2
0
1
India
cPanel Access Level
Root Administrator
Hello,

I would like to blocking Email Attachments by the name of files for EX "test.html"

I need to do it with Exim System Filter File to be for all users account not with user filter

I was try with the command "if $message_body matches ="test.html" but here will catch the message which have txt test.html , but I want to catch the message which have Attachments with name "test.html"

Any idea & hellp
 

keat63

Well-Known Member
Nov 20, 2014
1,913
259
113
cPanel Access Level
Root Administrator
I don't know enough about this stuff, but what happens if you put forward slashes in there.
"if $message_body matches ="/test.html/"
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,266
313
Houston
We do something similar to this in the default exim system filter file already. We just look for extensions specifically. Something like these could be modified to do what you're requesting:

Code:
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
then
  fail text "This message has been rejected because it has\n\
             potentially executable content $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
then
  fail text "This message has been rejected because it has\n\
             potentially executable content $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif
 

keat63

Well-Known Member
Nov 20, 2014
1,913
259
113
cPanel Access Level
Root Administrator
Hi Lauren

When you say that you have the above in the default system filter file, does this not get over written if exim config is rebuilt ?
 

keat63

Well-Known Member
Nov 20, 2014
1,913
259
113
cPanel Access Level
Root Administrator
Actually, digging in my exim config, I found that my default was pointing to etc/antivirus.empty, which was in fact empty.
Interesting find.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,266
313
Houston
Hi @keat63

Not that I have this, this is something we have in the file by default. Since this is something that cPanel implemented it won't be overwritten.

Actually, digging in my exim config, I found that my default was pointing to etc/antivirus.empty, which was in fact empty.
Interesting find.
I am assuming you're referencing the custom systemfilter file. I am referencing the default.
 

keat63

Well-Known Member
Nov 20, 2014
1,913
259
113
cPanel Access Level
Root Administrator
If I open up exim config manager, and navigate to filters.
My default 'System Filter File' is configured to use /etc/antivirus.empty.

If I open that file, it is indeed empty.
There is another file named antivirus.exim, which contains the regex you posted earlier.
So I copied the contents to the .empty file with a view to monitor the output.

This is not something I ever changed, so I've no idea why its defaulting to the .empty file, but I did find a post from a few years back highlighting the same problem and fix.

I assume this is why some dodgy file extensions were getting passed through ??
 

Attachments

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,266
313
Houston
The /etc/cpanel_exim_system_filter is the default - this would have had to be changed at one point to reference the custom filter file. Possibly for use of a plugin. I'd suggest changing it back to the default.
I assume this is why some dodgy file extensions were getting passed through ??
Definitely a possibility.
 

keat63

Well-Known Member
Nov 20, 2014
1,913
259
113
cPanel Access Level
Root Administrator
Appreciate that it's gone off topic, but it doesn't appear the OP has returned, so may as well keep this discussion open now we started.

I don't have much in the way of plugins.

ClamAV
CSF Firewall
CSF Mailscanner
CSF Explorer

Could any of these changed the default. ?