Blocking Email Attachments by file name?

Discussion in 'E-mail Discussion' started by Qasem_AM, Dec 28, 2018.

  1. Qasem_AM

    Qasem_AM Registered

    Joined:
    Nov 17, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    I would like to block email attachments by file name, for example "test.html".

    I need to do it with the Exim System Filter File so that it applies to all user accounts, not with a user filter.

    I tried the command "if $message_body matches ="test.html" but this catches messages which contain the text test.html, whereas I want to catch messages which have attachments named "test.html".

    Any ideas and help?
     
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,266
    Likes Received:
    86
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I don't know enough about this stuff, but what happens if you put forward slashes in there.
    "if $message_body matches ="/test.html/"
     
  3. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,254
    Likes Received:
    479
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    We do something similar to this in the default exim system filter file already. We just look for extensions specifically. Something like these could be modified to do what you're requesting:

    Code:
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    then
      fail text "This message has been rejected because it has\n\
                 potentially executable content $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
    then
      fail text "This message has been rejected because it has\n\
                 potentially executable content $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
     
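Added example, not part of the original thread or of cPanel's filter file: a small Python harness that models the two layers of backslash processing Exim applies to a quoted filter string, then runs the resulting regex against Content-Type values. `EXACT_FN` is a hypothetical adaptation for the single file name asked about, and every header value in `SAMPLES` is constructed.

```python
import re

# Extension list copied from the filter rules quoted in the post above.
EXTS = ("ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
        "md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")

# Patterns as they are typed between double quotes in the filter file.
QUOTED_FN = r'(?:file)?name=(\"[^\"]+\\\\.(?:' + EXTS + r')\")'
UNQUOTED_FN = r'(?:file)?name=(\\\\S+\\\\.(?:' + EXTS + r'))([\\\\s;]|\\$)'
# Hypothetical adaptation (an assumption, not from the thread): one exact name.
EXACT_FN = r'(?:file)?name=(\"test\\\\.html\")'
RULES = {"quoted": QUOTED_FN, "unquoted": UNQUOTED_FN, "exact": EXACT_FN}


def unescape_once(s):
    # Simplified model of one processing layer: a backslash in front of
    # a backslash, double quote or dollar sign is dropped.
    return re.sub(r'\\([\\"$])', r'\1', s)


def effective_regex(filter_string):
    # Layer 1: quoted-string processing. Layer 2: string expansion.
    return unescape_once(unescape_once(filter_string))


def filter_matches(filter_string, content_type):
    # Lower-case "matches" in an Exim filter ignores letter case.
    m = re.search(effective_regex(filter_string), content_type, re.IGNORECASE)
    return m.group(1) if m else None


# Constructed values of the message's top-level Content-Type header.
SAMPLES = [
    'application/octet-stream; name="invoice.exe"',
    'application/octet-stream; name=setup.SCR',
    'text/html; name="test.html"',
    'text/plain; charset=utf-8',
    # In a multipart message the attachment name sits in a part header inside
    # the body, which $header_content-type: does not contain.
    'multipart/mixed; boundary="b1"',
]

if __name__ == "__main__":
    for ct in SAMPLES:
        hits = {name: filter_matches(rule, ct) for name, rule in RULES.items()}
        print(ct, "->", hits)
```

On the server itself, Exim's system filter test mode (`exim -bF` with the filter file name and a saved message on standard input) exercises the real file rather than this model.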
  4. keat63

    keat63 Well-Known Member

    Hi Lauren

    When you say that you have the above in the default system filter file, does this not get overwritten if the exim config is rebuilt?
     
  5. keat63

    keat63 Well-Known Member

    Actually, digging in my exim config, I found that my default was pointing to etc/antivirus.empty, which was in fact empty.
    Interesting find.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @keat63

    Not that I have this, this is something we have in the file by default. Since this is something that cPanel implemented it won't be overwritten.

    I am assuming you're referencing the custom systemfilter file. I am referencing the default.
     
  7. keat63

    keat63 Well-Known Member

    If I open up exim config manager, and navigate to filters.
    My default 'System Filter File' is configured to use /etc/antivirus.empty.

    If I open that file, it is indeed empty.
    There is another file named antivirus.exim, which contains the regex you posted earlier.
    So I copied the contents to the .empty file with a view to monitor the output.

    This is not something I ever changed, so I've no idea why it's defaulting to the .empty file, but I did find a post from a few years back highlighting the same problem and fix.

    I assume this is why some dodgy file extensions were getting passed through?
     

  8. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    The /etc/cpanel_exim_system_filter is the default - this would have had to be changed at one point to reference the custom filter file. Possibly for use of a plugin. I'd suggest changing it back to the default.
    Definitely a possibility.
     
  9. keat63

    keat63 Well-Known Member

    Appreciate that it's gone off topic, but it doesn't appear the OP has returned, so may as well keep this discussion open now we started.

    I don't have much in the way of plugins.

    ClamAV
    CSF Firewall
    CSF Mailscanner
    CSF Explorer

    Could any of these have changed the default?
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,907
    Likes Received:
    484
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    cPanelLauren likes this.
  11. keat63

    keat63 Well-Known Member

    Rolled it back, thanks.
     
    cPanelLauren and Infopro like this.