Exim System Filter fail

RootBoy (Registered Dec 6, 2016; Texas, USA; cPanel Access Level: Root Administrator)
We've had a custom /etc/cpanel_exim_system_new filter for several years that excludes .zip and .z attachments. We added "Z" to both the "body_quoted" and "body_unquoted" sections of the filter file like this:

# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jar|jse?|lnk|md[be]|ms[cipt]|pcd|pif|rar|reg|scr|sct|shs|url|vb[se]|ws[fhc]|zip|Z)\")[\\s;]"

Today an email with a .z attachment slipped through the filter. I just sent myself several attachments with either ".z" or ".Z" extensions, blanks in the filename, "Windows friendly", and all bounced as expected. Here's a clip from the email that got through the filter:

------=_NextPart_000_0012_FCC05329.0E9404B9
Content-Type: application/octet-stream; name="Quotation request.z"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Quotation request.z"

Anyone know how this might have got through the filter or where to look for clues?
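To test the body_quoted_fn_match condition offline against the MIME headers quoted above, here is a Python port of the regex (added example, not code from the thread or from cPanel). Exim's atomic groups are simplified to plain \s*, re.IGNORECASE mirrors the case-insensitive lowercase `matches` test, and the helper also applies two things Exim does to $message_body: newlines become spaces and only the first message_body_visible bytes are exposed (Exim's stock default is 500; this server's configured value is not stated in the thread, so the truncation is shown as a check to run, not as the cause).

```python
import re

# Port of the thread's body_quoted_fn_match condition. Exim's (?>...) atomic
# groups are replaced by plain \s* (equivalent for these inputs); IGNORECASE
# mirrors Exim's lowercase "matches", which compares case-insensitively.
QUOTED_FN_RE = re.compile(
    r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name='
    r'|begin\s+[0-7]{3,4}\s+)'
    r'("[^"]+\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jar|jse?'
    r'|lnk|md[be]|ms[cipt]|pcd|pif|rar|reg|scr|sct|shs|url|vb[se]|ws[fhc]|zip|Z)")[\s;]',
    re.IGNORECASE,
)


def exim_message_body(raw_body: str, visible_bytes: int = 500) -> str:
    """Approximate Exim's $message_body: only the first message_body_visible
    bytes (stock default 500; the server's real value may differ), with
    newlines converted to spaces."""
    return raw_body[:visible_bytes].replace("\r\n", " ").replace("\n", " ")


def filter_would_reject(raw_body: str, visible_bytes: int = 500):
    """Return the quoted filename ($1) the filter would reject, or None."""
    m = QUOTED_FN_RE.search(exim_message_body(raw_body, visible_bytes))
    return m.group(1) if m else None


# Constructed MIME part headers, modelled on the clip quoted in the thread.
PART_HEADERS = (
    '------=_NextPart_000_0012_FCC05329.0E9404B9\n'
    'Content-Type: application/octet-stream; name="Quotation request.z"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-Disposition: attachment; filename="Quotation request.z"\n'
    '\n'
)

# Constructed: a long text part that precedes the attachment part.
LONG_TEXT_PART = 'Content-Type: text/plain\n\n' + 'x' * 2000 + '\n'

if __name__ == "__main__":
    # Attachment headers near the start of the body: rejected, as in the test bounce.
    print(filter_would_reject(PART_HEADERS))
    # Same headers pushed past a 500-byte visible window: the filter never sees them.
    print(filter_would_reject(LONG_TEXT_PART + PART_HEADERS))
    # With a larger visible window the match is found again.
    print(filter_would_reject(LONG_TEXT_PART + PART_HEADERS, 4096))
```

Comparing the result for the real message body against the server's actual message_body_visible value tells you whether the attachment headers were inside the window the filter can inspect.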

RootBoy
We have only three whitelisted IP ranges from collaborators. I confirmed the IP of the email in question is not in those ranges.

The target account has a couple of spam filters, followed by the final filter that redirects the email to three other accounts. To confirm that the exim attachment filter that bounces .z attachments acts first, I sent a dummy .z attachment to the same account and it bounced, producing these lines in exim_mainlog:

cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lyeJp-0003PR-A5
1lyeJp-0003PR-A5 cancelled by system filter: Message rejected because it has\npotentially executable content "three file.z".
cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1lyeJp-0003PR-A5
1lyeJr-0003PY-E8 <= <> R=1lyeJp-0003PR-A5 U=mailnull P=local S=2584 T="Mail delivery failed: returning message to sender" for [email protected]

The message that got through has 6 entries in exim_mainlog, condensed and cleaned here:

1ly7ie-000Q3H-G5 H=(bizcloud-cep.localdomain) [128.199.21.82]:52016 Warning: Message has been scanned: no virus or other harmful content was found

1ly7ie-000Q3H-G5 <= [email protected] H=(bizcloud-cep.localdomain) [128.199.21.82]:52016 P=esmtp S=357448 id=[email protected] T="Quotation request" for [email protected]

cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ly7ie-000Q3H-G5

1ly7ie-000Q3H-G5 => larry+xyz ("larry+xyz"@mydomain.com, [email protected]) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> MfCeI9/E2mBohwEAAdGtpg Saved"

1ly7ie-000Q3H-G5 -> moe+xyz ("moe+xyz"@mydomain.com, [email protected]) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> MfCeI9/E2mBohwEAAdGtpg:2 Saved"

1ly7ie-000Q3H-G5 -> curly+xyz ("curly+xyz"@mydomain.com, [email protected]) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> MfCeI9/E2mBohwEAAdGtpg:3 Saved"

1ly7ie-000Q3H-G5 Completed

cPRex (Jurassic Moderator, Staff member; joined Oct 19, 2014; cPanel Access Level: Root Administrator)
Thanks for the additional details. That doesn't really tell us much, although it does indicate the filter was read as we don't see the typical "central_filter bypassed" that appears on many systems.

I really don't have a good explanation based on those details. You're always welcome to open a ticket with our team if you wanted us to check the system directly.
RootBoy
Thank you. As you suggested, precedence order can be confusing. Similar to the "bug/feature request" in which several filter actions (e.g. Discard Message) mysteriously cause the auto-responder not to trigger and/or filters to function.