Trying to block zip attachments on incoming messages

Discussion in 'E-mail Discussions' started by dyladan, Feb 27, 2015.

  1. dyladan

    dyladan Registered

    Joined:
    Feb 27, 2015
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    This is a very frustrating problem for me as it seems to sometimes work and other times not. I'm trying to block zip attachments from being delivered on my domain. I added the zip extension to the four lines in /etc/cpanel_exim_system_filter_custom and activated the custom filter in WHM.

    Now, if I email an email with a zip attachment from Gmail it is properly rejected the way that I want, however we are still receiving mail from spammers with zip attachments. Furthermore, even though I think I have clamavconnector properly set up, it is still letting through zip attachments with executable files in them. Can someone please tell me what I'm doing wrong?
     
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Did you restart Exim?

    Alternatively:
    In cPanel, under User or Account Level Filtering,
    create a new rule, where body > contains > .zip

    I think that should do it.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    What do you see in the message headers and in /var/log/exim_mainlog when a message with a zip attachment is accepted?

    Thank you.
     
  4. dyladan

    dyladan Registered

    I did restart exim.

    I tried that and it doesn't appear to be working. My test emails from Gmail are properly blocked but the spam emails are still coming through.

    - - - Updated - - -

    Code:
    2015-02-25 09:27:56 SMTP connection from [68.65.141.122]:22289 (TCP/IP connection count = 1)
    2015-02-25 09:27:57 no IP address found for host cust122.telwestnet.net (during SMTP connection from [68.65.141.122]:22289)
    2015-02-25 09:27:59 1YQcwR-0003rl-0Z H=(inbound.efax.com) [68.65.141.122]:22289 Warning: Message has been scanned: no virus or other harmful content was found
    2015-02-25 09:27:59 1YQcwR-0003rl-0Z <= message@inbound.efax.com H=(inbound.efax.com) [68.65.141.122]:22289 P=esmtp S=29239 id=009189239053391022819490912155505@inbound.efax.com T="eFax message from \"POTS modem 2 \" - 1 page(s), Caller-ID:\n 1-630-226-2563" for user@domain.com
    2015-02-25 09:27:59 SMTP connection from (inbound.efax.com) [68.65.141.122]:22289 closed by QUIT
    2015-02-25 09:27:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YQcwR-0003rl-0Z
    2015-02-25 09:27:59 1YQcwR-0003rl-0Z => adam.howe <user@domain.com> R=virtual_user T=virtual_userdelivery
    2015-02-25 09:27:59 1YQcwR-0003rl-0Z Completed
    
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  6. aerospex

    aerospex Member

    Joined:
    Nov 20, 2006
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Was there an outcome with this one? We're having a similar issue, where only particular inbound email scenarios are blocking .zip files.

    User admin > Account level filtering > Create New filter

    Create new filter > Body > contains > .zip

    Inbound emails with no text in the body of the email that have a zip file attached are blocked correctly.

    Inbound emails with a small amount of text that have a zip file attached are blocked correctly.

    Inbound emails with a moderate/large amount of HTML text in the body are allowed through. Seems to be if they're multi-part messages.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Does it make a difference if you use an alternate filter rule for the second regular expression in the Exim system filter? EX:

    Code:
    if $header_content-type: matches \N(?:file)?name\\s*=\\s*\"(?:\\\\\"|[^\"])*\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|zip|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\"\N
    Documentation on the Exim system filter is available at:

    Customize the Exim System Filter File

    Thank you.
     
  8. aerospex

    aerospex Member

    I'd like to try that, but doesn't that rule then get applied to all accounts on the system? I only want this to be applied to one account in particular.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The original poster was asking about the Exim system filter file. If you are attempting to block .zip attachments for individual accounts, then you will need to experiment with rules that are documented here:

    How to Configure Mail Filters - cPanel Knowledge Base - cPanel Documentation

    Try using a filter for the message header instead of the message body to see if that makes a difference.

    Thank you.
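
An added example, not part of the original thread and not cPanel's or Exim's code: it reproduces the behaviour reported above, where a "body contains .zip" rule catches short messages but misses multipart messages with a large HTML part, and contrasts it with a check that walks every MIME part. It assumes the body rule is evaluated against Exim's `$message_body`, which holds only the first `message_body_visible` bytes (500 by default), and that a header rule sees only the top-level `Content-Type`, which for a multipart message carries the boundary rather than a filename. All function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature at the start of a zip
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

def body_prefix_has_zip(raw: bytes, visible: int = 500) -> bool:
    """Naive 'body contains .zip' check over only the first `visible` body bytes."""
    body = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[1]
    return b".zip" in body[:visible].lower()

def top_header_names_zip(raw: bytes) -> bool:
    """Check only the top-level Content-Type header for a *.zip name."""
    ctype = str(message_from_bytes(raw, policy=policy.default)["Content-Type"])
    return re.search(r'name\s*=\s*"?[^";]*\.zip', ctype, re.I) is not None

def zip_parts(raw: bytes) -> list:
    """Walk every MIME part; flag by filename, declared type, or payload magic."""
    hits = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if (name.lower().endswith(".zip") or part.get_content_type() in ZIP_TYPES
                or data.startswith(ZIP_MAGIC)):
            hits.append(name or "(unnamed)")
    return hits

def build_sample(html_repeat: int, filename: str = "invoice.zip") -> bytes:
    """Constructed test message: text, optional HTML alternative, fake zip attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    msg.set_content("See attached.")
    if html_repeat:
        html = "<p>" + "Quarterly update. " * html_repeat + "</p>"
        msg.add_alternative(html, subtype="html")
    msg.add_attachment(ZIP_MAGIC + b"\x00" * 26, maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for label, raw in (("short text", build_sample(0)), ("large HTML", build_sample(200))):
        print(label, body_prefix_has_zip(raw), top_header_names_zip(raw), zip_parts(raw))
```

The payload-magic test also flags a zip that arrives under a different filename extension, which a name-based rule alone would pass.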
     