Trying to block zip attachments on incoming messages

dyladan

Registered
Feb 27, 2015
3
0
1
cPanel Access Level
Root Administrator
This is a very frustrating problem for me as it seems to sometimes work and other times not. I'm trying to block zip attachments from being delivered on my domain. I added the zip extension to the four lines in /etc/cpanel_exim_system_filter_custom and activated the custom filter in whm.

Now, if I email an email with a zip attachment from gmail it is properly rejected the way that I want, however we are still receiving mail from spammers with zip attachments. Furthermore, even though I think I have clamavconnector properly set up, it is still letting through zip attachments with executable files in them. Can someone please tell me what i'm doing wrong?
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
Did you restart Exim ?

Alternatively.
In Cpanel, Under User or Account Level Filtering.
Create a new Rule, where body > contains > .zip

I think should do it.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
however we are still receiving mail from spammers with zip attachments.
Hello :)

What do you see in the message headers and in /var/log/exim_mainlog when a message with a zip attachment is accepted?

Thank you.
 

dyladan

Registered
Feb 27, 2015
3
0
1
cPanel Access Level
Root Administrator
Did you restart Exim ?

Alternatively.
In Cpanel, Under User or Account Level Filtering.
Create a new Rule, where body > contains > .zip

I think should do it.
I did restart exim.

I tried that and it doesn't appear to be working. My test emails from gmail are properly blocked but the spam emails are still coming through.

- - - Updated - - -

Hello :)

What do you see in the message headers and in /var/log/exim_mainlog when a message with a zip attachment is accepted?

Thank you.
Code:
2015-02-25 09:27:56 SMTP connection from [68.65.141.122]:22289 (TCP/IP connection count = 1)
2015-02-25 09:27:57 no IP address found for host cust122.telwestnet.net (during SMTP connection from [68.65.141.122]:22289)
2015-02-25 09:27:59 1YQcwR-0003rl-0Z H=(inbound.efax.com) [68.65.141.122]:22289 Warning: Message has been scanned: no virus or other harmful content was found
2015-02-25 09:27:59 1YQcwR-0003rl-0Z <= [email protected] H=(inbound.efax.com) [68.65.141.122]:22289 P=esmtp S=29239 [email protected] T="eFax message from \"POTS modem 2 \" - 1 page(s), Caller-ID:\n 1-630-226-2563" for [email protected]
2015-02-25 09:27:59 SMTP connection from (inbound.efax.com) [68.65.141.122]:22289 closed by QUIT
2015-02-25 09:27:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YQcwR-0003rl-0Z
2015-02-25 09:27:59 1YQcwR-0003rl-0Z => adam.howe <[email protected]> R=virtual_user T=virtual_userdelivery
2015-02-25 09:27:59 1YQcwR-0003rl-0Z Completed
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

aerospex

Member
Nov 20, 2006
9
0
151
Was there an outcome with this one? We're having a similar issue, where only particular inbound email scenarios are blocking .zip files.

User admin > Account level filtering > Create New filter

Create new filter > Body > contains > .zip

Inbound emails with no text in the body of the email that have a zip file attached are blocked correctly.

Inbound emails with a small amount of text that have a zip file attached are blocked correctly.

Inbound emails with a moderate/large amount of HTML text in the body are allowed through. Seems to be if they're multi-part messages.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello :)

Does it make a difference if you use an alternate filter rule for the second regular expression in the Exim system filter? EX:

Code:
if $header_content-type: matches \N(?:file)?name\\s*=\\s*\"(?:\\\\\"|[^\"])*\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|zip|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\"\N
Documentation on the Exim system filter is available at:

Customize the Exim System Filter File

Thank you.
 

aerospex

Member
Nov 20, 2006
9
0
151
I'd like to try that, but doesn't that rule then get applied to all accounts on the system? I only want this to be applied to one account in particular.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
I'd like to try that, but doesn't that rule then get applied to all accounts on the system? I only want this to be applied to one account in particular.
The original poster was asking about the Exim system filter file. If you are attempting to block .zip attachments for individual accounts, then you will need to experiment with rules that are documented here:

How to Configure Mail Filters - cPanel Knowledge Base - cPanel Documentation

Try using a filter for the message header instead of the message body to see if that makes a difference.

Thank you.
 

zgrek20

Member
Aug 28, 2020
13
0
1
Greece
cPanel Access Level
Root Administrator
Hello :)

Does it make a difference if you use an alternate filter rule for the second regular expression in the Exim system filter? EX:

Code:
if $header_content-type: matches \N(?:file)?name\\s*=\\s*\"(?:\\\\\"|[^\"])*\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|zip|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\"\N
Documentation on the Exim system filter is available at:

Customize the Exim System Filter File

Thank you.
HI @cPanelMichael ,
i have modified the default exim filter to block additional file types such as zip|7z|rar.
My question is can it be limited only to incoming messages and NOT outgoing?
Thank you
 

zgrek20

Member
Aug 28, 2020
13
0
1
Greece
cPanel Access Level
Root Administrator
Was there an outcome with this one? We're having a similar issue, where only particular inbound email scenarios are blocking .zip files.

User admin > Account level filtering > Create New filter

Create new filter > Body > contains > .zip

Inbound emails with no text in the body of the email that have a zip file attached are blocked correctly.

Inbound emails with a small amount of text that have a zip file attached are blocked correctly.

Inbound emails with a moderate/large amount of HTML text in the body are allowed through. Seems to be if they're multi-part messages.
Is there any way to block the attachments in multi-part messages using Global Email filter-> body contains -> .zip?
I can confirm that these types (multi-part) can go through the filter.
 
Last edited: