Trying to block zip attachments on incoming messages

dyladan

Registered
Feb 27, 2015
cPanel Access Level
Root Administrator
This is a very frustrating problem for me, as it seems to sometimes work and other times not. I'm trying to block zip attachments from being delivered on my domain. I added the zip extension to the four lines in /etc/cpanel_exim_system_filter_custom and activated the custom filter in WHM.

Now, if I send an email with a zip attachment from Gmail, it is properly rejected the way that I want; however, we are still receiving mail from spammers with zip attachments. Furthermore, even though I think I have clamavconnector properly set up, it is still letting through zip attachments with executable files in them. Can someone please tell me what I'm doing wrong?
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Did you restart Exim?

Alternatively, in cPanel, under User or Account Level Filtering, create a new rule where body > contains > .zip.

I think that should do it.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
however we are still receiving mail from spammers with zip attachments.
Hello :)

What do you see in the message headers and in /var/log/exim_mainlog when a message with a zip attachment is accepted?

Thank you.
 

dyladan

Registered
Feb 27, 2015
cPanel Access Level
Root Administrator
Did you restart Exim?

Alternatively, in cPanel, under User or Account Level Filtering, create a new rule where body > contains > .zip.

I think that should do it.
I did restart Exim.

I tried that, and it doesn't appear to be working. My test emails from Gmail are properly blocked, but the spam emails are still coming through.

- - - Updated - - -

Hello :)

What do you see in the message headers and in /var/log/exim_mainlog when a message with a zip attachment is accepted?

Thank you.
Code:
2015-02-25 09:27:56 SMTP connection from [68.65.141.122]:22289 (TCP/IP connection count = 1)
2015-02-25 09:27:57 no IP address found for host cust122.telwestnet.net (during SMTP connection from [68.65.141.122]:22289)
2015-02-25 09:27:59 1YQcwR-0003rl-0Z H=(inbound.efax.com) [68.65.141.122]:22289 Warning: Message has been scanned: no virus or other harmful content was found
2015-02-25 09:27:59 1YQcwR-0003rl-0Z <= [email protected] H=(inbound.efax.com) [68.65.141.122]:22289 P=esmtp S=29239 [email protected] T="eFax message from \"POTS modem 2 \" - 1 page(s), Caller-ID:\n 1-630-226-2563" for [email protected]
2015-02-25 09:27:59 SMTP connection from (inbound.efax.com) [68.65.141.122]:22289 closed by QUIT
2015-02-25 09:27:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YQcwR-0003rl-0Z
2015-02-25 09:27:59 1YQcwR-0003rl-0Z => adam.howe <[email protected]> R=virtual_user T=virtual_userdelivery
2015-02-25 09:27:59 1YQcwR-0003rl-0Z Completed
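Added example, not from the thread: a small parser for exim_mainlog lines in the format shown above. It groups lines by Exim message ID and lists the messages the scanner reported clean but that were still delivered, which are the ones to pull apart by hand. The log lines embedded below are constructed to match the page's format, with placeholder addresses.

```python
import re

# Patterns modelled on the exim_mainlog lines quoted in the thread.
# Exim message IDs look like 1YQcwR-0003rl-0Z (6-6-2 characters).
MSG_ID = r'(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})'
SCAN_RE = re.compile(MSG_ID + r' H=.*Warning: Message has been scanned: (?P<verdict>.*)$')
ARRIVE_RE = re.compile(MSG_ID + r' <= (?P<sender>\S+) H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]'
                       r'.*? S=(?P<size>\d+)(?: .*? T="(?P<subject>(?:[^"\\]|\\.)*)")?')
DELIVER_RE = re.compile(MSG_ID + r' => (?P<local>\S+) <(?P<rcpt>[^>]+)> R=(?P<router>\S+)'
                        r' T=(?P<transport>\S+)')

# Constructed sample in the page's log format (placeholder host and addresses).
SAMPLE_LOG = r"""
2015-02-25 09:27:56 SMTP connection from [192.0.2.10]:22289 (TCP/IP connection count = 1)
2015-02-25 09:27:59 1YQcwR-0003rl-0Z H=(mail.sender.invalid) [192.0.2.10]:22289 Warning: Message has been scanned: no virus or other harmful content was found
2015-02-25 09:27:59 1YQcwR-0003rl-0Z <= sender@sender.invalid H=(mail.sender.invalid) [192.0.2.10]:22289 P=esmtp S=29239 id=abc@sender.invalid T="eFax message from \"POTS modem 2\" - 1 page(s)" for user@example.invalid
2015-02-25 09:27:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YQcwR-0003rl-0Z
2015-02-25 09:27:59 1YQcwR-0003rl-0Z => user <user@example.invalid> R=virtual_user T=virtual_userdelivery
2015-02-25 09:27:59 1YQcwR-0003rl-0Z Completed
"""

def trace_messages(log_text: str) -> dict:
    """Group log lines by message ID: arrival details, scanner verdict, deliveries."""
    msgs = {}
    for line in log_text.splitlines():
        for rx, kind in ((SCAN_RE, "scan"), (ARRIVE_RE, "arrive"), (DELIVER_RE, "deliver")):
            m = rx.search(line)
            if not m:
                continue
            rec = msgs.setdefault(m.group("id"), {"deliveries": []})
            if kind == "scan":
                rec["scan_verdict"] = m.group("verdict")
            elif kind == "arrive":
                rec.update(sender=m.group("sender"), helo=m.group("helo"), ip=m.group("ip"),
                           size=int(m.group("size")), subject=m.group("subject"))
            else:
                rec["deliveries"].append((m.group("rcpt"), m.group("transport")))
            break  # a line matches at most one pattern
    return msgs

def delivered_despite_scan(msgs: dict) -> list:
    """IDs the scanner called clean that were still delivered: inspect these by hand."""
    return [mid for mid, r in msgs.items()
            if r.get("scan_verdict", "").startswith("no virus") and r["deliveries"]]
```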
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

aerospex

Member
Nov 20, 2006
Was there an outcome with this one? We're having a similar issue, where only particular inbound email scenarios are blocking .zip files.

User admin > Account level filtering > Create New filter

Create new filter > Body > contains > .zip

Inbound emails with no text in the body of the email that have a zip file attached are blocked correctly.

Inbound emails with a small amount of text that have a zip file attached are blocked correctly.

Inbound emails with a moderate/large amount of HTML text in the body are allowed through. It seems to happen when they're multi-part messages.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Does it make a difference if you use an alternate filter rule for the second regular expression in the Exim system filter? EX:

Code:
if $header_content-type: matches \N(?:file)?name\\s*=\\s*\"(?:\\\\\"|[^\"])*\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|zip|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\"\N
Documentation on the Exim system filter is available at:

Customize the Exim System Filter File

Thank you.
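Added example, not part of the thread or of cPanel's own filter: the rule quoted above, translated to Python, run against two constructed messages. `$header_content-type:` is the message's top-level header, so the first function applies the rule exactly as written; the second walks every MIME part, which is where the filename sits when an HTML body and an attachment travel together in one multipart message, the case aerospex describes. The extension list is the page's own; the sample messages and names are constructed.

```python
import re
from email import message_from_bytes

# Python form of the Exim rule quoted above (\N delimiters dropped, Exim's
# doubled backslashes reduced); Exim's lower-case "matches" ignores case.
BLOCKED_NAME_RE = re.compile(
    r'(?:file)?name\s*=\s*"(?:\\"|[^"])*\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt'
    r'|eml|exe|zip|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr'
    r'|sct|shs|url|vb[se]|ws[fhc])"',
    re.IGNORECASE,
)

# Constructed sample: the zip is the whole message, so the filename sits in the
# top-level Content-Type header that the rule inspects.
SINGLE_PART = b"""\
Content-Type: application/zip; name="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
"""

# Constructed sample: HTML body plus attachment. The filename is now in a MIME
# part header; the top-level Content-Type is only multipart/mixed.
MULTIPART = b"""\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the attached invoice.</p></body></html>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

def top_level_hit(raw: bytes) -> bool:
    """The rule as written: test only the message's top-level Content-Type header."""
    return bool(BLOCKED_NAME_RE.search(message_from_bytes(raw).get("Content-Type", "")))

def part_hits(raw: bytes) -> list:
    """Walk every MIME part and test its Content-Type and Content-Disposition headers."""
    hits = []
    for part in message_from_bytes(raw).walk():
        for hdr in ("Content-Type", "Content-Disposition"):
            m = BLOCKED_NAME_RE.search(part.get(hdr, ""))
            if m:
                hits.append(m.group(0))
                break  # one hit per part is enough
    return hits
```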
 

aerospex

Member
Nov 20, 2006
I'd like to try that, but doesn't that rule then get applied to all accounts on the system? I only want this to be applied to one account in particular.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I'd like to try that, but doesn't that rule then get applied to all accounts on the system? I only want this to be applied to one account in particular.
The original poster was asking about the Exim system filter file. If you are attempting to block .zip attachments for individual accounts, then you will need to experiment with rules that are documented here:

How to Configure Mail Filters - cPanel Knowledge Base - cPanel Documentation

Try using a filter for the message header instead of the message body to see if that makes a difference.

Thank you.
 

Deleted member 1020609

Guest
Hello :)

Does it make a difference if you use an alternate filter rule for the second regular expression in the Exim system filter? EX:

Code:
if $header_content-type: matches \N(?:file)?name\\s*=\\s*\"(?:\\\\\"|[^\"])*\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|zip|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\"\N
Documentation on the Exim system filter is available at:

Customize the Exim System Filter File

Thank you.
Hi @cPanelMichael,
I have modified the default Exim filter to block additional file types such as zip|7z|rar.
My question is: can it be limited only to incoming messages and NOT outgoing?
Thank you
 

Deleted member 1020609

Guest
Was there an outcome with this one? We're having a similar issue, where only particular inbound email scenarios are blocking .zip files.

User admin > Account level filtering > Create New filter

Create new filter > Body > contains > .zip

Inbound emails with no text in the body of the email that have a zip file attached are blocked correctly.

Inbound emails with a small amount of text that have a zip file attached are blocked correctly.

Inbound emails with a moderate/large amount of HTML text in the body are allowed through. Seems to be if they're multi-part messages.
Is there any way to block the attachments in multi-part messages using Global Email Filter -> Body contains -> .zip?
I can confirm that these types (multi-part) can get through the filter.
 