--On 26 October 2006 14:25:11 +0200 Marcin Krol <[EMAIL PROTECTED]> wrote:
> Hello everyone, > > I'm an Exim newbie, so please don't get annoyed if issues I raise seem > obvious to you. :-) > > I get some legitimate mail discarded by Exim system_filter and the only > effect visible > in logs is this: It looks like the only items that are discarded without log entries are these: if $header_subject contains "rice" then unseen finish endif if $header_subject contains "rize" then unseen finish endif I think they're intended to reject "[Pp]ri[cz]e", but you already have checks for those, which do log. These entries will discard a lot of legitimate email, if you get email in English. There are over 500 english words containing rice or rize! <http://www.morewords.com/> Best advice is to remove all those tests for simple strings in the subject line. > > /var/log/exim/mainlog.1:2006-10-24 12:22:34 1GcJQR-000DuK-WD => > discarded (system filter) > /var/log/exim/mainlog.1:2006-10-24 12:22:34 1GcJQR-000DuK-WD Completed > > A few attachments (Excel, Word files, etc) make the system filter > discard the mail FROM > this particular user and some other users, but without specifying any > further reason or hint how > to prevent this from happening. What's weird is that another account in > the very same domain > does not have this problem. > > How can I fix this behavior so the legitimate mail with attachments from > the users gets through > > - or - > > ...at least get the reason why it is discarded recorded in the log? > > > > OS: FreeBSD 5.4, Exim: exim-4.42-1 > > > Contents of /etc/system_filter.exim file: > > ># Exim filter >## Version: 0.17 ># $Id: system_filter.exim,v 1.11 2001/09/19 11:27:56 nigel Exp $ > >## Exim system filter to refuse potentially harmful payloads in >## mail messages >## (c) 2000-2001 Nigel Metheringham <[EMAIL PROTECTED]> >## >## This program is free software; you can redistribute it and/or modify >## it under the terms of the GNU General Public License as published by >## the Free Software Foundation; either version 2 of the License, or >## (at your option) any later version. >## >## This program is distributed in the hope that it will be useful, >## but WITHOUT ANY WARRANTY; without even the implied warranty of >## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >## GNU General Public License for more details. >## >## You should have received a copy of the GNU General Public License >## along with this program; if not, write to the Free Software >## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA > 02111-1307 USA >## -A copy of the GNU General Public License is distributed with exim > itself > >## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- >## If you haven't worked with exim filters before, read >## the install notes at the end of this file. >## The install notes are not a replacement for the exim documentation >## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > > >## ----------------------------------------------------------------------- ># Only run any of this stuff on the first pass through the ># filter - this is an optomisation for messages that get ># queued and have several delivery attempts ># ># we express this in reverse so we can just bail out ># on inappropriate messages ># > if not first_delivery > then > finish > endif > >## ----------------------------------------------------------------------- ># Check for MS buffer overruns as per BUGTRAQ. ># > http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid > %3D61 > ># This could happen in error messages, hence its placing ># here... ># We substract the first n characters of the date header ># and test if its the same as the date header... which ># is a lousy way of checking if the date is longer than ># n chars long > if ${length_80:$header_date:} is not $header_date: > then > fail text "This message has been rejected because it has\n\ > an overlength date field which can be used\n\ > to subvert Microsoft mail programs\n\ > The following URL has further information\n\ > > http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid > %3D61" > > seen finish > endif > >## ----------------------------------------------------------------------- ># These messages are now being sent with a <> envelope sender, but ># blocking all error messages that pattern match prevents ># bounces getting back.... so we fudge it somewhat and check for known ># header signatures. Other bounces are allowed through. > if $header_from: contains "@sexyfun.net" > then > fail text "This message has been rejected since it has\n\ > the signature of a known virus in the header." > seen finish > endif > if error_message and $header_from: contains "Mailer-Daemon@" > then > # looks like a real error message - just ignore it > finish > endif > if $header_subject contains "Prize" > then > logfile /var/log/_spam.log > logwrite "Prize $message_id / $sender_address_domain" > seen finish > endif > if $header_subject contains "Price" > then > logfile /var/log/_spam.log > logwrite "Price $message_id / $sender_address_domain" > seen finish > endif > > if $header_subject contains "prize" > then > logfile /var/log/_spam.log > logwrite "Prize $message_id / $sender_address_domain" > seen finish > endif > if $header_subject contains "price" > then > logfile /var/log/_spam.log > logwrite "Price $message_id / $sender_address_domain" > seen finish > endif > > if $header_from: contains "@fbi.gov" > then > fail text "Wiadomosc odrzucona." > seen finish > endif > > >## ----------------------------------------------------------------------- ># Look for single part MIME messages with suspicious name extensions ># Check Content-Type header using quoted filename > [content_type_quoted_fn_match] > if $header_content-type: matches > "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp > |hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[s > e]|ws[fhc])\")" > > then > fail text "This message has been rejected because it has\n\ > potentially executable content $1\n\ > This form of attachment has been used by\n\ > recent viruses or other malware.\n\ > If you meant to send this file then please\n\ > package it up as a zip file and resend it." > seen finish > endif ># same again using unquoted filename [content_type_unquoted_fn_match] > if $header_content-type: matches > "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|h > ta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se] > |ws[fhc]))" > > then > fail text "This message has been rejected because it has\n\ > potentially executable content $1\n\ > This form of attachment has been used by\n\ > recent viruses or other malware.\n\ > If you meant to send this file then please\n\ > package it up as a zip file and resend it." > seen finish > endif > > >## ----------------------------------------------------------------------- ># Attempt to catch embedded VBS attachments ># in emails. These were used as the basis for ># the ILOVEYOU virus and its variants - many many varients ># Quoted filename - [body_quoted_fn_match] > if $message_body matches > "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)a > ttachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))( > \"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp| > jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\ > \\\s;]" > > then > fail text "This message has been rejected because it has\n\ > a potentially executable attachment $1\n\ > This form of attachment has been used by\n\ > recent viruses or other malware.\n\ > If you meant to send this file then please\n\ > package it up as a zip file and resend it." > seen finish > endif ># same again using unquoted filename [body_unquoted_fn_match] > if $message_body matches > "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)a > ttachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))( > \\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|hlp|hta|in[fs]|isp|js > e?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s > ;]" > > then > fail text "This message has been rejected because it has\n\ > a potentially executable attachment $1\n\ > This form of attachment has been used by\n\ > recent viruses or other malware.\n\ > If you meant to send this file then please\n\ > package it up as a zip file and resend it." > seen finish > endif >## ----------------------------------------------------------------------- > > if $header_subject contains "Creator Duplicate" > then > deliver [EMAIL PROTECTED] > deliver [EMAIL PROTECTED] > deliver $header_to: > endif > > if $header_subject contains "rice" > then > unseen finish > endif > > if $header_subject contains "rize" > then > unseen finish > endif > > if $header_subject contains "*****SPAM*****" > then > logfile /var/log/_spam.log > logwrite "+ Spamik jak ta lala z ID: $message_id, o wiele mowiacym > tytule: $header_subject wyslany przez: $sender_address_domain / A FUJ!, > wstydzcie sie!" > unseen finish > endif > >#### Version history ># ># 0.01 5 May 2000 ># Initial release ># 0.02 8 May 2000 ># Widened list of content-types accepted, added WSF extension ># 0.03 8 May 2000 ># Embedded the install notes in for those that don't do manuals ># 0.04 9 May 2000 ># Check global content-type header. Efficiency mods to REs ># 0.05 9 May 2000 ># More minor efficiency mods, doc changes ># 0.06 20 June 2000 ># Added extension handling - thx to Douglas Gray Stephens & Jeff > Carnahan ># 0.07 19 July 2000 ># Latest MS Outhouse bug catching ># 0.08 19 July 2000 ># Changed trigger length to 80 chars, fixed some spelling ># 0.09 29 September 2000 ># More extensions... its getting so we should just allow 2 or 3 > through ># 0.10 18 January 2001 ># Removed exclusion for error messages - this is a little nasty ># since it has other side effects, hence we do still exclude ># on unix like error messages ># 0.11 20 March, 2001 ># Added CMD extension, tidied docs slightly, added RCS tag ># ** Missed changing version number at top of file :-( ># 0.12 10 May, 2001 ># Added HTA extension ># 0.13 22 May, 2001 ># Reformatted regexps and code to build them so that they are ># shorter than the limits on pre exim 3.20 filters. This will ># make them significantly less efficient, but I am getting so ># many queries about this that requiring 3.2x appears unsupportable. ># 0.14 15 August,2001 ># Added .lnk extension - most requested item :-) ># Reformatted everything so its now built from a set of short ># library files, cutting down on manual duplication. ># Changed \w in filename detection to . - dodges locale problems ># Explicit application of GPL after queries on license status ># 0.15 17 August, 2001 ># Changed the . in filename detect to \S (stops it going mad) ># 0.16 19 September, 2001 ># Pile of new extensions including the eml in current use ># 0.17 19 September, 2001 ># Syntax fix ># >#### Install Notes ># ># Exim filters run the exim filter language - a very primitive ># scripting language - in place of a user .forward file, or on ># a per system basis (on all messages passing through). ># The filtering capability is documented in the main set of manuals ># a copy of which can be found on the exim web site ># http://www.exim.org/ ># ># To install, copy the filter file (with appropriate permissions) ># to /etc/exim/system_filter.exim and add to your exim config file ># [location is installation depedant - typicaly /etc/exim/config ] ># in the first section the line:- ># message_filter = /etc/exim/system_filter.exim ># message_body_visible = 5000 ># ># You may also want to set the message_filter_user & message_filter_group ># options, but they default to the standard exim user and so can ># be left untouched. The other message_filter_* options are only ># needed if you modify this to do other functions such as deliveries. ># The main exim documentation is quite thorough and so I see no need ># to expand it here... ># ># Any message that matches the filter will then be bounced. ># If you wish you can change the error message by editing it ># in the section above - however be careful you don't break it. ># ># After install exim should be restarted - a kill -HUP to the ># daemon will do this. ># >#### LIMITATIONS ># ># This filter tries to parse MIME with a regexp... that doesn't ># work too well. It will also only see the amount of the body ># specified in message_body_visible ># >#### BASIS ># ># The regexp that is used to pickup MIME/uuencoded body parts with ># quoted filenames is replicated below (in perl format). ># You need to remember that exim converts newlines to spaces in ># the message_body variable. ># ># (?:Content- # start of > content header ># (?:Type: (?>\s*) # rest of c/t > header ># [\w-]+/[\w-]+ # content-type > (any) ># | Disposition: (?>\s*) # > content-disposition hdr ># attachment) # > content-disposition ># ;(?>\s*) # ; space or > newline ># (?:file)?name= # filename=/name= ># | begin (?>\s+) [0-7]{3,4} (?>\s+)) # begin octal-mode ># (\"[^\"]+\. # quoted filename. ># (?:ad[ep] # list of extns ># | ba[st] ># | chm ># | cmd ># | com ># | cpl ># | crt ># | eml ># | exe ># | hlp ># | hta ># | in[fs] ># | isp ># | jse? ># | lnk ># | md[be] ># | ms[cipt] ># | pcd ># | pif ># | reg ># | scr ># | sct ># | shs ># | url ># | vb[se] ># | ws[fhc]) ># \" # end quote ># ) # end of > filename capture ># [\s;] # trailing > ;/space/newline > ># ># >### [End] > > > > > ========================================================= > > -- > Dział Techniczny > Marcin Król > > Domeny, Hosting, Kolokacja, Certyfikaty SSL, Monitoring serwerów ... > ------------------------------------------------------------------ > DOMENY.PL sp. z o.o. ul. Wielicka 50, 30-552 Kraków, Poland > tel. +48(12)296 3663, info: +48 501 DOMENY > fax. +48(12)296 3664, +48(22)3 987 365 > e-mail: [EMAIL PROTECTED], www: http://www.Domeny.pl > ------------------------------------------------------------------ > Komunikator online/ Live Chat: > http://live2.domeny.pl/request_email.php?l=phplive&x=1&deptid=2 -- Ian Eiloart IT Services, University of Sussex -- ## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
