Очень большое спасибо! Только вчера занимался с тем же самым, плюс ещё нашёл ваши старые записи об оповещении по мылу о таких письмах.

# Absolute path of the 7-Zip binary; used below to list the contents of a
# decoded attachment (${run{P7ZIP l -y ...}}).
P7ZIP = /usr/local/bin/7z
# Extensions treated as Windows-executable / dangerous.  The macro is pasted
# into a regex alternation, so every entry must be free of unescaped regex
# metacharacters.
WINBIN=ace|ade|adp|bas|bat|btm|chm|cmd|com|cpl|dat|dll|exe|flv|gadget|gz|hta|ins|iso|isp|jar|js|jse|jsp|lib|lnk|mde|msc|msp|mst|msi|ocx|pif|prf|reg|scr|sct|shb|sys|tar|uue|vb|vbe|vxd|vbs|wsc|wsf|wsh|xz|z
# Archive extensions: a forbidden extension may additionally be wrapped in one
# of these (name.exe.zip), and bare archives are opened by the second rule.
COMPREXT=7z|ace|arj|bz2|gz|iso|rar|tar|uue|xz|z|zip
# Relax the RFC 2047 encoded-word length limit so over-long encoded filenames
# and subjects are still decoded before the regexes see them.
check_rfc2047_length = false
# Hosts exempt from both rules (referenced as !hosts=+host_pass_file).
hostlist host_pass_file=192.168.0.252

# Rule 1: reject on the declared content-type or on the filename extension,
# e.g. "invoice.exe" or "invoice.exe.zip" (optional archive suffix), without
# decoding the part.
deny message = "expansion of the attached file [ $mime_filename ] is not allowed to send!). Please tell me"
       log_message = forbidden attachment: filename=$mime_filename, \
content-type=$mime_content_type, recipients=$recipients
# Exempt hosts are tested before the pattern condition.
        !hosts=+host_pass_file
       condition = ${if or{\
        {match{$mime_content_type}\
              {(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))?$\N}}\
                          }}
# "continue" is used only for its side effect: the ${run} hands a shell group
# to /bin/sh -c that builds a notification and pipes it into exim.
# ${if eq{...}{}{1}{1}} yields 1 on both branches, so the value is ignored.
# The \N{\N ... \N}\N wrapper keeps the shell's braces out of Exim's expansion
# parser.  Header/MIME values ($h_subject, $mime_filename, $sender_address)
# land inside a single-quoted echo argument only after ${sg{...}{'}{}} has
# removed every single quote, so they cannot terminate the quoting.  The
# notification addresses are filtered to a conservative character set (no
# leading "-", only [\w.=+%!@-]) before being placed on the exim command line,
# and the envelope sender is forced to mailnull (presumably to avoid loops).
        continue = ${if eq{${run{/bin/sh -c "\N{\N \
        echo Subject: \
        'MailScan: Mail delivery failed';\
        echo 'Content-Type: text/plain; charset=koi8-r';\
        echo Content-Transfer-Encoding: 8bit;\
        echo;\
        echo '${sg{\
        Письмо от $sender_address для $recipients\n\
        с темой \n\
        $h_subject \n\
        sender_host_address=$sender_host_address \n\
        размером ${eval:$message_size/1024} килобайт\n\
        не доставлено, потому что имеет запрещенное вложение\n\
        filename >> $mime_filename <<\
        }{'}{}}';\
         \N}\N \
|/usr/local/sbin/exim -f mailnull r...@arhshick.ru ${sg{${filter{<,r...@arhshick.ru}{!match{$item}{\N(^-|[^\w.=+%!@-])\N}}}}{,}{ }};\
        "}}}{}{1}{1}}

# Rule 2: for opaque / zip content-types or archive filenames, decode the part
# to disk, list it with 7z and refuse if any entry carries a forbidden
# extension.
deny message = "A attachment contains a Windows-executable file - letter mail is stopped."
       condition = ${if or{\
{match{$mime_content_type}{(?i)application/\
(octet-stream|x(-zip)?-compressed|zip)}}\
{match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                          }}
# Size cap disabled: every attachment matching the condition above is decoded
# and listed by 7z regardless of its size.
#       condition = ${if <{$message_size}{1500K}}
        !hosts=+host_pass_file
# decode writes the MIME part to a spool file and sets $mime_decoded_filename.
       decode = default
log_message = forbidden binary in attachment: filename=$mime_filename, \
                     recipients=$recipients
# Matches 7z's listing: presumably each entry line starts with a date (so with
# "1" or "2") and ends with the entry name.  NOTE(review): only the output is
# matched and $runrc is never consulted — if 7z fails or cannot read the archive
# (unsupported format, corrupt or encrypted header) nothing matches and the
# message is accepted (fail-open); consider also testing $runrc.
       condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
{\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}
# Same notification pipeline as rule 1, plus the 7z listing mailed to root.
# NOTE(review): in that tail $recipients is interpolated into the single-quoted
# -s argument without the ${sg{...}{'}{}} treatment applied to the body, so a
# recipient local-part containing a single quote (if the RCPT ACL admits one)
# would end the quoting inside /bin/sh -c; apply the same sg there.  The ";\ "
# before /usr/local/bin/7z looks like a line-wrap artifact — confirm.
        continue = ${if eq{${run{/bin/sh -c "\N{\N \
        echo Subject: \
        'MailScan: Mail delivery failed';\
        echo 'Content-Type: text/plain; charset=koi8-r';\
        echo Content-Transfer-Encoding: 8bit;\
        echo;\
        echo '${sg{Письмо от $sender_address для $recipients\n\
        с темой \n\
        $h_subject \n\
        sender_host_address=$sender_host_address \n\
        размером ${eval:$message_size/1024} килобайт\n\
        не доставлено, потому что имеет запрещенное вложение в архиве\n\
        filename >> $mime_filename <<\
        }{'}{}}'; \N}\N\
|/usr/local/sbin/exim -f mailnull r...@arhshick.ru ${sg{${filter{<,r...@arhshick.ru}{!match{$item}{\N(^-|[^\w.=+%!@-])\N}}}}{,}{ }};\ /usr/local/bin/7z l $mime_decoded_filename | /usr/bin/mail -s 'MailScan: Attachment for $recipients' root \
        "}}}{}{1}{1}}
# Everything not denied above is accepted.
accept


21.12.2016 21:13, l...@lena.kiev.ua пишет:
Этот (возможно, новый) вариант трояна ловится изменением
одной строчки первого абзаца (а не второго, где decode);
после изменения строка выглядит так:
                {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))?$\N}}\
Решение полностью:

# Absolute path of the 7-Zip binary used to list decoded archives.
P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
# Text of the SMTP rejection; substituted into both deny messages below.
BINFORBIDDEN = Windows-executable attachments forbidden
# Extensions treated as Windows-executable; pasted into a regex alternation.
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious: 
# NOTE(review): the next line appears to belong to the comment above; as a
# bare line it is not a valid option and will not parse — keep it commented
# out, or assign it to WINBIN, if this longer list is wanted.
exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
# Archive extensions a forbidden file may be wrapped in.
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
# Relax the RFC 2047 encoded-word length limit so over-long encoded filenames
# and subjects still decode before the regexes see them.
check_rfc2047_length = false
# Run acl_check_mime for each MIME part; $mime_* variables and "decode" are
# only available in this ACL.
acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
# Rule 1: reject on declared content-type or filename extension without
# decoding.  The (\.(COMPREXT))? suffix is the one-line change described in
# the message above: it also catches doubled extensions such as name.exe.zip.
   deny message = BINFORBIDDEN
        log_message = forbidden attachment: filename=$mime_filename, \
                      content-type=$mime_content_type, recipients=$recipients
        condition = ${if or{\
                {match{$mime_content_type}\
                      {(?i)executable|application/x-ace-compressed}}\
                {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))?$\N}}\
                           }}

# Rule 2: for opaque / zip content-types or archive filenames, decode the part
# and list it with 7z; refuse if any entry carries a forbidden extension.
   deny message = Compressed BINFORBIDDEN
        condition = ${if or{\
                            {match{$mime_content_type}{(?i)application/\
                                      (octet-stream|x(-zip)?-compressed|zip)}}\
                            {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                           }}
# Only messages under 1500K are decoded and listed; larger ones skip this rule.
        condition = ${if <{$message_size}{1500K}}
# decode writes the MIME part to a spool file and sets $mime_decoded_filename.
        decode = default
        log_message = forbidden binary in attachment: filename=$mime_filename, \
                      recipients=$recipients
# Matches 7z's listing: presumably each entry line starts with a date (so with
# "1" or "2") and ends with the entry name.  NOTE(review): only the output is
# matched and $runrc is never consulted — if 7z fails or cannot read the archive
# (unsupported format, corrupt or encrypted header) nothing matches and the
# message is accepted (fail-open); consider also testing $runrc.
        condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
                              {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

# Everything not denied above is accepted.
   accept





--
С уважением,
Грибанов Дмитрий Геннадьевич
зам.начальника
отдела информационных технологий ГК "ШИК"
163045, Архангельская область, Приморский район,
Талажское шоссе, д.22, корп.1, каб.209
тел. (8182) 42-21-98, внутр.2071
моб. +7921-488-30-98
e@mail: gribano...@arhshick.ru
e@mail: o...@arhshick.ru


