* To: debian-kr-user@lists.debian.or.kr
* Subject: Useful EXIM filter
* From: Seongtae Yoo
* Date: Thu, 13 Sep 2001 20:16:47 +0900
* List-Id: Debian Korea users mailing list
* References: <001c01c13c02$9280cbc0$1654f2d3@lopa.co.kr>
* Sender: debian-kr-user-admin@lists.debian.or.kr

I was wondering whether there was any way to block the virus mails that arrive fairly often as attachments, so I read the filter section of the exim documentation and did some filtering of my own, but I felt my skills were not up to it and figured there must be a much more sophisticated filter somewhere on the Internet. I searched the exim mailing list and, sure enough, there is a nice filter.

I am sending it as an attachment. Simple installation instructions are also written at the end of the file, though there is not really anything to install...

The disappointing points are that Korean (Hangul) filtering does not work, perhaps because I installed Debian rather hastily, and that when the message body is very long the attachment cannot be searched properly. If you exchange no more than about a hundred mails a day, I think setting the message_body_visible variable to around 100000 will let you catch viruses that arrive as attachments even when the message body is fairly long.

Attached file (system_filter.exim):

# Exim filter
## Version: 0.15
# $Id: system_filter.exim,v 1.9 2001/08/17 12:47:26 nigel Exp $

## Exim system filter to refuse potentially harmful payloads in
## mail messages
## (c) 2000-2001 Nigel Metheringham
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
##
## -A copy of the GNU General Public License is distributed with exim itself
##
## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
## The install notes are not a replacement for the exim documentation
## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
#
if not first_delivery
then
  finish
endif

## -----------------------------------------------------------------------
# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We take the first n characters of the date header
# and test if it's the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long
if ${length_80:$header_date:} is not $header_date:
then
  fail text "Your message has been rejected because it has\n\
  an overlength date field which can be used\n\
  to subvert Microsoft mail programs\n\
  The following URL has further information\n\
  http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
  seen finish
endif

## -----------------------------------------------------------------------
# These messages are now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
# bounces getting back.... so we fudge it somewhat and check for known
# header signatures.  Other bounces are allowed through.
if $header_from: contains "@sexyfun.net"
then
  fail text "Your message has been rejected since it has\n the signature of a known virus in the header."
  seen finish
endif

if error_message and $header_from: contains "Mailer-Daemon@"
then
  # looks like a real error message - just ignore it
  finish
endif

## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif)\")"
then
  fail text "Your message has been rejected because it has\n\
  potentially executable content $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  seen finish
endif

# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif))"
then
  fail text "Your message has been rejected because it has\n\
  potentially executable content $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  seen finish
endif

## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails.  These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif)\")[\\\\s;]"
then
  fail text "Your message has been rejected because it has\n\
  potentially executable content $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  seen finish
endif

# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif))[\\\\s;]"
then
  fail text "Your message has been rejected because it has\n\
  potentially executable content $1\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  seen finish
endif

## -----------------------------------------------------------------------
#### Version history
#
# 0.01 5 May 2000
#     Initial release
# 0.02 8 May 2000
#     Widened list of content-types accepted, added WSF extension
# 0.03 8 May 2000
#     Embedded the install notes in for those that don't do manuals
# 0.04 9 May 2000
#     Check global content-type header.  Efficiency mods to REs
# 0.05 9 May 2000
#     More minor efficiency mods, doc changes
# 0.06 20 June 2000
#     Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
# 0.07 19 July 2000
#     Latest MS Outhouse bug catching
# 0.08 19 July 2000
#     Changed trigger length to 80 chars, fixed some spelling
# 0.09 29 September 2000
#     More extensions... it's getting so we should just allow 2 or 3 through
# 0.10 18 January 2001
#     Removed exclusion for error messages - this is a little nasty
#     since it has other side effects, hence we do still exclude
#     on unix like error messages
# 0.11 20 March, 2001
#     Added CMD extension, tidied docs slightly, added RCS tag
#     ** Missed changing version number at top of file :-(
# 0.12 10 May, 2001
#     Added HTA extension
# 0.13 22 May, 2001
#     Reformatted regexps and code to build them so that they are
#     shorter than the limits on pre exim 3.20 filters.  This will
#     make them significantly less efficient, but I am getting so
#     many queries about this that requiring 3.2x appears unsupportable.
# 0.14 15 August, 2001
#     Added .lnk extension - most requested item :-)
#     Reformatted everything so it's now built from a set of short
#     library files, cutting down on manual duplication.
#     Changed \w in filename detection to . - dodges locale problems
#     Explicit application of GPL after queries on license status
# 0.15 17 August, 2001
#     Changed the . in filename detect to \S (stops it going mad)
#
#### Install Notes
#
# Exim filters run the exim filter language - a very primitive
# scripting language - in place of a user .forward file, or on
# a per system basis (on all messages passing through).
# The filtering capability is documented in the main set of manuals
# a copy of which can be found on the exim web site
#       http://www.exim.org/
#
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation dependent - typically /etc/exim/config ]
# in the first section the line:-
#       message_filter = /etc/exim/system_filter.exim
#       message_body_visible = 5000
#
# You may also want to set the message_filter_user & message_filter_group
# options, but they default to the standard exim user and so can
# be left untouched.  The other message_filter_* options are only
# needed if you modify this to do other functions such as deliveries.
# The main exim documentation is quite thorough and so I see no need
# to expand it here...
#
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
#
# After install exim should be restarted - a kill -HUP to the
# daemon will do this.
#
#### LIMITATIONS
#
# This filter tries to parse MIME with a regexp... that doesn't
# work too well.  It will also only see the amount of the body
# specified in message_body_visible
#
#### BASIS
#
# The regexp that is used to pick up MIME/uuencoded body parts with
# quoted filenames is replicated below (in perl format).
# You need to remember that exim converts newlines to spaces in
# the message_body variable.
#
# (?:Content-                          # start of content header
#   (?:Type: (?>\s*)                   # rest of c/t header
#     [\w-]+/[\w-]+                    # content-type (any)
#   |Disposition: (?>\s*)              # content-disposition hdr
#     attachment)                      # content-disposition
#   ;(?>\s*)                           # ; space or newline
#   (?:file)?name=                     # filename=/name=
# |begin (?>\s+) [0-7]{3,4} (?>\s+))   # begin octal-mode
# (\"[^\"]+\.                          # quoted filename.
#   (?:vb[se]                          # list of extns
#   |ws[fh]
#   |jse?
#   |exe
#   |com
#   |cmd
#   |shs
#   |hta
#   |bat
#   |scr
#   |lnk
#   |pif)
#   \"                                 # end quote
# )                                    # end of filename capture
# [\s;]                                # trailing ;/space/newline
#
#
### [End]
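The filter's checks, and the message_body_visible limitation the post warns about, re-implemented in Python and run over constructed sample messages. This is an added example, not code from the filter's author or from the post; it is an offline model of what the filter matches, not a substitute for running it under Exim. It assumes two Exim behaviours the filter's own notes describe (only the first message_body_visible bytes of the body are in $message_body, and newlines there become spaces), handles single-line headers only, and writes the PCRE atomic groups (?>\s*) as plain \s* because Python's re module (before 3.11) lacks them; that changes matching speed, not what is matched. The sample messages, the make_message() helper and the verdict strings are constructed for this example.

```python
"""Python model of the checks in the Exim system filter above, run over
constructed sample messages.  Added example code, not part of the filter."""
import re

EXTS = r"(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif)"

# The filter file writes "\\\\." because Exim's quoted-string pass and its
# string-expansion pass each strip one level of backslash; the regex engine
# ends up seeing "\.", which is what the Python patterns below use.
CT_QUOTED = re.compile(r'(?:file)?name=("[^"]+\.' + EXTS + r'")')
CT_UNQUOTED = re.compile(r'(?:file)?name=(\S+\.' + EXTS + r')')
BODY_PREFIX = (r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);"
               r"\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)")
BODY_QUOTED = re.compile(BODY_PREFIX + r'("[^"]+\.' + EXTS + r'")[\s;]')
BODY_UNQUOTED = re.compile(BODY_PREFIX + r'(\S+\.' + EXTS + r')[\s;]')


def check_message(raw, message_body_visible=5000):
    """Return the reason the filter would reject `raw`, or None if it passes.
    Checks run in the filter's order.  Folded (multi-line) headers are not
    handled; this is a model of the regexes, not a MIME parser."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers[name.lower()] = value.strip()

    # ${length_80:$header_date:} is not $header_date:
    date = headers.get("date", "")
    if date[:80] != date:
        return "overlength date header"

    if "@sexyfun.net" in headers.get("from", ""):
        return "known virus signature in From header"

    # Single-part messages: the filename sits in the top-level Content-Type
    ctype = headers.get("content-type", "")
    m = CT_QUOTED.search(ctype) or CT_UNQUOTED.search(ctype)
    if m:
        return "executable content in Content-Type: " + m.group(1)

    # Multipart / uuencoded bodies: what Exim exposes as $message_body is
    # the first message_body_visible bytes with newlines turned into spaces
    visible = body[:message_body_visible].replace("\n", " ")
    m = BODY_QUOTED.search(visible) or BODY_UNQUOTED.search(visible)
    if m:
        return "executable content in body: " + m.group(1)
    return None


def make_message(filler_lines, attachment="LOVE-LETTER-FOR-YOU.TXT.vbs",
                 sender="alice@example.com",
                 date="Thu, 13 Sep 2001 20:16:47 +0900"):
    """Constructed multipart message (test input only): a text part of
    `filler_lines` lines followed by one attachment part."""
    filler = "\n".join("lorem ipsum line %d" % i for i in range(filler_lines))
    return (
        "From: " + sender + "\n"
        "Date: " + date + "\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\n'
        "\n"
        "--XYZ\n"
        "Content-Type: text/plain\n"
        "\n" + filler + "\n"
        "--XYZ\n"
        'Content-Type: application/octet-stream; name="' + attachment + '"\n'
        'Content-Disposition: attachment; filename="' + attachment + '"\n'
        "\n"
        "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA\n"
        "--XYZ--\n"
    )


# Constructed samples
SAMPLE_CLEAN = make_message(5, attachment="report.zip")
SAMPLE_SHORT = make_message(5)      # .vbs part well inside the first 5000 bytes
SAMPLE_LONG = make_message(400)     # .vbs part pushed past 5000 bytes of text
SAMPLE_BAD_DATE = make_message(5, date="Thu, 13 Sep 2001 20:16:47 +0900 " + "A" * 100)


def demo():
    """Verdicts for each sample; the long message flips from accepted to
    rejected only when message_body_visible is raised."""
    return {
        "clean": check_message(SAMPLE_CLEAN),
        "short": check_message(SAMPLE_SHORT),
        "long@5000": check_message(SAMPLE_LONG),
        "long@100000": check_message(SAMPLE_LONG, message_body_visible=100000),
        "bad_date": check_message(SAMPLE_BAD_DATE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-12s %s" % (name, verdict or "accepted"))
```

The "long@5000" case is the post's complaint in miniature: with the default from the install notes, the .vbs part lies beyond what $message_body contains and the message is accepted; at 100000 it is caught. Two caveats for anyone still deploying this: the option names in the install notes (message_filter, message_filter_user) are Exim 3's, and Exim 4 renamed them to system_filter and system_filter_user while keeping message_body_visible; and, as the filter's own LIMITATIONS section says, regexes over a flattened body are not a MIME parser, so encoded or folded filename parameters are outside what it can see.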