
Re: Stopping spam mails???



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, 22 September 2003 19:32, Martin Hennes wrote:
> Hello,
> 
> does anyone know a rule for a mail filter that can kill mails containing a
> *.exe or a *.dll? Maybe I'm blind, but I found nothing in the docs and
> Google didn't get me any further either. As a workaround I'm currently
> filtering on the file size.
A rather crude method.
It's more elegant to use the filter function of exim (the default MTA)
here; it has a few other traps built in as well, beyond just killing
.exe/vba and the like... e.g. do it like this:
# Exim filter
## Version: 0.15
#	$Id: system_filter.exim,v 1.9 2001/08/17 12:47:26 nigel Exp $

## Exim system filter to refuse potentially harmful payloads in
## mail messages
## (c) 2000-2001 Nigel Metheringham <nigel@exim.org>
##
##     This program is free software; you can redistribute it and/or modify
##    it under the terms of the GNU General Public License as published by
##    the Free Software Foundation; either version 2 of the License, or
##    (at your option) any later version.
##
##    This program is distributed in the hope that it will be useful,
##    but WITHOUT ANY WARRANTY; without even the implied warranty of
##    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
##    GNU General Public License for more details.
##
##    You should have received a copy of the GNU General Public License
##    along with this program; if not, write to the Free Software
##    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
## -A copy of the GNU General Public License is distributed with exim itself

## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
## The install notes are not a replacement for the exim documentation
## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
#
if not first_delivery
then
  finish
endif

## -----------------------------------------------------------------------
# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We take the first n characters of the date header
# and test if it's the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long
if ${length_80:$header_date:} is not $header_date:
then
  fail text "This message has been rejected because it has\n\
	     an overlength date field which can be used\n\
	     to subvert Microsoft mail programs\n\
             The following URL has further information\n\
	     http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61";
  save /var/spool/exim/filter/gotcha
  seen finish
endif

## -----------------------------------------------------------------------
# These messages are now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
# bounces getting back.... so we fudge it somewhat and check for known
# header signatures.  Other bounces are allowed through.
if $header_from: contains "@sexyfun.net"
then
  fail text "This message has been rejected since it has\n\
	     the signature of a known virus in the header."
  save /var/spool/exim/filter/gotcha
  seen finish
endif
if error_message and $header_from: contains "Mailer-Daemon@"
then
  # looks like a real error message - just ignore it
  finish
endif

## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif|eml)\")"
then
  fail text "This message has been rejected because it has\n\
	     potentially executable content $1\n\
	     This form of attachment has been used by\n\
             recent viruses or other malware.\n\
	     If you meant to send this file then please\n\
	     package it up as a zip file and resend it."
  save /var/spool/exim/filter/gotcha
  seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif|eml))"
then
  fail text "This message has been rejected because it has\n\
	     potentially executable content $1\n\
	     This form of attachment has been used by\n\
             recent viruses or other malware.\n\
	     If you meant to send this file then please\n\
	     package it up as a zip file and resend it."
  save /var/spool/exim/filter/gotcha
  seen finish
endif


## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif|eml)\")[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
	     a potentially executable attachment $1\n\
	     This form of attachment has been used by\n\
             recent viruses or other malware.\n\
	     If you meant to send this file then please\n\
	     package it up as a zip file and resend it."
  save /var/spool/exim/filter/gotcha
  seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif|eml))[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
	     a potentially executable attachment $1\n\
	     This form of attachment has been used by\n\
             recent viruses or other malware.\n\
	     If you meant to send this file then please\n\
	     package it up as a zip file and resend it."
  save /var/spool/exim/filter/gotcha
  seen finish
endif

# filter spam for myuser
if $header_received: contains "for myuser@domain.de" and
   $header_x-spam-flag: contains "YES" 
then
	deliver myuser-spam@domain.de
	seen finish
endif

if $header_received: contains "for juergen.sauer@domain.de" and
   $header_x-spam-flag: contains "YES" 
then
	deliver myuser-spam@domain.de
	seen finish
endif

# deliver myuser's mails locally and to Schwanewede
#if $header_received: contains "for myuser@domain.de"
#then
#	deliver myuser-local@domain.de 
#	#deliver myuser@s.domain.de
#	seen finish
#endif
#
#if $header_received: contains "for juergen.sauer@domain.de"
#then
#	deliver myuser-local@domain.de 
#	deliver myuser@s.domain.de
#	seen finish
#endif
## -----------------------------------------------------------------------

Have fun

Regards
	Jürgen
	automatiX Linux  Support Crew
- -- 
Jürgen Sauer - AutomatiX GmbH, +49-4209-4699, jojo@automatix.de **
** The Linux systems house - Service - Support - Server - Solutions **
** http://www.automatix.de                    ICQ: #344389676   **
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/cqDvW7UKI9EqarERAng5AKC3u6S3vf0FM8BOkVumPNhQriia2wCfRloI
jfPJe4CZQf8BTtyOwMQtrJs=
=bpEj
-----END PGP SIGNATURE-----
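The attachment rules from the exim filter above, re-implemented in Python as an added example (it is not part of Jürgen's post or of Nigel Metheringham's filter) so that the patterns can be exercised offline against constructed Content-Type values and body fragments. The extension list and the four rule shapes (quoted/unquoted filename, header/body) are taken from the filter; the function names, the sample inputs and the case-insensitive compilation are this example's own assumptions.

```python
import re

# Extension list copied from the exim system filter in the post above.
EXTENSIONS = r"(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk|pif|eml)"

# Rules applied to the Content-Type header value, in the filter's order:
# quoted filename first, then unquoted.  Compiled case-insensitively here
# (a choice of this example) so that "SETUP.EXE" is caught as well.
HEADER_RULES = [
    ("content_type_quoted_fn_match",
     re.compile(r'(?:file)?name=("[^"]+\.' + EXTENSIONS + r'")', re.IGNORECASE)),
    ("content_type_unquoted_fn_match",
     re.compile(r'(?:file)?name=(\S+\.' + EXTENSIONS + r')', re.IGNORECASE)),
]

# Rules applied to the message body: a MIME part header carrying a filename,
# or a uuencode "begin <mode> <name>" line.  The filter's atomic groups
# (?>...) are written as plain \s* / \s+ here; the matches are the same.
_BODY_PREFIX = (r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);'
                r'\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)')
BODY_RULES = [
    ("body_quoted_fn_match",
     re.compile(_BODY_PREFIX + r'("[^"]+\.' + EXTENSIONS + r'")[\s;]', re.IGNORECASE)),
    ("body_unquoted_fn_match",
     re.compile(_BODY_PREFIX + r'(\S+\.' + EXTENSIONS + r')[\s;]', re.IGNORECASE)),
]


def check_content_type(header_value):
    """Return (rule name, captured filename) for the first header rule that
    matches, or None if the Content-Type value names no listed extension."""
    for name, pattern in HEADER_RULES:
        m = pattern.search(header_value)
        if m:
            return name, m.group(1)
    return None


def check_body(body):
    """Same for the message body: first matching body rule, or None."""
    for name, pattern in BODY_RULES:
        m = pattern.search(body)
        if m:
            return name, m.group(1)
    return None


# Constructed sample inputs (not taken from real mail).
SAMPLE_HEADERS = {
    "quoted":     'application/octet-stream; name="invoice.exe"',
    "unquoted":   'application/octet-stream; name=invoice.scr',
    "upper":      'application/octet-stream; name="SETUP.EXE"',
    "double_ext": 'text/plain; name=report.exe.txt',
    "pdf":        'application/pdf; name="report.pdf"',
    "zip":        'application/zip; name="report.zip"',
}

SAMPLE_BODY_MIME = (
    "--boundary\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "see attachment\n"
    "--boundary\n"
    'Content-Type: application/octet-stream; name="LOVE-LETTER.vbs"\n'
    "Content-Transfer-Encoding: base64\n"
)

SAMPLE_BODY_UUENCODE = (
    "here is the file\n"
    "begin 644 setup.exe\n"
    "M4$L#!!0`\n"
    "end\n"
)


def run_samples():
    """Evaluate every constructed sample and return the verdicts by name."""
    results = {key: check_content_type(val) for key, val in SAMPLE_HEADERS.items()}
    results["body_mime"] = check_body(SAMPLE_BODY_MIME)
    results["body_uuencode"] = check_body(SAMPLE_BODY_UUENCODE)
    return results


if __name__ == "__main__":
    for key, verdict in run_samples().items():
        print(f"{key:14s} -> {verdict}")
```

Two results of the samples are worth knowing before deploying the filter: `name=report.exe.txt` is rejected as `report.exe`, because the unquoted header rule has no terminator after the extension (the body rules do, via `[\s;]`), and `report.zip` passes untouched, which is exactly what the rejection text tells senders to do, so archives need a separate check if that matters for your site. All four rules look only at the declared filename, never at the attachment's bytes.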