Added system_filter.exim to be installed into /etc/exim, you can call this

from your configure file and it'll stop those nasty windows viruses as well
as preventing the header length exploits common to M$ MUA's

2 files changed, 226 insertions, 0 deletions

diff --git a/net-mail/exim/exim-3.32.ebuild b/net-mail/exim/exim-3.32.ebuild
index 775caf484cd1..b833193b6961 100644
--- a/net-mail/exim/exim-3.32.ebuild
+++ b/net-mail/exim/exim-3.32.ebuild
@@ -152,8 +152,14 @@ src_install () {
     doins ${FILESDIR}/exim
 
     dodoc ${S}/doc/*
+# INSTALL a pam.d file for SMTP AUTH that works with gentoo's pam
 	 insinto /etc/pam.d
 	 doins ${FILESDIR}/pam.d-exim
+
+# A nice filter for exim to protect your windows clients.
+	insinto /etc/exim
+	doins ${FILESDIR}/system_filter.exim
+	einfo "Read the bottom of /etc/exim/system_filter.exim for usage"
 }
 
 pkg_config() {
diff --git a/net-mail/exim/files/system_filter.exim b/net-mail/exim/files/system_filter.exim
new file mode 100644
index 000000000000..9a916b68fddb
--- /dev/null
+++ b/net-mail/exim/files/system_filter.exim
@@ -0,0 +1,220 @@
+# Exim filter
+## Version: 0.13
+#	$Id: system_filter.exim,v 1.1 2001/08/14 20:17:21 lamer Exp $
+
+## If you haven't worked with exim filters before, read
+## the install notes at the end of this file.
+
+#
+# Only run any of this stuff on the first pass through the
+# filter - this is an optomisation for messages that get
+# queued and have several delivery attempts
+#
+# we express this in reverse so we can just bail out
+# on inappropriate messages
+#
+if not first_delivery
+then
+  finish
+endif
+
+# Check for MS buffer overruns as per latest BUGTRAQ.
+# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
+# This could happen in error messages, hence its placing
+# here...
+# We substract the first n characters of the date header
+# and test if its the same as the date header... which
+# is a lousy way of checking if the date is longer than
+# n chars long
+if ${length_80:$header_date:} is not $header_date:
+then
+  fail text "This message has been rejected because it has\n\
+	     \tan overlength date field which can be used\n\
+	     \tto subvert Microsoft mail programs\n\
+             \tThe following URL has further information\n\
+	     \thttp://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
+  seen finish
+endif
+
+# This is a nasty compromise.
+# This crud is now being sent with a <> envelope sender, but
+# blocking all error messages that pattern match prevents
+# bounces getting back.... so we fudge it somewhat
+if $header_from: contains "@sexyfun.net"
+then
+  fail text "This message has been rejected since it has\n\
+		\tthe signature of a known virus in the header."
+  seen finish
+endif
+if error_message and $header_from: contains "Mailer-Daemon@"
+then
+  # looks like a real error message - just ignore it
+  finish
+endif
+
+# Look for single part MIME messages with suspicious name extensions
+# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
+if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")"
+then
+  fail text "This message has been rejected because it has\n\
+	     \tpotentially executable content $1\n\
+	     \tThis form of attachment has been used by\n\
+             \trecent viruses or other malware.\n\
+	     \tIf you meant to send this file then please\n\
+	     \tpackage it up as a zip file and resend it."
+  seen finish
+endif
+# same again using unquoted filename [content_type_unquoted_fn_match]
+if $header_content-type: matches "(?:file)?name=([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))"
+then
+  fail text "This message has been rejected because it has\n\
+	     \tpotentially executable content $1\n\
+	     \tThis form of attachment has been used by\n\
+             \trecent viruses or other malware.\n\
+	     \tIf you meant to send this file then please\n\
+	     \tpackage it up as a zip file and resend it."
+  seen finish
+endif
+
+
+# Attempt to catch embedded VBS attachments
+# in emails.   These were used as the basis for 
+# the ILOVEYOU virus and its variants
+# Quoted filename - [body_quoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif)\")[\\\\s;]"
+then
+  fail text "This message has been rejected because it has\n\
+	     \ta potentially executable attachment $1\n\
+	     \tThis form of attachment has been used by\n\
+             \trecent viruses or other malware.\n\
+	     \tIf you meant to send this file then please\n\
+	     \tpackage it up as a zip file and resend it."
+  seen finish
+endif
+# same again using unquoted filename [body_unquoted_fn_match]
+if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))([\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|pif))[\\\\s;]"
+then
+  fail text "This message has been rejected because it has\n\
+	     \ta potentially executable attachment $1\n\
+	     \tThis form of attachment has been used by\n\
+             \trecent viruses or other malware.\n\
+	     \tIf you meant to send this file then please\n\
+	     \tpackage it up as a zip file and resend it."
+  seen finish
+endif
+
+#### Version history
+#
+# 0.01 5 May 2000
+#	Initial release
+# 0.02 8 May 2000
+#	Widened list of content-types accepted, added WSF extension
+# 0.03 8 May 2000
+#	Embedded the install notes in for those that don't do manuals
+# 0.04 9 May 2000
+#	Check global content-type header.  Efficiency mods to REs
+# 0.05 9 May 2000
+#	More minor efficiency mods, doc changes
+# 0.06 20 June 2000
+#	Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
+# 0.07 19 July 2000
+#	Latest MS Outhouse bug catching
+# 0.08 19 July 2000
+#	Changed trigger length to 80 chars, fixed some spelling
+# 0.09 29 September 2000
+#	More extensions... its getting so we should just allow 2 or 3 through
+# 0.10 18 January 2001
+#	Removed exclusion for error messages - this is a little nasty
+#	since it has other side effects, hence we do still exclude
+#	on unix like error messages
+# 0.11 20 March, 2001
+#	Added CMD extension, tidied docs slightly, added RCS tag
+#	** Missed changing version number at top of file :-(
+# 0.12 10 May, 2001
+#	Added HTA extension
+# 0.13 22 May, 2001
+#	Reformatted regexps and code to build them so that they are
+#	shorter than the limits on pre exim 3.20 filters.  This will
+#	make them significantly less efficient, but I am getting so
+#	many queries about this that requiring 3.2x appears unsupportable.
+#
+#### Install Notes
+#
+# Exim filters run the exim filter language - a very primitive
+# scripting language - in place of a user .forward file, or on
+# a per system basis (on all messages passing through).
+# The filtering capability is documented in the main set of manuals
+# a copy of which can be found on the exim web site
+#	http://www.exim.org/
+#
+# To install, copy the filter file (with appropriate permissions)
+# to /etc/exim/system_filter.exim and add to your exim config file
+# [location is installation depedant - typicaly /etc/exim/config ]
+# at the top the line:-
+#	message_filter = /etc/exim/system_filter.exim
+#	message_body_visible = 5000
+#
+# You may also want to set the message_filter_user & message_filter_group
+# options, but they default to the standard exim user and so can
+# be left untouched.  The other message_filter_* options are only
+# needed if you modify this to do other functions such as deliveries.
+# The main exim documentation is quite thorough and so I see no need
+# to expand it here...
+#
+# Any message that matches the filter will then be bounced.
+# If you wish you can change the error message by editing it
+# in the section above - however be careful you don't break it.
+#
+# After install exim should be restarted - a kill -HUP to the
+# daemon will do this.
+#
+#### LIMITATIONS
+#
+# This filter tries to parse MIME with a regexp... that doesn't
+# work too well.  It will also only see the amount of the body
+# specified in message_body_visible
+#
+#### BASIS
+#
+# The regexp that is used to pickup MIME/uuencoded parts is replicated
+# below (in perl format).  You need to remember that exim converts
+# newlines to spaces in the message_body variable.
+#
+#  (?:Content-					# start of content header
+#  (?:Type: (?>\s*)				# rest of c/t header
+#    [\w-]+/[\w-]+				# content-type (any)
+#    |Disposition: (?>\s*)			# content-disposition hdr
+#    attachment)					# content-disposition
+#  ;(?>\s*)					# ; space or newline
+#  (?:file)?name=				# filename=/name= 
+#  |begin (?>\s+) [0-7]{3,4} (?>\s+)) 		# begin octal-mode
+#  (\"[^\"]+\.					# quoted filename.
+#	(?:vb[se]				# list of extns
+#	|ws[fh]
+#	|jse?
+#	|exe
+#	|com
+#	|cmd
+#	|shs
+#	|hta
+#	|bat
+#	|scr
+#	|pif)
+#	\"					# end quote
+#  |[\w.-]+\.					# unquoted filename.ext
+#	(?:vb[se]				# list of extns
+#	|ws[fh]
+#	|jse?
+#	|exe
+#	|com
+#	|cmd
+#	|shs
+#	|hta
+#	|bat
+#	|scr
+#	|pif)
+#  )						# end of filename capture
+#  [\s;]					# trailing ;/space/newline
+#
+#
+### [End]