E-mail with attached .mdb file gets blocked

k1l0b1t

I noticed, when my grandfather wanted to send me some old .mdb file, that the mail got rejected by the system filter. Somehow I don't know why it gets rejected: no sieve filter or spam filter is set to reject, only to move to the spam folder.

Code:
2021-01-26 15:29:52 1l4PLs-0006xy-Ev <= [email protected] [email protected] [sender.mailserver.ipv4] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2139212 [email protected] T="subject" from <[email protected]> for [email protected]
2021-01-26 15:29:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1l4PLs-0006xy-Ev
2021-01-26 15:29:52 1l4PLs-0006xy-Ev => discarded (system filter)
2021-01-26 15:29:52 1l4PLs-0006xy-Ev Completed

Any ideas on how to fix this? Thanks.
 
This help?
 
Yes, except it's not a permanent solution.

I do want weird extensions to be caught, in fact, but just put in the spam folder. Any idea on how to do that?
 
Maybe this:
cat /etc/exim.easy_spam_fighter/check_mime.conf

 
Ah, gotta check ESF out then; I don't think I installed that on my box.

Any tips on how to install that?
Enable it, and then build both exim and exim.conf? Or something else too?
 
Choose rspamd or old spamassassin. Remove one or the other from cmd

Code:
cd /usr/local/directadmin/custombuild
./build set_fastest
./build clean
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set blockcracking yes
./build set easy_spam_fighter yes
#./build set spamd spamassassin
./build set spamd rspamd
./build set exim yes
./build exim
./build set dovecot_conf yes
./build dovecot_conf
#./build spamassassin
./build rspamd
./build update
./build exim_conf
 
So, I've done that (for spamassassin).

It still gets blocked instead of being put through the spam filters.
Here's the contents of the check_mime.conf file though:

Code:
warn decode = default

deny message = Blacklisted file extension detected ($mime_filename)
     condition = ${if !eq{$acl_c_esf_skip}{1}}
     condition = ${if match \
                  {${lc:$mime_filename}} \
                  {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|\.vbs|\.cpl|\.jar)$\N} \
                  {1}{0}}

deny
    message = zip file contains an attachment with a dangerous payload ($mime_filename).
    condition = ${if !eq{$acl_c_esf_skip}{1}}
    condition = ${if match \
                  {${lc:$mime_filename}} \
                  {\N(\.zip)$\N} \
                  {1}{0}}
    condition = ${run{/bin/sh -c '/etc/exim.easy_spam_fighter/exim_check_attachment.sh zip $message_exim_id $mime_decoded_filename'}{0}{1}}
    log_message = exim_check_attachment.sh: '$mime_filename' contains a dangerous payload.

I think it's the default system filter where it gets blocked (as disabling that yesterday allowed a test mail with the same attachment to go through).

So: is there any way I can make it not reject the mail, but instead just have it marked as spam?


Code:
if $header_content-type: matches "(?:file)?name=\"([^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc]))\""
then
  seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc])\")([\\\\s;]|\\$)"
then
  seen finish
endif

This is the snippet in the /etc/system_filter.exim file that seems to cause it. I assume removing the finish part would do the trick? I will wait for a reply, as I'd rather hear some other possible ideas on how to do it.

I did find this though: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-systemwide_message_filtering.html. Heading #6 is about adding headers in a system filter; would replacing the "seen finish" part with such a header-adding part work?

Also: I assume that if I need to change that system filter, I have to put it in a custom/ directory. Which command builds that system_filter.exim file, ./build exim or ./build exim_conf? (It's in the /usr/local/directadmin/data/templates/ folder.)
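An added example, not from this thread or from DirectAdmin's templates: a small Python check that reproduces the quoted-filename rule of the system filter above, so you can see which Content-Type headers the default filter discards (an .mdb file matches through the `md[be]` alternative) before deciding how to replace `seen finish`. It assumes the forum has doubled the backslashes and the effective pattern is a plain `\.`; Exim's lowercase `matches` operator is case-insensitive, hence `re.IGNORECASE`. The sample header values are constructed.

```python
import re

# Effective regex of the quoted-filename rule in /etc/system_filter.exim,
# with the escaping of Exim's double-quoted string resolved (assumed: "\\." -> "\.").
DANGEROUS_EXT = (
    r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
    r"md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc]"
)
# Exim's lowercase `matches` is case-insensitive, so mirror that here.
QUOTED_FILENAME = re.compile(
    r'(?:file)?name="([^"]+\.(?:' + DANGEROUS_EXT + r'))"', re.IGNORECASE
)


def blocked_filename(content_type: str):
    """Return the attachment filename the system filter would act on, or None."""
    m = QUOTED_FILENAME.search(content_type)
    return m.group(1) if m else None


# Constructed Content-Type header values (not taken from the thread) -> expected result.
SAMPLES = {
    'application/vnd.ms-access; name="family_tree.mdb"': "family_tree.mdb",
    'application/octet-stream; name="DATA.MDE"': "DATA.MDE",  # case-insensitive match
    'application/pdf; name="report.pdf"': None,
    'application/octet-stream; name="old.accdb"': None,  # .accdb is not in the list
    'application/zip; name="archive.zip"': None,  # zips are handled by check_mime.conf
}


def run_samples():
    """Evaluate every sample header; returns {header: matched filename or None}."""
    return {ct: blocked_filename(ct) for ct in SAMPLES}


if __name__ == "__main__":
    for ct, fn in run_samples().items():
        print(f"{'DISCARD' if fn else 'pass   '}  {ct}")
```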
 