[SOLVED] sieve filter on pigeonhole to remove exe attached emails doesn't work
Distribution: slackware 15.0 64bit, 14.2 64 and 32bit and arm, ubuntu and rasbian
Posts: 495
Rep:
sieve filter on pigeonhole to remove exe attached emails doesn't work
Hi all, I am running Slackware 14.1 32-bit with Dovecot and Pigeonhole installed from sbopkg.
Problem: I am trying to filter emails with attachments that are exe or zip files into junk.
What has been done: I have looked at http://www.emaildiscussions.com/show...522#post238522 which suggests
Code:
header :contains "X-Attached" [".zip", ".exe"]
but it doesn't touch my test emails. Looking at the email source from thunderbird shows no X-Attached lines, so I added
to the script, but mail with zip attachments still goes into inbox. I know the rest of the script is ok as other mail is filtered ok.
Does anyone have any clues how to filter by content-type in multi-mime messages?
An example message fragment that should match is:
Code:
Subject: testa1
Content-Type: multipart/mixed;
boundary="------------020304040002050407030900"
This is a multi-part message in MIME format.
--------------020304040002050407030900
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
this has a compressed file added a1
--------------020304040002050407030900
Content-Type: application/x-zip-compressed;
name="pinglog.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="pinglog.zip"
Distribution: slackware 15.0 64bit, 14.2 64 and 32bit and arm, ubuntu and rasbian
Posts: 495
Original Poster
Rep:
Unfortunately, Pigeonhole does not appear to have the mime extension. I have already checked RFC 5703 and, like you say, it should do the trick happily, but it is not available for Pigeonhole AFAIK, which means I need some other way of doing it.
I'm happy to be corrected if I am mistaken, but looking at http://pigeonhole.dovecot.org/index.html would seem to indicate that support may arrive eventually, but is not currently available. any alternative solution would be helpful, as the spammers sending malware as zip and exe (and scr and pif) attachments aren't waiting :-)
(I have put a request for RFC 5703 support on the Dovecot mailing list, as it would make things much simpler if it was implemented.)
You're right. The Dovecot site says the extension "will be added as soon as the necessary infrastructure is available".
Regarding the syntax, I think the test should be "header :mime ..." in order to match a MIME header.
Quote:
any alternative solution would be helpful, as the spammers sending malware as zip and exe (and scr and pif) attachments aren't waiting :-)
Use RBLs and content scanners (e.g. ClamAV for malware).
You could use something like Postfix's check_mime_headers to block / hold mail in the meantime.
Distribution: slackware 15.0 64bit, 14.2 64 and 32bit and arm, ubuntu and rasbian
Posts: 495
Original Poster
Rep:
Thanks for the suggestions, berhanie. I will be attempting to use something like ClamAV or SpamAssassin eventually.
Until the mime support gets added, the following catches zip and scr attachments:
Quote:
body :raw :contains ["application/x-zip-compressed","application/x-silverlight"]
however, catching exe and pif attachments is harder.
I have tried
Quote:
body :raw :regex ["filename=*.exe","filename=*.pif","filename=*.scr","filename=*.zip"]
and alternatively
Quote:
body :raw :regex ["filename\=*.exe","filename\=*.pif","filename\=*.scr","filename\=*.zip"]
Hi, timsoft. RFC 5173 mentions a :content keyword which is designed to match MIME content-type. It may be better to use that than :raw. The .exe may fall under application/octet-stream, but so would other types of files. Regarding the regexp, what you were after was "filename=.*\.exe".
Distribution: slackware 15.0 64bit, 14.2 64 and 32bit and arm, ubuntu and rasbian
Posts: 495
Original Poster
Rep:
Many thanks. I have looked at :content but, like you say, it doesn't help with exe (or with pif) because there are so many file extensions that use the same content-type.
For others looking at this thread,
body :raw :regex ["filename=.*\.exe","filename=.*\.pif","filename=.*\.scr","filename=.*\.zip"]
works (for those using sieve without a :mime implementation)
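Added example, not part of the thread: a Python check of what regex each pattern tried above becomes once the Sieve quoted string is unescaped, run against the MIME headers from the first post. It goes one step beyond the thread by showing that a single `\.` reaches the regex engine as a bare `.`, so a doubled backslash is needed for a literal dot. Assumptions: Python's `re` stands in for the POSIX-style regex engine, Pigeonhole applies the RFC 5228 section 2.4.2 rule that an undefined escape is read as if the backslash were absent, and the `BENIGN` header is constructed.

```python
import re

# Constructed from the MIME part headers quoted in the thread.
SAMPLE = (
    'Content-Type: application/x-zip-compressed;\n'
    ' name="pinglog.zip"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-Disposition: attachment;\n'
    ' filename="pinglog.zip"\n'
)
# Constructed harmless attachment name that merely contains "exe".
BENIGN = 'Content-Disposition: attachment;\n filename="notes-exe.txt"\n'


def regex_seen(sieve_string):
    """RFC 5228 quoted-string rule: drop each backslash, keep the next character."""
    return re.sub(r'\\(.)', r'\1', sieve_string, flags=re.S)


def hits(sieve_string, text):
    """True if the regex the Sieve engine receives matches somewhere in text."""
    return re.search(regex_seen(sieve_string), text) is not None


# Sieve strings exactly as typed between the double quotes in the script.
ATTEMPTS = [
    r'filename=*.zip',     # first try: "=*" means zero or more "="
    r'filename\=*.zip',    # second try: \= unescapes to =, so the same regex
    r'filename=.*\.zip',   # version posted as working
    r'filename=.*\\.zip',  # doubled backslash: a literal dot reaches the regex
]


def report():
    """(typed string, regex after unescaping, matches the thread's sample?)"""
    return [(s, regex_seen(s), hits(s, SAMPLE)) for s in ATTEMPTS]


if __name__ == "__main__":
    for typed, seen, matched in report():
        print(f'{typed!r:24} regex {seen!r:22} matches sample: {matched}')
    for typed in (r'filename=.*\.exe', r'filename=.*\\.exe'):
        print(f'{typed!r:24} matches benign name: {hits(typed, BENIGN)}')
```

With the single backslash the rule still catches the sample, but it also files the benign `notes-exe.txt` name as a match; the doubled form does not.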