LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 01-29-2014, 04:09 PM   #1
timsoft
Member
 
Registered: Oct 2004
Location: scotland
Distribution: slackware 13.1,13.37,14.0,14.1 64 and 32bit and arm
Posts: 152

Rep: Reputation: 20
Question sieve filter on pigeonhole to remove exe attached emails doesn't work


hi all, I am running slackware 14.1 32bit with dovecot and pigeonhole installed from sbopkg.
Problem: I am trying to filter emails with attachments that are exe or zip files into junk.
what has been done: I have looked at http://www.emaildiscussions.com/show...522#post238522 which suggests
Code:
header :contains "X-Attached" [".zip", ".exe"]
but it doesn't touch my test emails. Looking at the email source from thunderbird shows no X-Attached lines, so I added
Code:
header :contains ["Content-Type","name","filename"]
      ["application/x-zip-compressed",".zip",".exe"]
to the script, but mail with zip attachments still goes into inbox. I know the rest of the script is ok as other mail is filtered ok.
does anyone have any clues how to filter by content-type in multi-mime messages.
an example message fragment that should match is:
Code:
Subject: testa1
Content-Type: multipart/mixed;
 boundary="------------020304040002050407030900"

This is a multi-part message in MIME format.
--------------020304040002050407030900
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

this has a compressed file added a1


--------------020304040002050407030900
Content-Type: application/x-zip-compressed;
 name="pinglog.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="pinglog.zip"
thanks
 
Old 01-31-2014, 02:05 AM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
seems to me you're not using the correct syntax for mime-header matching. i would start by reading this RFC.
 
Old 01-31-2014, 02:20 AM   #3
timsoft
Member
 
Registered: Oct 2004
Location: scotland
Distribution: slackware 13.1,13.37,14.0,14.1 64 and 32bit and arm
Posts: 152

Original Poster
Rep: Reputation: 20
Unfortunately, pigeonhole does not appear to have the mime extension. I have already checked the rfc5703, as like you say, it should do the trick happily, but it is not available for pigeonhole AFAIK, which means I need some other way of doing it.

I'm happy to be corrected if I am mistaken, but looking at http://pigeonhole.dovecot.org/index.html would seem to indicate that support may arrive eventually, but is not currently available. any alternative solution would be helpful, as the spammers sending malware as zip and exe (and scr and pif) attachments aren't waiting :-)

(I have put a request for rfc5703 support on the dovecot mailing list, as it would make things much simpler if it was implimented)
 
Old 01-31-2014, 05:44 AM   #4
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
you're right. the dovecot site says the extension "will be added as soon as the necessary infrastructure is available".
regarding the syntax, i think the test should be "header :mime ..." in order to match a mime header.

Quote:
any alternative solution would be helpful, as the spammers sending malware as zip and exe (and scr and pif) attachments aren't waiting :-)
use rbls and content scanners (e.g. clamav for malware).
you could use something like postfix's check_mime_headers to block / hold mail in the meantime.
 
Old 01-31-2014, 11:55 AM   #5
timsoft
Member
 
Registered: Oct 2004
Location: scotland
Distribution: slackware 13.1,13.37,14.0,14.1 64 and 32bit and arm
Posts: 152

Original Poster
Rep: Reputation: 20
thanks for the suggestions berhanie. I will be attempting to use something like clamav or spamassasin eventually.
Until the mime support gets added, the following catches zip and scr attachements

Quote:
body :raw :contains ["application/x-zip-compressed","application/x-silverlight"]
however, catching exe and pif attachments is harder.

I have tried
Quote:
body :raw :regex ["filename=*.exe","filename=*.pif","filename=*.scr","filename=*.zip"]
and alternatively
Quote:
body :raw :regex ["filename\=*.exe","filename\=*.pif","filename\=*.scr","filename\=*.zip"]
but neither work.
 
Old 02-02-2014, 06:56 PM   #6
motomoto
LQ Newbie
 
Registered: Jun 2012
Location: bangladesh
Posts: 5

Rep: Reputation: Disabled
Thumbs down

Quote:
Originally Posted by Berhanie View Post
seems to me you're not using the correct syntax for mime-header matching. i would start by reading this RFC.
Are you american, bro?

Last edited by motomoto; 02-02-2014 at 06:59 PM.
 
Old 02-04-2014, 07:32 PM   #7
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Hi, timsoft. rfc 5173 mentions a :content keyword which is designed to match MIME content-type. It may better to use that than :raw. The .exe may fall under application/octet-stream, but so would other types of files. Regarding the regexp, what you were after was "filename=.*\.exe".
 
1 members found this post helpful.
Old 02-05-2014, 04:43 AM   #8
timsoft
Member
 
Registered: Oct 2004
Location: scotland
Distribution: slackware 13.1,13.37,14.0,14.1 64 and 32bit and arm
Posts: 152

Original Poster
Rep: Reputation: 20
many thanks. I have looked at :content but, like you say, it doesn't help with exe ( or with pif) because there are so many file extensions that use the same content-type

for others looking at this thread,

body :raw :regex ["filename=.*\.exe","filename=.*\.pif","filename=.*\.scr","filename=.*\.zip"]

works (for those using sieve without a :mime implementation)
 
  


Reply

Tags
attachments, filter, mail


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Track filter in gtkpod doesn't work cyberpatrol Slackware 15 03-06-2013 01:46 AM
[SOLVED] Can't get sieve to work in Dovecot 1.2.15 with Fetchmail on Debian 6 TobiSGD Linux - Server 1 05-30-2012 08:03 AM
open office doesn't work and gives me the Filter Selection box on starting chadwick Linux - Software 3 06-18-2009 06:09 PM
Add/Remove Software doesn't work in Fedora 10 pradnyasoorya Linux - Software 2 02-26-2009 09:14 AM
apt-get remove doesn't work Yukon Linux - General 5 12-10-2006 11:40 PM


All times are GMT -5. The time now is 12:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration