A.8. Adding MIME and Filetype Checks
These checks depend on features found in Tom Kistner's
Exiscan-ACL patch - see Prerequisites for details.
Exiscan-ACL includes support for MIME decoding and file name
suffix checks (or, to use a misnomer from the Windows world,
"file extension" checks). This check alone will
block most Windows viruses - but not those that are transmitted in
.ZIP archives or those that exploit
Outlook/MSIE HTML rendering vulnerabilities - see the discussion
on Virus Scanners.
These checks should go into acl_data,
before the final accept statement:
  # Reject messages that have serious MIME errors.
  #
  deny    message   = Serious MIME defect detected ($demime_reason)
          demime    = *
          condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # Unpack MIME containers and reject file extensions used by worms.
  # This calls the demime condition again, but it will return cached results.
  # Note that the extension list may be incomplete.
  #
  deny    message   = We do not accept ".$found_extension" attachments here.
          demime    = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url
You will note that the demime condition is
invoked twice in the example above. However, the results are
cached, so the message is not actually processed twice.
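To make the two ACL conditions concrete, here is an added example in Python (not Exiscan's demime code, and not part of this HOWTO) that re-implements the same two checks over a raw message using only the standard library: it reports structural MIME defects, and it walks the decoded parts to collect attachment suffixes and match them against the same extension list the ACL uses. The sample messages are constructed for illustration; the names `mime_defects`, `attachment_extensions` and `found_extension`, the case-insensitive suffix comparison, and the idea of treating any parser-reported defect as "serious" are assumptions of this example rather than documented Exiscan behaviour.

```python
import email
import os
from email import policy

# Same suffix list as the ACL's demime condition, split into a set for lookup.
BLOCKED_EXTENSIONS = set(
    "bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url".split(":")
)


def mime_defects(raw_message: bytes) -> list:
    """Return the class names of structural defects the MIME parser found.

    This stands in for the ACL's $demime_errorlevel check: a non-empty list
    means the message could not be decoded cleanly (assumption: any parser
    defect counts as serious for this example).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [type(d).__name__ for d in msg.defects]


def attachment_extensions(raw_message: bytes) -> list:
    """Walk every leaf part and collect lower-cased file name suffixes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    exts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no file name of their own
        name = part.get_filename()  # Content-Disposition or Content-Type name=
        if not name:
            continue
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        if ext:
            exts.append(ext)
    return exts


def found_extension(raw_message: bytes):
    """Return the first blocked suffix (like $found_extension) or None."""
    for ext in attachment_extensions(raw_message):
        if ext in BLOCKED_EXTENSIONS:
            return ext
    return None


# Constructed sample: a worm-style message carrying an .EXE attachment.
SAMPLE_EXE = b"""From: sender@example.invalid
To: you@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached invoice.
--XYZ
Content-Type: application/octet-stream; name="Invoice.EXE"
Content-Disposition: attachment; filename="Invoice.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

# Constructed sample: the same payload wrapped in a .ZIP, which the suffix
# check does not catch (the limitation the text describes).
SAMPLE_ZIP = SAMPLE_EXE.replace(b"Invoice.EXE", b"Invoice.zip")

# Constructed sample: declares a multipart boundary but never uses it,
# so the parser records a structural defect.
SAMPLE_BROKEN = b"""From: sender@example.invalid
To: you@example.invalid
Subject: broken
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

this message has no boundary lines at all
"""

if __name__ == "__main__":
    print("exe sample   ->", found_extension(SAMPLE_EXE))
    print("zip sample   ->", found_extension(SAMPLE_ZIP), attachment_extensions(SAMPLE_ZIP))
    print("broken sample->", mime_defects(SAMPLE_BROKEN))
```

Running it shows the two outcomes the ACL produces: the `.EXE` message would be rejected with `.exe` as the offending suffix, while the `.zip` variant passes the suffix check untouched, which is exactly why the text points you at a virus scanner for archive contents. The parser does the MIME decoding once per function call here; Exiscan's demime caches its result so the second ACL statement costs nothing extra.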