Hi qmailers,

I extended checkattach to do further checking.
I call it checkHAB. Attached is the extended script.
I hope this is useful.

cheers

-- 
Noel G. Mistula
Network & Systems Administrator
Meriton Apartments Pty Ltd
#!/bin/bash
#
####################################################################### 
# qmail -- checkHAB
# Author: Noel G. Mistula <[EMAIL PROTECTED]>
# URL: http://www.meriton.com.au
# URL: http://www.karimbla.com.au
# URL: http://www.karimbla.com.au/mistronix
# Date: 28 June 1999 Version: 0.1               checkattach
# Modified: 7 July 1999 Version: 0.3            checkattach
# Modified: 7 May 2000 Version: 0.4             checkattach
# Modified: 15 March 2001 Version: 0.4.5        checkattach
# Modified: 16 March 2001 Version: 0.4.7        checkhab
# I appreciate any comment on this quick and dirty way of filtering attachments.
#######################################################################

###################################
# This is released under GNU/GPL.
###################################

# WHAT is checkHAB?
# checkHAB is based on checkattach script.
# The HAB stands for;
#       H for HTML formatted
#       A for Attachment
#       B for email with Begin 644 inside
# Basically, checkHAB is an extension of checkattach. Instead of
# executing three successive scripts to check for HTML formatted email,
# unwanted Attachment, and email with Begin 644, we just run one
# script to do the job. Thus, we have checkHAB. I used to have these
# three scripts to do the job because grep -e doesn't work as I
# wish it to. I was able to combine them because I decided
# to use a temporary file within the script. If you have an idea
# on doing this without using a temp file then that would be great.

#############################################################
# For info on Filtering Attachments in qmail
# goto http://www.fehcom.de/qmail/filter.html
# I would like to thank Dr. Erwin Hoffmann for documenting this
# and his efforts to write CHECKSUBJ based on this script.
#############################################################

# INSTALLATION and USAGE:
# 1) Save this script as;    /usr/local/bin/checkhab
# 2) Make sure that there are _no_ ^M characters in the script.
#    I use gvim to check this. Or search for dedos.pl in the qmail
#    mailing list and use that to strip the ^M characters.     
# 3) Then;      chmod 755 /usr/local/bin/checkhab
# 4) Then;      chown root:qmail /usr/local/bin/checkhab
# 5) Then edit the user's .qmail file by adding the line;
#       |/usr/local/bin/checkhab
#    This must be _before_ the ./Maildir/

  
# Start program here ver 0.4.7.

# HTML bounce message
htmlmsg () {
        echo "Hi $SENDER,"
        echo " "
        echo "We received the email you sent to <$RECIPIENT> ."
        echo "However, your email has been held for quarantine and evaluation".
        echo "Because the email is HTML formatted. Note that, tiny dangerous"
        echo "programs can easily be embedded into a HTML formatted email."
        echo "Our company's policy is to accept PLAIN TEXT only email."
        echo "For our protection, quarantined email can be deleted anytime."
        echo "Please notify <$RECIPIENT> by phone."
        echo " "
        echo "Please call us (5555-5555) or email to [EMAIL PROTECTED],"
        echo "if you require clarification. Thank you."
        echo " "
}

# Attachment bounce message
attachmsg () {
        echo "Hi $SENDER,"
        echo " "
        echo "We received the email you sent to <$RECIPIENT> ."
        echo "However, your email has been held for quarantine and evaluation".
        echo "Because the attachment you sent may contain virus or is against"
        echo "our company's policy. For our protection, quarantined email can"
        echo "be deleted anytime. Please notify <$RECIPIENT> by phone."
        echo "           --- Filetype of the attachment you sent is $ATTYPE"
        echo " "
        echo "Please call us (5555-5555) or email to [EMAIL PROTECTED],"
        echo "if you require clarification. Thank you."
        echo " "
}

# Begin 644 bounce message
beginmsg () {
        echo "Hi $SENDER,"
        echo " "
        echo "We received the email you sent to <$RECIPIENT> ."
        echo "However, your email has been held for quarantine and evaluation".
        echo "Because the email has an executable program inside. The"
        echo "executable program may contain virus or similar payload."
        echo "For our protection, quarantined email can be deleted anytime."
        echo "Please notify <$RECIPIENT> by phone."
        echo "           --- Executable program inside, begin 644"
        echo " "
        echo "Please call us (5555-5555) or email to [EMAIL PROTECTED],"
        echo "if you require clarification. Thank you."
        echo " "
}

# Things to do when HTML formatting is detected
checkhtml () {
        # Forward to Junk Quarantine
        # Read about qmail-inject to customize this line.
        /var/qmail/bin/qmail-inject [EMAIL PROTECTED] [EMAIL PROTECTED] < $tmpfile

        # This will clean up the temporary file.
        rm -f $tmpfile

        # Bounce to sender with explanation only no original email.
        # Please read checktype() if you want to bounce the original email 
        # BTW, I need help here. HOW can I pass the Subject: from the original
        # message to the qmail-inject below? I tried to get the $SUBJECT but
        # nothing is there? Any help?
        htmlmsg | /var/qmail/bin/qmail-inject [EMAIL PROTECTED] "$SENDER"

        exit 99;
}

# Check for _not_ allowed attachment.
checktype () {
        # Forward to Junk Quarantine if found, otherwise continue
        case $ATTYPE in
                VBS | VB | ASF | HSQ | GEN | ADE | ADP | BAS | CHM | CPL | CRT | INF | \
                INS | ISP | MDB | MDE | MSC | MSI | MSP | MST | LNK | PCD | PIF | POT | PWZ | REG | \
                SCR | SHS | HQX | JS | VBE | RTF | JSE | CSS | WSH | WSC | WSF | SCT | HTA | VXD | EXE | \
                URL | HTM | DOT | HLP | PAK | DAT | PCX | COM | BAT | CMD | AVI | MOV | RAM | OCX | \
                CAB | CLA | RA | MPE | MPG | MP3 | MP4 | WAV | AUD | AU | DLL)

                # Forward to Junk Quarantine
                # Read about qmail-inject to customize this line.
                /var/qmail/bin/qmail-inject [EMAIL PROTECTED] [EMAIL PROTECTED] < $tmpfile

                # This will clean up the temporary file.
                rm -f $tmpfile

                # If you want to add this message to the original 
                # email, then uncomment the # attachmsg below.
                # This is normally used when you bounce the email
                # by using exit 100.
#               attachmsg

                # Use exit 100, to bounce email (use attachmsg above).
                # Use exit 99, if you don't want to bounce the email.
#               exit 100;;
#               exit 99;;

                ###### Being NICE to the Sender use this   #####
                ###### because the Sender is too STUPID    #####
                ###### s/he doesn't understand the bounced #####
                ###### message and gobbledygook attachment #####
                # Another way to customize the bounce message without
                # sending back the original (and attachment) is to
                # use exit 99. The problem with this is, some
                # consider this a spam because the From in the
                # envelope and the header are not the same.
                # Any suggestion? 
                # BTW, I need help here. HOW can I pass the Subject: from the original
                # message to the qmail-inject below? I tried to get the $SUBJECT but
                # nothing is there? Any help?
                attachmsg | /var/qmail/bin/qmail-inject [EMAIL PROTECTED] "$SENDER"
                # You can do it like this as well
#               attachmsg | /var/qmail/bin/qmail-inject "$SENDER"
                # Or like this
#               attachmsg | /var/qmail/bin/qmail-inject -f"$RECIPIENT" "$SENDER"
                exit 99;;

                *)

                # This will clean up the temporary file.
#               rm -f $tmpfile
#               exit 0;;
        esac
}

# Things to do when begin 644 is detected
checkbegin () {
        # Forward to Junk Quarantine
        # Read about qmail-inject to customize this line.
        /var/qmail/bin/qmail-inject [EMAIL PROTECTED] [EMAIL PROTECTED] < $tmpfile

        # This will clean up the temporary file.
        rm -f $tmpfile

        # Bounce to sender with explanation
        # Please read checktype() if you want to bounce the original email 
        # BTW, I need help here. HOW can I pass the Subject: from the original
        # message to the qmail-inject below? I tried to get the $SUBJECT but
        # nothing is there? Any help?
        beginmsg | /var/qmail/bin/qmail-inject [EMAIL PROTECTED] "$SENDER"

        exit 99;
}

######################
# MAIN part of the script.
# I had to do the next two lines of code to have forwarding options.
# Because the "egrep -e" will not work well if a line starts with "-".
# (Read more about egrep/grep to understand what I'm talking about.)
# I know this will create a temporary file and this will become
# a __security__ problem.... I hope not...;)
# However, if you have a better idea than this, just let me know. ;)
# NB: you cannot use (or can you?) tmpfile=$HOME/tmpmail$$ because if 
# the recipient is an alias then it will create the temp file in there.
tmpfile=/tmp/tmpmail$$
cat - > $tmpfile


### Checking for HTML formatted email ###
# People will say why is he blocking HTML formatted emails?
# Because you can run a lot of scripting in HTML formatted emails!
# I don't need those fancy multi-color, different sizes fonts and banners on my
# email! Besides *nix people mostly use character based MUA's ;)
COUNTHTML=0
COUNTHTML=`grep "^Content-Type: text/html" $tmpfile | wc -l`
if [ $COUNTHTML -ne 0 ]; then
        checkhtml
fi


### Checking Attachment Filetype ###
# The good old grep and gawk combo is right here.
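# tr strips quotes and CRs first, so a two-letter extension such as js" is
# not handed to checktype with the closing quote still attached.
ATTACHTYPE=`grep "name=" $tmpfile | tr -d '"\r' | gawk 'BEGIN {FS="."}; {print toupper($NF)}' | cut -c -3`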
for ATTYPE in $ATTACHTYPE
do
        checktype $ATTYPE
done


### Checking for Begin 644 and Begin 744 ###
# There are some MUAs that insert begin 644 inside instead of an EXE file
# attachment. I have been a victim of happy99.exe and I've learned my lesson.
# Because sometimes happy99.exe is being sent as begin 644. And those
# script kiddies who do this can be checked out :).
COUNTBEGIN=0
COUNTBEGIN=`egrep "^begin 6|^begin 7" $tmpfile | wc -l`
if [ $COUNTBEGIN -ne 0 ]; then
        checkbegin
fi


### This space is available to check out another type of SPAM ###
# Just wait ...
#

# This will clean up the temporary file
rm -f $tmpfile

exit 0
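
The script above spools the message to the predictable path /tmp/tmpmail$$ and has no way to read the Subject. The following is an added example, not part of the original post or of checkhab, showing the same three checks against a file created with mktemp, plus a Subject lookup from the spooled headers. The function names, the abbreviated block list and the sample message are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not part of checkhab. Function names are hypothetical.
# Abbreviated block list; checktype() in the script carries the full one.
BLOCKED_RE='VBS|VB|JS|EXE|SCR|PIF|COM|BAT|HTM'

# Spool stdin to a file mktemp creates atomically with mode 0600 and a random
# name, so another local user cannot pre-create or symlink it the way a
# predictable /tmp/tmpmail$$ allows. Exit 111 asks qmail to retry later.
spool_message () {
        f=$(mktemp "${TMPDIR:-/tmp}/checkhab.XXXXXXXXXX") || return 111
        cat > "$f" || { rm -f "$f"; return 111; }
        printf '%s\n' "$f"
}

# Print the Subject: value from the header block (lines before the first
# empty line) so a bounce notice can quote it.
get_subject () {
        sed -n -e '/^$/q' -e 's/^[Ss]ubject:[[:space:]]*//p' "$1" | head -n 1
}

# Print one verdict, checked in the script's order: HTML, ATTACH:<EXT>, BEGIN, OK.
classify_message () {
        if grep -qi -e '^Content-Type:[[:space:]]*text/html' "$1"; then
                echo HTML; return 0
        fi
        # Quotes and CRs are stripped before cutting to three characters.
        ext=$(grep -i -e 'name=' "$1" | tr -d '"\r' \
                | awk -F. 'NF > 1 {print toupper($NF)}' | cut -c -3 \
                | grep -E -x -e "$BLOCKED_RE" | head -n 1)
        if [ -n "$ext" ]; then
                echo "ATTACH:$ext"; return 0
        fi
        if grep -E -q -e '^begin [67]' "$1"; then
                echo BEGIN; return 0
        fi
        echo OK
}

# Constructed sample message (not from the original post).
sample_message () {
        printf '%s\n' 'From: sender@example.org' 'Subject: Quarterly report' \
                'Content-Type: multipart/mixed; boundary="x"' '' '--x' \
                'Content-Type: application/octet-stream; name="update.js"' \
                '' 'AAAA' '--x--'
}

msg=$(sample_message | spool_message) || exit 111
trap 'rm -f "$msg"' EXIT
echo "verdict=$(classify_message "$msg") subject=$(get_subject "$msg")"
```

In a .qmail delivery the verdict would select which notice function to pipe into qmail-inject, with the Subject value placed in the notice text.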
