A.8. Adding MIME and Filetype Checks

These checks depend on features found in Tom Kistner's Exiscan-ACL patch - see Prerequisites for details.

Exiscan-ACL includes support for MIME decoding, and file name suffix checks (or to use a misnomer from the Windows world, "file extension" checks). This check alone will block most Windows virii - but not those that are transmitted in .ZIP archives or those that exploit Outlook/MSIE HTML rendering vulnerabilities - see the discussion on Virus Scanners.

These checks should go into acl_data, before the final accept statement:

  # Reject messages that have serious MIME errors.
  #
  deny
    message     = Serious MIME defect detected ($demime_reason)
    demime      = *
    condition   = ${if >{$demime_errorlevel}{2}{1}{0}}


  # Unpack MIME containers and reject file extensions used by worms.
  # This calls the demime condition again, but it will return cached results.
  # Note that the extension list may be incomplete.
  #
  deny
    message     = We do not accept ".$found_extension" attachments here.
    demime      = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url

You will note that the demime condition is invoked twice in the example above. However, the results are cached, so the message is not actually processed twice.

mirror server hosted at Truenetwork, Russian Federation.