A.8. Adding MIME and Filetype Checks

These checks depend on features found in Tom Kistner's Exiscan-ACL patch - see Prerequisites for details.

Exiscan-ACL includes support for MIME decoding and file name suffix checks (or, to use a misnomer from the Windows world, "file extension" checks). The suffix check alone will block most Windows viruses - but not those that are transmitted inside .ZIP archives, nor those that exploit Outlook/MSIE HTML rendering vulnerabilities - see the discussion on Virus Scanners.

These checks should go into acl_data, before the final accept statement:

  # Reject messages that have serious MIME errors.
  #
  deny
    message     = Serious MIME defect detected ($demime_reason)
    demime      = *
    condition   = ${if >{$demime_errorlevel}{2}{1}{0}}


  # Unpack MIME containers and reject file extensions used by worms.
  # This calls the demime condition again, but it will return cached results.
  # Note that the extension list may be incomplete.
  #
  deny
    message     = We do not accept ".$found_extension" attachments here.
    demime      = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url

You will note that the demime condition is invoked twice in the example above. However, the results are cached, so the message is not actually processed twice.
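To make the behaviour of the suffix check concrete, the following Python script re-implements its logic outside Exim: it walks a MIME message, pulls the filename from each attachment, lowercases the part after the last dot and compares it with the same suffix list used in the demime condition above. This is an added illustration, not Exiscan's own code, and the two sample messages it builds are constructed here. It also shows the gap the text mentions: a .zip attachment passes the check even if it contains a .exe.

```python
import email
from email import policy
from email.message import EmailMessage

# Suffix list copied from the demime condition in the ACL above.
BLOCKED_SUFFIXES = set(
    "bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url".split(":")
)


def attachment_names(raw_message: bytes) -> list:
    """Return the file names of all non-multipart MIME parts that carry one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers themselves have no filename
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def found_extension(filename: str) -> str:
    """Approximation of $found_extension: the lower-cased suffix after the
    last dot of the base name, or '' when there is no dot at all."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[-1].strip().lower()


def first_blocked_extension(raw_message: bytes):
    """Return the first blocked suffix seen in the message, or None."""
    for name in attachment_names(raw_message):
        ext = found_extension(name)
        if ext in BLOCKED_SUFFIXES:
            return ext
    return None


def build_message(filename: str, payload: bytes) -> bytes:
    """Build a constructed two-part message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    msg.add_attachment(
        payload, maintype="application", subtype="octet-stream", filename=filename
    )
    return msg.as_bytes()


# Constructed samples: a mixed-case .Exe name (caught) and a .zip (not caught).
WORM_MESSAGE = build_message("Invoice.Exe", b"MZ constructed stub")
ZIP_MESSAGE = build_message("invoice.zip", b"PK\x03\x04 constructed stub")

if __name__ == "__main__":
    print("worm message rejected for:", first_blocked_extension(WORM_MESSAGE))
    print("zip message rejected for:", first_blocked_extension(ZIP_MESSAGE))
```

The comparison is done on the lower-cased suffix so that "Invoice.Exe" and "invoice.exe" are treated alike; a filename without a dot yields an empty extension and is therefore never matched, and only the final suffix is considered, so "report.tar.gz" is judged as "gz".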