I have the following recipe setup on all my systems (the same recipe
has been posted a few times over the past few weeks on this list):
SUBJECT=`formail -xSubject: \
| sed -e 's/[;\`\\]/ /g' \
| expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`
FROM=`formail -rt -xTo: \
| sed -e 's/[;\`\\]/ /g' \
| expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`
:0 B:
* $ ^Content-Type: application/mixed; name=.*"$SUBJECT".*
{
:0 hc:
* ^X-Mailer: Microsoft
* ^Content-Type: multipart/mixed;
| (formail -r -I "Subject: \"SirCam\" Worm Warning"; \
echo "Your computer appears to be infected with the \"SirCam\" Email Worm. "; \
echo "As a result, you sent me a message titled \"$SUBJECT\" which contained this virus. "; \
echo; \
echo "For more information please visit http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html "; \
echo "There you will also find information on how to remove the virus."; \
echo; \
echo "More information can be found at: "; \
echo "http://www.wired.com/news/technology/0,1282,45427,00.html and "; \
echo "http://www.zdnet.com/zdnn/stories/news/0,4586,2792260,00.html?chkpt=zdnnp1tp02 "; \
) | /usr/lib/sendmail -t
:0:
/dev/null
}
...and for a while there it worked fine, then this morning I found
two emails in my inbox (and other users') with the SirCam virus in them.
Why did it fail?
Here's one of the messages:
-------------------------------------------------------------------
Return-Path: <martinsz(_at_)mail(_dot_)lv>
Received: from users.pcraft.com (mx1.pcraft.com [206.168.220.51])
by speedy.pcraft.com (8.11.2/8.11.2-humbug) with ESMTP id
f71CQYZ15887
for <kirash(_at_)speedy(_dot_)pcraft(_dot_)com>; Wed, 1 Aug 2001
06:26:35 -0600
Received: from hellfire.mail.lv (hellfire.mail.lv [195.2.117.40])
by users.pcraft.com (8.9.3/8.9.3-MX1) with ESMTP id GAA05158
for <ashley(_at_)pcraft(_dot_)com>; Wed, 1 Aug 2001 06:12:29 -0600
Received: from martins.microlink.lv ([62.85.13.20])
by hellfire.mail.lv (8.9.3/8.9.3) with SMTP id PAA13477
for <ashley(_at_)pcraft(_dot_)com>; Wed, 1 Aug 2001 15:04:00 +0300
(EEST)
Message-Id: <200108011204(_dot_)PAA13477(_at_)hellfire(_dot_)mail(_dot_)lv>
From: "martins"<martinsz(_at_)mail(_dot_)lv>
To: ashley(_at_)pcraft(_dot_)com
Subject: =?ISO-8859-1?Q?en=5Fsysmanager=5B1=5D?=
date: Wed, 1 Aug 2001 15:12:29 +0300
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed;
boundary="----4CD47F35_Outlook_Express_message_boundary"
Content-Disposition: Multipart message
------4CD47F35_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text
Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks
------4CD47F35_Outlook_Express_message_boundary
X-Mozilla-IMAP-Part: 2
Content-Type: application/mixed; name=en_sysmanager[1].pdf.zip.lnk
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=en_sysmanager[1].pdf.zip.lnk
This body part will be downloaded on demand.
------4CD47F35_Outlook_Express_message_boundary
------4CD47F35_Outlook_Express_message_boundary--
-------------------------------------------------------------------
The interesting thing is, even though it lists in my INBOX as a 1Mb
file, what you see above is all there is to it. I'm baffled.
--
W | I haven't lost my mind; it's backed up on tape somewhere.
+--------------------------------------------------------------------
Ashley M. Kirchner <mailto:ashley(_at_)pcraft(_dot_)com> . 303.442.6410
x130
IT Director / SysAdmin / WebSmith . 800.441.3873 x130
Photo Craft Laboratories, Inc. . 3550 Arapahoe Ave. #6
http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
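
One reason the recipe cannot match the message quoted above, shown as an added example that is not part of the original post: formail -xSubject: returns the header exactly as sent, and this Subject is an RFC 2047 encoded-word, so its text never appears in the attachment's name= parameter. The Python below is a constructed stand-in for the recipe's comparison; the function names and the trimmed sample message are assumptions.

```python
import email
from email.header import decode_header, make_header

# Constructed sample: a trimmed copy of the message quoted in the post.
SAMPLE = """\
Subject: =?ISO-8859-1?Q?en=5Fsysmanager=5B1=5D?=
MIME-Version: 1.0
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed;
 boundary="----4CD47F35_Outlook_Express_message_boundary"

------4CD47F35_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1

Hi! How are you?
------4CD47F35_Outlook_Express_message_boundary
Content-Type: application/mixed; name=en_sysmanager[1].pdf.zip.lnk
Content-Disposition: attachment; filename=en_sysmanager[1].pdf.zip.lnk

This body part will be downloaded on demand.
------4CD47F35_Outlook_Express_message_boundary--
"""


def attachment_names(msg):
    """Names (filename= or name=) declared by the leaf MIME parts."""
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def subject_in_attachment_name(raw_message, decode=True):
    """True if the Subject text occurs in some attachment name.

    decode=False compares the header exactly as formail -xSubject: would
    return it; decode=True first decodes RFC 2047 encoded-words.
    """
    msg = email.message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if decode:
        subject = str(make_header(decode_header(subject)))
    subject = " ".join(subject.split())  # trim and collapse whitespace
    # Plain substring test: "[1]" is literal text here, not a regex class.
    return bool(subject) and any(subject in n for n in attachment_names(msg))


if __name__ == "__main__":
    print("raw subject matches:    ", subject_in_attachment_name(SAMPLE, False))
    print("decoded subject matches:", subject_in_attachment_name(SAMPLE, True))
```

In the recipe itself the same idea means decoding the Subject before assigning SUBJECT, and writing `$\SUBJECT` rather than `$SUBJECT` in the condition so that characters such as `[` are not read as regex syntax.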