procmail

Re: Best way of blocking virii

2001-11-28 23:18:58

The list of file name extensions that can contain malicious
attachments has grown considerably. See:

    http://www.johncon.com/john/QuarantineAttachments/

for particulars.

        John

BTW, Philip did the regex optimization on that one, too.        

Gregory Berardi writes:

The following rule was posted to the procmail list February 2001.
Credits were given to Philip Guenther.

It doesn't block in all cases and I really don't understand why.
I tried adding code to break, bounce or remove the attachment
but that didn't work.  Would be nice if we could get some direction
on how to make this work.

This might give you a heads up and possibly a solution to this
type of request.



# The regexp for matching whitespace in the embedded header field
# of a multipart message.  We have to handle wrapped lines.
# The bracket expression must contain a space and a literal tab
# character; procmail's regexps have no \t escape.
ws = '[ 	]*($[ 	]+)*'

# The regexp for matching 'anything' inside an embedded header
# field of a multipart message.  That is, it matches anything
# except the newline (not followed by a whitespace character)
# that terminates the header field.  Same space-and-tab bracket.
dotstar = '.*($[ 	].*)*'

# A single double-quote.  For use in variable expanded regexps to
# avoid problems related to how procmail implements the variable
# expansion
dq = '"'

# Any condition that uses any of these variables in its regexp
# must have the '$' special before the regexp to tell procmail to
# do variable expansion on the regexp.

# This matches if there exists an embedded Content-whatever header field
# whose value, ignoring legal whitespace, matches the regexp
#     .*name="filename"
# Note that the file name must be double-quoted: an unquoted
# name=foo.exe does not match this condition.  Matching is
# case-insensitive (no D flag on the recipe), so .EXE is covered.

ext = '\.(scr|vbs|shs|bat|com|exe|pif)'

:0 B
* $ ^Content-(Type|Disposition):${dotstar}name${ws}=${ws}${dq}.*${ext}${dq}
/dev/null


On Wednesday 28 November 2001 05:29 am, you wrote:
I'm just looking for the best way of blocking viruses from coming into my
mail system using procmail. I want to basically drop messages that contain
known widely spread virii like Sircam and snowwhite, and bounce a message
to the sender with information about the virus, and how to fix it.

I also want to block all incoming attachments that are executable, such as
.vbs and .exe. With this I'd like it to bounce a message to the sender
saying that we don't accept executable attachments, and also send a message
to the intended recipient listing the sender, the subject of the message,
and the name of the file(s). Is this a good idea do you guys think?

My main question is how to do this. I've looked at a lot of tutorials, but
still can't figure it out. Could someone please help me? And is there a
place where I can automatically download signatures (more like little
procmail scripts) to get rid of known wild viruses? This would be even
better, because you could have a cron job to download the latest bunch of
virii detectors, and use them. If a detector hadn't hit for 6 months it
could automatically be dropped to save CPU. Thanks,

David
-- 

John Conover, conover(_at_)rahul(_dot_)net, http://www.johncon.com/

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
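An added example, not part of the thread and not Philip's, Gregory's or John's code: the same extension check written in Python with the standard library's MIME parser instead of a regexp, so that folded header lines, unquoted name= values, RFC 2047 and RFC 2231 encoded file names and nested multipart bodies are all handled, plus the notice to the recipient that David asked for (sender, subject and file names). The function names and the sample message are constructed for this example.

```python
# Added example, not from the thread: the recipe's attachment check redone
# with a real MIME parser (Python's standard email package).  Function names
# and the sample message are constructed for this example.
import email
from email.header import decode_header, make_header

# Same extension list as the procmail recipe.
BLOCKED_EXT = ('.scr', '.vbs', '.shs', '.bat', '.com', '.exe', '.pif')

# Constructed sample: nested multipart, a folded header with an unquoted
# name= (the recipe's regexp misses this one), an RFC 2047 encoded-word
# name, an RFC 2231 filename*= value, and one harmless attachment.
SAMPLE = b"""From: someone@example.invalid
To: you@example.invalid
Subject: Re: documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain

see attached
--inner
Content-Type: text/html

<p>see attached</p>
--inner--
--outer
Content-Type: application/octet-stream;
\tname=readme.txt.pif
Content-Disposition: attachment;
\tfilename=readme.txt.pif

AAAA
--outer
Content-Type: application/octet-stream; name="=?us-ascii?q?invoice=2Escr?="

AAAA
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*=iso-8859-1''r%E9sum%E9.EXE

AAAA
--outer
Content-Type: application/pdf; name="report.pdf"

AAAA
--outer--
"""


def decode_name(name):
    """Decode an RFC 2047 encoded-word file name (=?charset?q?...?=);
    plain names pass through unchanged."""
    return str(make_header(decode_header(name))).strip()


def attachment_names(msg):
    """File name of every non-multipart part that carries one.  get_filename()
    looks at Content-Disposition filename= first, then Content-Type name=,
    exactly the two headers the recipe inspects, and decodes RFC 2231."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(decode_name(name))
    return names


def blocked_attachments(msg):
    """Names ending in a blocked extension, compared case-insensitively
    (procmail also ignores case unless the D flag is set)."""
    return [n for n in attachment_names(msg) if n.lower().endswith(BLOCKED_EXT)]


def scan(raw):
    """Parse a raw message and collect what the notice needs."""
    msg = email.message_from_bytes(raw)
    return {
        'sender': msg.get('From'),
        'subject': msg.get('Subject'),
        'blocked': blocked_attachments(msg),
    }


def notice(report):
    """Text for the recipient (and sender) when something was dropped;
    None when nothing was blocked, so the message can be delivered as is."""
    if not report['blocked']:
        return None
    return ('Executable attachment(s) dropped.\n'
            'From: %s\nSubject: %s\nFile(s): %s\n'
            % (report['sender'], report['subject'],
               ', '.join(report['blocked'])))


if __name__ == '__main__':
    print(notice(scan(SAMPLE)))
```

Run from procmail with a recipe that pipes the message through the script and acts on its exit status or output; the recipe above cannot be made to see unquoted or encoded names without a parser, because that is exactly where a header regexp stops being sufficient.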
