Greetings all,
A colleague of mine asked me to try and solve this problem.
He has a procmailrc designed only to trap "nasties", I assume more
granular user-specific stuff is done via the users' .procmailrc, but
can't comment further. Lately another "nasty" has reared its head and
nothing seems to stop it. Here are the specifics:
In the last few weeks a few emails with .exe and .scr attachments
have got through - all virii. From looking at the message source it has
been observed that they've got their MIME type set to audio/x-wav, but
the file extension looks normal - not double extensions like .jpg.exe.
Note the first recipe caught (until now anyway) all .exe and .scr.
Note: All these have been culled from the procmail list and similar
reputable resources.
My own inept rambling:
I'm wondering if the best way to catch these **latest** nasties is to
insert an *additional* recipe (before/after[?] "octet-stream") possibly
looking something like this:
:0
# audio/x-wav is the type the offending messages carry; application/x-wav would never match
*^Content-type: (multipart/mixed|audio/x-wav)
{
:0 HB
*^Content-Disposition: (attachment|inline);
*filename=".*\.(vbs|wsf|eml|shs|exe|nws|chm|pif|vbe|hta|scr|com|lnk)"
{
#etcetera as below (in the existing procmailrc)
}
}
################################################################
BUT:
Here's the existing procmailrc, irrelevant local comments clipped for
brevity:
################################################################
SHELL=/bin/sh
LOGFILE=/home/log/procmaillog
#changed to /home/log/procmaillog to avoid filling up /var partition
#/var is slightly undersized on Cobalt devices typically
LOGABSTRACT=ALL
VERBOSE=ON
#################################################################
:0
*^Content-type: (multipart/mixed|application/octet-stream)
{
:0 HB
*^Content-Disposition: (attachment|inline);
*filename=".*\.(vbs|wsf|eml|shs|exe|nws|chm|pif|vbe|hta|scr|com|lnk)"
{
SHELL=/bin/bash
:0 fhbw
|/bin/sed -e \
's/\([nN][aA][mM][eE]=".*\.[vV][bB][sS]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[wW][sS][fF]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[eE][mM][lL]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[nN][wW][sS]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[sS][hH][sS]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[eE][xX][eE]\)"/\1.not"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[cC][hH][mM]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[pP][iI][fF]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[hH][tT][aA]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[vV][bB][eE]\)"/\1.txt"/' \
-e \
's/\([nN][aA][mM][eE]=".*\.[sS][cC][rR]\)"/\1.txt"/' \
:0:
/home/tmp/crap
}
}
###############################################################
:0:
* ! ^X-BeenThere: procmail@lists.RWTH-Aachen.DE
* 1^0 B ?? I send you this file in order to have your advice
* 1^0 B ?? I hope you like the file that I send( t)?o you
* 1^0 B ?? This is the file with the information that you ask for
* B ?? See you later(\.|=2E) Thanks
/home/tmp/sircam
##############################################################
:0
* ^From: .*\<hahaha@sexyfun\.net\>
/dev/null
###############################################################
:0
* ^Subject: Young Naked Wife!
/dev/null
################################################################
:0
* ^X-MS-TNEF-Correlator:
* ^Subject:.*homepage
/dev/null
#################################################################
Ideas or suggestions (or major scolding!) anyone????
Headers of specimen payload-bearing emails can be posted if required.
Regards, and as always TIA,
-Colin
--
Colin J. Raven
_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
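The following is an added example, not code from the post above or from the procmail project. It takes the post's own idea (rewrite the attachment name so the recipient's mail client will not run it) and keys it on the attachment's name=/filename= parameter rather than on the message's top-level Content-type, so a part declared as audio/x-wav is handled exactly like one declared as application/octet-stream. The extension list is the one from the post's recipe; the function names, the generated sed script and the two sample messages are constructed for this example. It needs only POSIX sh, sed, grep, tr and cut, so it can be run without procmail to check what the rewrite does to a given message.

```shell
#!/bin/sh
# Added example (not from the original post or from procmail): detect and
# neutralize executable attachments by their declared file name, whatever
# Content-type the part claims. Portable sh/sed/grep/tr/cut only.

# Same extension list as the recipe in the post.
BAD_EXTS="vbs wsf eml shs exe nws chm pif vbe hta scr com lnk"

# ci_pattern exe -> [eE][xX][eE]: a case-insensitive bracket expression for
# a basic regular expression (portable sed has no case-insensitive flag).
ci_pattern() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    upper=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    out=""
    i=1
    while [ "$i" -le "${#lower}" ]; do
        out="$out[$(printf '%s' "$lower" | cut -c "$i")$(printf '%s' "$upper" | cut -c "$i")]"
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# build_sed_script emits one s/// command per extension, equivalent to the
# hand-written -e list in the post but generated from BAD_EXTS so the list
# lives in one place. [^"]* instead of .* keeps the match inside a single
# quoted parameter value. name= also matches inside filename=.
build_sed_script() {
    for ext in $BAD_EXTS; do
        printf 's/\\([nN][aA][mM][eE]="[^"]*\\.%s\\)"/\\1.txt"/\n' "$(ci_pattern "$ext")"
    done
}

# has_nasty_attachment MESSAGE: succeed if any name= or filename= parameter
# anywhere in the message (headers or body, like procmail's HB flag) ends in
# one of the listed extensions, regardless of the part's Content-type.
has_nasty_attachment() {
    alt=$(printf '%s' "$BAD_EXTS" | tr ' ' '|')
    printf '%s\n' "$1" | grep -Eiq "name=\"[^\"]*\\.($alt)\""
}

# neutralize_message MESSAGE: print the message with every dangerous
# attachment name suffixed with .txt (readme.scr -> readme.scr.txt).
neutralize_message() {
    printf '%s\n' "$1" | sed -e "$(build_sed_script)"
}

# Constructed sample resembling the messages described in the post: the part
# is declared audio/x-wav and the file name is a plain .scr, no double extension.
SAMPLE_MSG='From: sender@example.invalid
Subject: here is the file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: audio/x-wav; name="readme.scr"
Content-Disposition: attachment; filename="readme.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--'

# Constructed message with a harmless attachment; it must pass through unchanged.
CLEAN_MSG='From: sender@example.invalid
Subject: minutes
Content-Type: application/octet-stream; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"

JVBERi0xLjQK'

# Stand-alone run: print the rewritten sample message.
if has_nasty_attachment "$SAMPLE_MSG"; then
    neutralize_message "$SAMPLE_MSG"
fi
```

Piping a saved specimen through `neutralize_message "$(cat specimen.eml)"` shows exactly which header parameters the sed expressions touch; since the detection never looks at Content-type, adding a new type such as audio/x-wav to the outer recipe becomes unnecessary, and new extensions are added in one place.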