On Sat, 31 May 2003 11:47:13 +0200, Dallman Ross
<dman(_at_)nomotek(_dot_)com> wrote:
=> On Fri, May 30, 2003 at 09:21:37PM -0700, procmail(_at_)deliberate(_dot_)net wrote:
=> > I just got several extremely nasty looking emails all of
=> > which just now snuck by my otherwise 100% accurate attachment
=> > filters.
I'm still not sure if/why a plain text file should be a
worry, but I do know that good old M$ email client software is
awfully tender sometimes.
=> Not sure why they made it past the old virus checker that Phillip
=> Guenther posted four or five years ago.
I wasn't actually using Philip's filter but one of my own
assembly which only looked for octet-stream, which was all I ever
really needed besides a few specialized tests, like for Klez.
Here's my old [edited] recipe:
:0 B
* > 30000
* $ ^Content-Type:[ 	]application/octet-stream;\>(.*\<)?name=(\")?${VIRUSPGM}(\")?$
{ BLOCK_THIS="Generalized octet-stream virus trap" }
NB: the character class after "Content-Type:" is a literal space and tab; in
the posted mail the condition line wrapped inside it.
=> I use a revised version
=> of it to this day, as one of my only two virus recipes. It caught
=> your sample fine in my test harness. I have yet to see a virus get
=> by both the virus recipes. Here's the one in question, so you
=> can stop reinventing the wheel:
Thanks for posting it.
=> :0 # 030403 () based loosely on an original from Philip Guenther
=> * $ $GO^0 ^Content-[^$WS]+:.*=$DQ?[^$DQ]*\.$NASTYEXT
=> * $ $STOP^0 ! CTYPE ?? ^^multipart
I like the way it uses the Content header to decide on
whether to do the next condition. I haven't used negative
scoring like that, but it makes a lot of sense and makes for
nicely readable and efficient code.
=> * $ B ?? $GO^0 ^Content-[^$WS]+:.*($[$WS].*)*=[$WS]*($[$WS]+)*$DQ?\
=> [^$DQ]*\.$NASTYEXT
I'm confused about the ($[$WS]+)* part. How does that
parse?
=> $GO is an oversaturated "infinity" of 9876543210. $STOP is its negative.
Nice. I use an $OR variable that combines the scoring
part like this:
OR = "2147483647^0"
so that I can write a list of absolutes such as:
:0
* $ $OR sometest here
* $ $OR someothertest here
* $ $OR etc etc etc
{ some spam action }
=> NASTYEXT = (hta|pif|scr|shs|vb[se]|ws[fh]|(doc|txt|xls)\\.)
As previously posted, I use a broader definition for this
set of extensions.
=> Hope that helps.
Except for the confusion above, it does, thanks.
Cheers,
- Don
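As an added example (my own code, not Dallman's or Philip's recipe and not
procmail itself), here is a Python model of the three-condition recipe quoted
above. It assumes $WS is a space-and-tab class and $DQ is a double quote, as
the variable names suggest, and it models procmail scoring the way I read
procmailsc(5): each condition that holds adds its weight, the recipe fires
when the total is positive, and once the running total reaches the 32-bit
limit (+/-2147483647) the remaining conditions are skipped. That is what makes
$GO/$STOP and the $OR trick work: a $GO hit in the top-level headers decides
the recipe before the $STOP condition is even looked at. It also shows what the
($[$WS].*)* and ($[$WS]+)* pieces do: in procmail's regex dialect a bare $
matches a newline, so they absorb folded header continuation lines, written
here as \n. The messages are constructed for the test. Because the posted
NASTYEXT is not anchored after the extension, a name like photo.screenshot.jpg
also matches via ".scr"; NASTYEXT_TIGHT (my variant) requires a quote,
whitespace, ';' or end of line after the extension.

```python
import re

# Weights from the recipe quoted above: an "oversaturated infinity" and its
# negative.  LIMIT is the 32-bit saturation point of procmail scoring as I
# read procmailsc(5); this whole file is a model, not procmail itself.
GO = 9876543210
STOP = -GO
LIMIT = 2147483647

WS = r"[ \t]"   # assumed value of $WS in the quoted recipe

# Extension list as posted.  The (doc|txt|xls)\. branch is the
# double-extension case ("invoice.doc.pif").  Nothing anchors the end of the
# match, so "photo.screenshot.jpg" also matches via ".scr".
NASTYEXT = r"(hta|pif|scr|shs|vb[se]|ws[fh]|(doc|txt|xls)\.)"
# Tightened variant (mine, not from the thread): the extension must be
# followed by a quote, whitespace, ';' or the end of the line.
NASTYEXT_TIGHT = (r'(hta|pif|scr|shs|vb[se]|ws[fh]|(doc|txt|xls)\.[^."\s;]+)'
                  r'(?=["\s;]|$)')


def build_trap(ext):
    """Python rendering of the quoted 'B ??' condition.  In procmail's regex
    dialect a bare '$' matches a newline, so ($[$WS].*)* swallows any number
    of folded continuation lines and ($[$WS]+)* lets the value start on the
    next line; here those newlines are written out as \\n."""
    pattern = (
        r"^Content-[^ \t\n]+:.*(?:\n" + WS + r".*)*"   # header and folded lines
        + r"=" + WS + r"*(?:\n" + WS + r"+)*"          # '=' then optional fold
        + r'"?[^"\n]*\.' + ext                         # name="...<ext>
    )
    return re.compile(pattern, re.MULTILINE | re.IGNORECASE)


TRAP = build_trap(NASTYEXT)
TRAP_TIGHT = build_trap(NASTYEXT_TIGHT)


def split_message(raw):
    """Split a raw message into its header block and body."""
    head, _, body = raw.partition("\n\n")
    return head, body


def get_header(head, name):
    """Return a header's value including folded lines, or '' if absent."""
    m = re.search(r"^" + re.escape(name) + r":[ \t]*(.*(?:\n[ \t].*)*)",
                  head, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else ""


def score_recipe(conditions):
    """Weighted conditions in the w^0 form: a condition that holds adds w;
    once the running total reaches +/-LIMIT the rest are skipped; the recipe
    fires when the total is positive.  conditions: [(weight, callable)]."""
    total = 0
    for weight, test in conditions:
        if test():
            total += weight
        if total >= LIMIT or total <= -LIMIT:
            break
    return total > 0


def nasty_attachment(raw, trap=TRAP):
    """The three-condition recipe quoted above, applied to one raw message."""
    head, body = split_message(raw)
    ctype = get_header(head, "Content-Type")
    return score_recipe([
        (GO, lambda: trap.search(head) is not None),                 # top-level headers
        (STOP, lambda: not ctype.lower().startswith("multipart")),   # single part: stop here
        (GO, lambda: trap.search(body) is not None),                 # MIME part headers
    ])


def _msg(ctype, body):
    """Constructed test message (not a real sample from the thread)."""
    return ("From: sender@example.invalid\nSubject: constructed test\n"
            "MIME-Version: 1.0\n" + ctype + "\n\n" + body)


MULTIPART_NASTY = _msg(
    'Content-Type: multipart/mixed; boundary="XYZ"',
    '--XYZ\nContent-Type: text/plain\n\nhi\n--XYZ\n'
    'Content-Type: application/octet-stream;\n\tname="invoice.doc.pif"\n\nAAAA\n--XYZ--\n')
SINGLEPART_NASTY = _msg(
    'Content-Type: application/octet-stream;\n name=\n "setup.scr"', 'AAAA\n')
PLAIN_TEXT = _msg('Content-Type: text/plain', 'hello\n')
LOOKALIKE = _msg(
    'Content-Type: multipart/mixed; boundary="XYZ"',
    '--XYZ\nContent-Type: image/jpeg;\n name="photo.screenshot.jpg"\n\n...\n--XYZ--\n')

if __name__ == "__main__":
    for label, msg in [("multipart nasty", MULTIPART_NASTY),
                       ("single-part nasty", SINGLEPART_NASTY),
                       ("plain text", PLAIN_TEXT), ("lookalike", LOOKALIKE)]:
        print(f"{label:18} posted={nasty_attachment(msg)!s:5} "
              f"tight={nasty_attachment(msg, TRAP_TIGHT)}")
```

Running it prints one line per constructed message: the plain-text message is
rejected by the $STOP condition before the body is scanned, the single-part
octet-stream message is accepted on the first condition alone, and the
"photo.screenshot.jpg" lookalike is caught by the posted pattern but not by
the tightened one.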
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail