procmail

Re: Recipe for Blocking VBS Files with Procmail

2000-11-30 16:12:22
From: Bennett Todd <bet(_at_)rahul(_dot_)net>

Your message was snagged by my email worm filter, which I have
available from <URL:http://people.oven.com/bet/mailfilt/>. I've been
meaning to try and rewrite it as a procmail filter, although I may
switch goals, as I'm shifting to maildrop (using it with
Courier-IMAP, as they have a harmonious agreement on a virtual user
database /etc/userdb).

I dunno how to translate my mailfilt patterns, which are processed
by PCRE and then later by perl, into procmail regexps, but it
shouldn't be too hard I shouldn't think. . . .

Well, the message was snagged by my procmail worm filter, which
I'll just post.  It is essentially what Philip proposed last winter,
with only very minor adjustment by me to fit my own needs.


  :0  # conditions here came direct from Philip Guenther
  * 9876543210^0 ^Content-[-a-z0-9_]+:.*="?[^"]*\.(vb[se]|ws[fh]|hta|shs)
  * 9876543210^0 B ?? ^Content-[-a-z0-9_]+:.*($[        ].*)*=[  ]*\
                       ($[      ]+)*"?[^"]*\.(vb[se]|ws[fh]|hta|shs)
  { RECIPE = "${RECIPE:+$RECIPE }VIR_01b" }


You can have the action line be to save to a quarantine file.  I
have it assign values to vars that later get logged and also
attached to the message before it is quarantined.

Incidentally, the next one (which came first in my rc) also caught
that mail:

  :0 HB  # probably redundant with next recipe; we'll see
  * ^Content-.*: .*\.(sh|vb)s
  { RECIPE = "${RECIPE:+$RECIPE }VIR_01a" }


I'll probably get rid of this one.  I have been waiting
about 8 months to see if it would catch essentially the
same thing or not.

-- 
Netcom has imploded.  Please now use NOTnetcom.com for mail.
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Ex-Netcommies:  Mail "forwards" for free forwarding service!
NOT affiliated with EarthLink, Inc.'s Netcom brand identity.
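
As an added example (not part of the original post), the two recipes above are translated here into Python regexes and run over constructed messages, to show where VIR_01a and VIR_01b overlap and where they differ. Assumptions: the bracket expressions flattened by the archive are read as space-and-tab, procmail's `$` is rendered as a newline, the two scored conditions are treated as an OR, and `tags` and `SAMPLES` are hypothetical names.

```python
import re

EXT = r'\.(vb[se]|ws[fh]|hta|shs)'
FLAGS = re.I | re.M   # procmail matches case-insensitively unless the D flag is set

# VIR_01a: one pattern, applied to header and body (flags HB).
P01A = re.compile(r'^Content-.*: .*\.(sh|vb)s', FLAGS)
# VIR_01b, first condition: header only. [^"\n] keeps the match on one line,
# an assumption of this example, not something stated on the page.
P01B_HEAD = re.compile(r'^Content-[-a-z0-9_]+:.*="?[^"\n]*' + EXT, FLAGS)
# VIR_01b, second condition (B ??): procmail's `$` becomes \n, so folded
# MIME part headers inside the body are followed explicitly.
P01B_BODY = re.compile(
    r'^Content-[-a-z0-9_]+:.*(\n[ \t].*)*=[ \t]*(\n[ \t]+)*"?[^"\n]*' + EXT, FLAGS)

def tags(message):
    """Return the RECIPE tags the two recipes would set for a raw message."""
    head, _, body = message.partition('\n\n')
    head = re.sub(r'\n(?=[ \t])', '', head)   # procmail unfolds header lines
    found = []
    if P01A.search(head) or P01A.search(body):
        found.append('VIR_01a')
    if P01B_HEAD.search(head) or P01B_BODY.search(body):   # scored as an OR
        found.append('VIR_01b')
    return found

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    'one-line part header': 'Subject: a\n\n--b\n'
        'Content-Disposition: attachment; filename="invoice.vbs"\n\nx\n',
    'folded part header': 'Subject: b\n\n--b\n'
        'Content-Type: application/octet-stream;\n\tname="report.vbs"\n\nx\n',
    'other extension': 'Subject: c\n\n--b\n'
        'Content-Type: application/octet-stream; name=notes.hta\n\nx\n',
    'no equals sign': 'Subject: d\n\n--b\n'
        'Content-Description: old macro.vbs\n\nx\n',
    'folded top-level header': 'Subject: e\n'
        'Content-Type: application/octet-stream;\n name="card.shs"\n\nx\n',
    'plain text mention': 'Subject: f\nContent-Type: text/plain;\n'
        ' charset="us-ascii"\n\nPlease do not open file.vbs.\n',
}

if __name__ == '__main__':
    for label, msg in SAMPLES.items():
        print(f'{label:24} {tags(msg)}')
```

Under these assumptions, a filename on a folded continuation line in the body is seen only by VIR_01b, while a .vbs name on a Content- line with no equals sign is seen only by VIR_01a.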