"David W. Tamkin" <dattier(_at_)ripco(_dot_)com> writes:
Sean advised Zvika,
| # Various .VBS, .BAT, and .PIF virus/worms/trojans
| :0:
| * 9876543210^0 ^Content-[-a-z0-9_]+:.*="?[^"]*\.(vbs|bat|pif)
| * 9876543210^0 B ?? ^Content-[-a-z0-9_]+:.*($[ ].*)*="?[^"]*\.(vbs|bat|pif)
| $MAILDIR/infected.mbx
explaining,
| The scoring is used here to say "if we found it in the header, don't bother
| wasting the cycles to look for it in the body."
If there is no weight on the recipe (or the "x" value of the weight is 0),
the condition is an unnegated regexp, and procmail finds a match, doesn't it
declare the condition a match and stop looking through the rest of the search
area?
As I understand, it does, so
# Various .VBS, .BAT, and .PIF virus/worms/trojans
:0HB:
* ^Content-[-a-z0-9_]+:.*="?[^"]*\.(vbs|bat|pif)
$MAILDIR/infected.mbx
should accomplish the same thing with the same efficiency, plus the additional
efficiency of having far less rcfile text to slog through.
Well, you missed a slight difference between the two regexps: the
body one has to handle wrapped header fields explicitly. However, the
additional regexp code to handle that will not affect its ability to
match occurrences in the header but rather only slow it down slightly.
Even better, however, is to only search the body if the header specifies
a multipart message.
# First, check to see if the entire message is the virus/worm/etc
:0
* ^Content-[-a-z0-9_]+:.*=[ ]*"?[^"]*\.(vbs|bat|pif)
$MAILDIR/infected.mbx
# If the message is multipart, check the body
:0
* ^Content-Type:.*multipart
* B ?? ^Content-[-a-z0-9_]+:.*($[ ].*)*=[ ]*($[ ]+)*"?\
[^"]*\.(vb[se]|ws[fhe]|hta|shs|exe|pif|dll|scr)
$MAILDIR/infected.mbx
I've added some other nasty suffixes to the list.
Philip Guenther
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
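
The two-recipe check from the message above, rendered in Python as an added example (not part of the original post and not procmail code). The regexes are Python `re` approximations of the procmail ones, `classify` and the sample messages are constructed here, and the second recipe's suffix list is used for both checks.

```python
import re

# Suffix list copied from the second recipe in the message above.
EXT = r"\.(?:vb[se]|ws[fhe]|hta|shs|exe|pif|dll|scr)"
FLAGS = re.I | re.M  # case-insensitive; ^ anchors at every line start

# Header form: applied to unfolded fields, one logical line per field.
HEADER_RE = re.compile(r'^Content-[-a-z0-9_]+:.*=[ \t]*"?[^"\n]*' + EXT, FLAGS)
# Body form: MIME part headers are still folded, so continuation lines
# (newline followed by space or tab) are allowed before and after the "=".
BODY_RE = re.compile(
    r'^Content-[-a-z0-9_]+:.*(?:\n[ \t].*)*=[ \t]*(?:\n[ \t]+)*"?[^"\n]*' + EXT,
    FLAGS)


def classify(raw):
    """Return 'header', 'body' or None for a raw RFC 822 message string."""
    header, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    unfolded = re.sub(r"\n[ \t]+", " ", header)  # join wrapped fields
    if HEADER_RE.search(unfolded):
        return "header"
    # Only a multipart message carries per-part Content-* fields in its body.
    multipart = re.search(r"^Content-Type:.*multipart", unfolded, FLAGS)
    if multipart and BODY_RE.search(body):
        return "body"
    return None


# Constructed sample messages (not taken from real mail).
WHOLE = ('From: a@example.com\nContent-Type: application/octet-stream;\n'
         ' name="notes.vbs"\n\nAAAA\n')
FOLDED_PART = ('From: a@example.com\n'
               'Content-Type: multipart/mixed; boundary="b1"\n\n'
               '--b1\nContent-Type: text/plain\n\nhello\n'
               '--b1\nContent-Type: application/octet-stream\n'
               'Content-Disposition: attachment;\n\tfilename="invoice.scr"\n\nAAAA\n--b1--\n')
BENIGN = ('From: a@example.com\nContent-Type: multipart/mixed; boundary="b1"\n\n'
          '--b1\nContent-Type: application/pdf\n'
          'Content-Disposition: attachment; filename="report.pdf"\n\nAAAA\n--b1--\n')
TEXT_ONLY = ('From: a@example.com\nContent-Type: text/plain\n\n'
             'Content-Disposition: attachment; filename="a.exe"\n')

if __name__ == "__main__":
    for name in ("WHOLE", "FOLDED_PART", "BENIGN", "TEXT_ONLY"):
        print(name, classify(globals()[name]))
```

Applying `HEADER_RE` directly to the body of `FOLDED_PART` finds nothing, because the `filename=` parameter sits on a continuation line; that is the wrapped-field case the body regexp handles explicitly.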