procmail

Re: spamfilter recipe alteration

2001-03-06 20:17:16
At 19:51 2001-03-06 -0500, I l i a n a F i l b y wrote:
> In the above case, you can see I'm filtering out email with the `Here
> you have, ;o' subject.  I'd like to make a similar filter, but I'd like
> to filter a specific attachment instead of a specific subject (NakedWife.exe).

I'd recommend that you look in the list archives over the past week, in which there was a discussion about how to optimally filter for attachments of various types, titled "Virus Protection" (which IS what you're doing, not spam filtering). .exe, .pif, .vbs, and some others were of specific interest. That recipe could easily be modified to target only specific attachment names.

> Could one of you please tell me how to alter the recipe I'm using
> accordingly?

Your specific rule is inappropriate for 'modification' to handle a totally different type of condition.

From Philip's post:

# First, check to see if the entire message is the virus/worm/etc
:0
* ^Content-[-a-z0-9_]+:.*=[ ]*"?\
        [^"]*\.(vb[se]|ws[fhe]|hta|shs|exe|pif|dll|scr)
$MAILDIR/infected.mbx

# If the message is multipart, check the body
:0
* ^Content-Type:.*multipart
* B ?? ^Content-[-a-z0-9_]+:.*($[       ].*)*=[ ]*($[   ]+)*"?\
        [^"]*\.(vb[se]|ws[fhe]|hta|shs|exe|pif|dll|scr)
$MAILDIR/infected.mbx


Tweak as per your needs - basically, the entire contents of the continuation of the content match could be replaced with the filename you're trying to match:

:0
* ^Content-[-a-z0-9_]+:.*=[ ]*"?\
        nakedwife\.exe
$MAILDIR/infected.mbx


Note that while this particular trojan might have a constant name, the generic stuff shown further above will capture a variety of the "stealth" attachments which simply change the attachment name.

IMO, if someone needs to validly send a script or program executable in this day and age, they can send the damn thing in a ZIP or other archive - and everyone I do business with is made very aware of my position on this.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.
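
The two variants discussed in the message above (match on a list of extensions, or on one exact attachment name), as an added Python example that is not part of the original post or of procmail. The function name, the `exact_names` parameter and the sample message are assumptions made for illustration; the extension list is the one in the quoted recipe.

```python
import email
import re

# Extension list copied from the recipe quoted above. Anchored at the end of
# the name here, unlike the recipe's unanchored match.
RISKY_EXT = re.compile(r"\.(vb[se]|ws[fhe]|hta|shs|exe|pif|dll|scr)$", re.I)

def flagged_attachments(raw, exact_names=None):
    """Return the attachment filenames that should be quarantined.

    With exact_names set, match only those names (the single-filename
    variant); otherwise match on extension (the generic variant).
    """
    wanted = {n.lower() for n in exact_names} if exact_names else None
    hits = []
    for part in email.message_from_bytes(raw).walk():
        # get_filename() copes with folded headers and reads filename= from
        # Content-Disposition, falling back to name= on Content-Type.
        fname = part.get_filename()
        if not fname:
            continue
        if wanted is not None:
            matched = fname.lower() in wanted
        else:
            matched = RISKY_EXT.search(fname) is not None
        if matched:
            hits.append(fname)
    return hits

# Constructed sample message (not real traffic); the second part's headers
# are folded onto a tab-indented continuation line.
SAMPLE = (
    b"From: sender@example.com\nTo: rcpt@example.com\n"
    b"Subject: constructed test message\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/plain\n\nhello\n"
    b'--b1\nContent-Type: application/octet-stream;\n\tname="NakedWife.exe"\n'
    b'Content-Disposition: attachment;\n\tfilename="NakedWife.exe"\n\nAAAA\n'
    b'--b1\nContent-Type: application/zip; name="tools.zip"\n'
    b'Content-Disposition: attachment; filename="tools.zip"\n\nAAAA\n'
    b"--b1--\n"
)

if __name__ == "__main__":
    print(flagged_attachments(SAMPLE))
    print(flagged_attachments(SAMPLE, exact_names=["nakedwife.exe"]))
```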
