
Re: Antivirus Recipe

2001-04-23 14:00:14
At 13:45 2001-04-23 -0500, Chris Cook wrote:
        I am using a recipe to filter emails that contain known attached
viruses.  The problem is that the recipe is also dumping messages that

What I do below doesn't address the base problem with your filter -- the logic isn't adequate. There have been rather good attachment filters discussed on this list in the not too distant past.

PS - If anyone could point me to a script that has a feature to also
send a notification email that the message was infected with a virus,
that would be great.  Thanks!

You should consider checking the list archives. Notably, where you currently /dev/null the message, you'd use a pipe delivery to the standard syntax for an autoreply.


Turn on verbose logging and send some messages through which SHOULD trigger it, and some which SHOULDN'T, but do. Then examine the log.


The first thing I see wrong is that in your braced rules, you have one rule that checks for a certain text in the body (though notably, you're NOT checking to see if it is the filename) -- and do NOTHING for delivery, following that with another rule that says "throw this bugger away just because".

When you haven't yet debugged a script, it's a good idea to toss the filtered messages into a file rather than sending them directly to trash.

Note, since every one of your rules has the same content type check, you should just wrap them. Also, .* at the END of a line regexp is um, unneeded. Think about it.


:0 hBHw
* ^Content-type: (multipart/mixed|application/octet-stream)
{
        :0B
        * .*creative\.exe
        /dev/null

        :0B
        * .*KDDKNHKD\.EXE
        /dev/null

        :0B
        * .*Navidad\.exe
        /dev/null

        # let me point out this is TERRIBLY vague
        :0B
        * .*\.(vbs|wsf|shs|scr)

        :0B
        * .*dwarf4you\.exe
        /dev/null

        :0B
        * .*porno\.exe
        /dev/null

        :0B
        * .*joke\.exe
        /dev/null

        :0B
        * .*atchim\.exe
        /dev/null

        :0B
        * .*Emanuel\.exe
        /dev/null

        :0B
        * .*NakedWife\.exe
        /dev/null
}

The above rewrite could be consolidated further by combining the filenames in an OR arrangement:

        * .*(Emanuel\.exe|NakedWife\.exe)

etc.


:0 hBHw
 *^Content-type: (multipart/mixed|application/octet-stream)
 {
     :0 B
     * .*NakedWife\.exe.*
:0
}
/dev/null
}

This syntax is screwed as well - follow your braces. See what your logfile says about unmatched braces.


---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
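For readers following the advice in this reply, here is one recipe that pulls it together (a single wrapping content-type check, filenames OR'd into one condition that tests the MIME filename parameter, file delivery instead of /dev/null while debugging, verbose logging, and the pipe-delivery autoreply). It is an added example, not code from the original post or from either participant; the address, the paths and the filename list are assumptions.

```procmail
# Added example (not from the original thread).  The address, paths and
# the filename list below are assumed/constructed for illustration.
VERBOSE=yes                              # verbose log while the filter is being debugged
LOGFILE=$HOME/procmail.log
QUARANTINE=$HOME/mail/quarantine         # a file, not /dev/null, until the filter is trusted

# One content-type check (header only) wraps every attachment test.
:0
* ^Content-Type: (multipart/mixed|application/octet-stream)
{
    # Look for the filename parameter of a MIME part inside the body rather
    # than any occurrence of the text.  procmail matches case-insensitively
    # by default, and no leading or trailing .* is needed.
    :0 B
    * ^Content-(Type|Disposition):.*(name|filename)="?(creative|Navidad|NakedWife|dwarf4you|porno|joke|atchim|Emanuel)\.exe
    {
        # Notification via pipe delivery: formail -r builds a reply header
        # from the original headers (h flag), c keeps the original moving.
        # The FROM_DAEMON and X-Loop conditions stop the notice from
        # answering bounces or its own replies.
        :0 hc
        * !^FROM_DAEMON
        * !^X-Loop: you@example\.invalid
        | (formail -r -I"Precedence: junk" -A"X-Loop: you@example.invalid"; \
           echo "Your message was held: it carried a known-infected attachment.") \
          | $SENDMAIL -oi -t

        # Quarantine the original so false positives can be recovered.
        :0
        $QUARANTINE
    }
}
```

With VERBOSE on, the log shows which condition each test message matched or missed, which is the check the reply above recommends before pointing any rule at /dev/null.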
