Yea, metamail(1) with the -w argument might work. You will have to
look at the man page on how to disable interactive prompts. It's kind
of complicated with metamail. It's the -d or -x argument(s), or
MM_NOASK and maybe the MM_NOASK variable, or something like that.
Maybe metasend(1) can be coerced to send the attachmentless message
back to the user, too.
John
poohba(_at_)poohba(_dot_)adsl(_dot_)duke(_dot_)edu writes:
I am wondering if you can remove the attachment and save just the attachment
to a file? Right now I am using what you said and saving the entire body but
I don't want the whole body.
John Conover wrote:
I haven't tried it, but instead of a quarantine account, something
like:
:0 wfh
* ^content-type: +.*multipart
| formail -R "Content-Type:" "X-Content-Type:"
to change:
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C0F80F.92E8C4A0"
to:
X-Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C0F80F.92E8C4A0"
might defang the attachment in a malicious e-mail.
Letting the e-mail go into a user's mailbox without a "Content-type: "
record might be a simpler approach to protect Outlook users on a large
site, (the quarantine account fills up pretty fast.)
I suppose that one could set up a Smartlist/Procmail account where
users could bounce such messages for changing the "X-Content: " back
to a "Content-type: " and then return the message back to the user.
Might work. Anyone familiar with Outlook that could verify it?
John
John Conover writes:
#
# Encrypted attachments can not be searched:
#
:0
* ^content-type:.*multipart/((signed)|(encrypted));
! quarantine(_at_)somedomain(_dot_)com
#
# All other mime mail can contain embedded, uuencode, or html
# malicious code:
#
:0 B
* -3^0
* 4^0 name *= *".*\.(dat|html?|ini|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd])(\..*)?" *$
* 4^0 ^begin +[0-9]+ +.*\.(dat|html?|ini|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd])(\..*)? *$
* 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
* 2^0 \<(meta|app|script|object|embed|i?frame|layer)
* 2^0 =3d
! quarantine(_at_)somedomain(_dot_)com
might catch most things.
Things that are suspicious are diverted to the
quarantine(_at_)somedomain(_dot_)com special account.
John
BTW, the detection of malicious HTML, (the last three conditions,)
code is kind of weak in this implementation, and should probably be
re-written; the trouble is that messages produced by MS products have
the '=3d' malicious parts that can span lines, giving negative
positives.
Maybe someone could contribute a better implementation.
Bruno Lobato writes:
Hi;
How can I know whether an e-mail comes with an attachment and if it is
an .exe file? I want to re-direct all the messages with .exe attachment
file to a special account.
--
John Conover Tel. 408.370.2688 conover(_at_)rahul(_dot_)net
631 Lamont Ct. Fax. 408.379.9602 http://www.johncon.com/
Campbell, CA 95008 Cel. 408.772.7733
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
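
The header rename proposed above (formail -R "Content-Type:" "X-Content-Type:"), sketched in Python as an added example that is not code from the thread. The sample message and the function names are constructed here, and the check uses Python's email parser, not Outlook, so it leaves the question about Outlook's behaviour open.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): folded multipart header, one attachment.
SAMPLE = (
    "From: sender@example.com\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed;\n"
    '\tboundary="XYZ"\n'
    "\n"
    "--XYZ\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--XYZ\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="a.exe"\n'
    "\n"
    "placeholder bytes\n"
    "--XYZ--\n"
)

# Same condition as the recipe: * ^content-type: +.*multipart (case-insensitive).
COND = re.compile(r"^content-type: +.*multipart", re.I | re.M)

def _rename(raw, old, new):
    """Rename a field in the top-level header only (the recipe's 'h' flag)."""
    head, sep, body = raw.partition("\n\n")
    # Only the field name changes; folded continuation lines keep the boundary.
    head = re.sub(r"^%s:" % re.escape(old), new + ":", head, flags=re.I | re.M)
    return head + sep + body

def defang(raw):
    """Content-Type -> X-Content-Type when the header declares multipart."""
    head = raw.partition("\n\n")[0]
    return _rename(raw, "Content-Type", "X-Content-Type") if COND.search(head) else raw

def refang(raw):
    """Reverse step, as the bounce account described in the thread would do."""
    return _rename(raw, "X-Content-Type", "Content-Type")

def attachment_names(raw):
    """Filenames a MIME parser (Python's email package) finds in the message."""
    return [p.get_filename() for p in message_from_string(raw).walk() if p.get_filename()]

if __name__ == "__main__":
    quarantined = defang(SAMPLE)
    print(attachment_names(SAMPLE), attachment_names(quarantined))
    print(refang(quarantined) == SAMPLE)
```

The MIME part headers inside the body are left alone, so restoring the one top-level field is enough to get the original message back.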