procmail
[Top] [All Lists]

Re: Filtering attachments

2001-06-18 18:32:13

Yea, metamail(1) with the -w argument might work. You will have to
look at the man page on how to disable interactive prompts. Its kind
of complicated with metamail. Its the -d or -x argument(s), or
MM_NOASK and maybe the MM_NOASK variable, or something like that.

Maybe metasend(1) can be coerced to send the attachment'less message
back to the user, too.

        John

poohba(_at_)poohba(_dot_)adsl(_dot_)duke(_dot_)edu writes:
I am wondering if you can remove the attachment and save just the attachment 
to a file?  Right Now I am using what you said and saving the entire body but 
I don't want the whole body.

John Conover wrote:

I haven't tried it, but instead of a quarantine account, something
like:

    :0 wfh
    * ^content-type: +.*multipart
    | formail -R "Content-Type:" "X-Content-Type:"

to change:

    Content-Type: multipart/alternative;
        boundary="----_=_NextPart_001_01C0F80F.92E8C4A0"

to:

    X-Content-Type: multipart/alternative;
        boundary="----_=_NextPart_001_01C0F80F.92E8C4A0"

might defang the attachment in a malicious e-mail.

Letting the e-mail go into a user's mailbox without a "Content-type: "
record might be a simpler approach to protect Outlook users on a large
site, (the quarantine account fills up pretty fast.)

I suppose that one could set up a Smartlist/Procmail account where
users could bounce such messages for changing the "X-Content: " back
to a "Content-type: " and then returns the message back to the user.

Might work. Anyone familiar with Outlook that could verify it?

        John

John Conover writes:

    #
    # Encrypted attachements can not be searched:
    #
    :0
    * ^content-type:.*multipart/((signed)|(encrypted));
    ! quarantine(_at_)somedomain(_dot_)com
    #
    # All other mime mail can contain embedded, uuencode, or html
    # malicious code:
    #
    :0 B
    * -3^0
    * 4^0 name *= 
*".*\.(dat|html?|ini|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd])(\..*)?"
 *$
    * 4^0 ^begin +[0-9]+ 
+.*\.(dat|html?|ini|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd])(\..*)?
 *$
    * 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
    * 2^0 \<(meta|app|script|object|embed|i?frame|layer)
    * 2^0 =3d
    ! quarantine(_at_)somedomain(_dot_)com

might catch most things.

Things that are suspicious are diverted to the
quarantine(_at_)somedomain(_dot_)com special account.

        John

BTW, the detection of malicious HTML, (the last three conditions,)
code is kind of weak in this implementation, and should probably be
re-written; the trouble is that messages produced by MS products have
the '=3d' malicious parts that can span lines, giving negative
positives.

Maybe someone could contribute a better implementation.

Bruno Lobato writes:

Hi;
How can I know whether an e-mail comes with an attachment and if it is =
an .exe file? I want to re-direct all the messages with .exe attachment 
=
file to a special account.

--

John Conover        Tel. 408.370.2688  conover(_at_)rahul(_dot_)net
631 Lamont Ct.      Fax. 408.379.9602  http://www.johncon.com/
Campbell, CA 95008  Cel. 408.772.7733

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
-- 

John Conover        Tel. 408.370.2688  conover(_at_)rahul(_dot_)net
631 Lamont Ct.      Fax. 408.379.9602  http://www.johncon.com/
Campbell, CA 95008  Cel. 408.772.7733  

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail

<Prev in Thread] Current Thread [Next in Thread>