
Re: Filtering attachments

2001-06-24 12:34:29

Hi Stephen. It means that if the message contains either a filename,
or is uuencoded, it will be quarantined, or if it contains any two of
the three, an html document, or script, or =3d, then it will be

   -3 + 4 = +1
   -3 + 2 + 2 = +1

so it's a logical 'or' and 'and' combination.


Stephen Patterson writes:
On 18/06, John Conover scribed:

    # Encrypted attachments can not be searched:
    :0
    * ^content-type:.*multipart/((signed)|(encrypted));
    ! quarantine(_at_)somedomain(_dot_)com
    # All other mime mail can contain embedded, uuencode, or html
    # malicious code:
    :0 B
    * -3^0
    * 4^0 name *= 
    * 4^0 ^begin +[0-9]+ 
    * 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
    * 2^0 \<(meta|app|script|object|embed|i?frame|layer)
    * 2^0 =3d
    ! quarantine(_at_)somedomain(_dot_)com

might catch most things.

Things that are suspicious are diverted to the
quarantine(_at_)somedomain(_dot_)com special account.

BTW, the detection of malicious HTML, (the last three conditions,)
code is kind of weak in this implementation, and should probably be
re-written; the trouble is that messages produced by MS products have
the '=3d' malicious parts that can span lines, giving negative

Maybe someone could contribute a better implementation.

What does the line starting * -3^0 do? I can make sense of the rest
(which I've added to my  .procmailrc :) ).

Bruno Lobato writes:

How can I know whether an e-mail comes with an attachment and if it is
an .exe file? I want to re-direct all the messages with .exe attachment
file to a special account.


John Conover        Tel. 408.370.2688  conover(_at_)rahul(_dot_)net
631 Lamont Ct.      Fax. 408.379.9602
Campbell, CA 95008  Cel. 408.772.7733  

procmail mailing list
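
Added example, not part of the original thread: a Python sketch of how
procmail totals the weighted conditions of the ":0 B" recipe quoted above.
The regex translations (notably "\<" as start-of-line or a non-word
character) and the sample bodies are assumptions constructed for illustration.

```python
import re

# Weighted conditions from the ":0 B" recipe, as (weight, pattern).
# procmail matches case-insensitively and line by line; "\<" is approximated
# here as "start of line or a non-word character" (an assumption).
FLAGS = re.IGNORECASE | re.MULTILINE
CONDITIONS = [
    (-3, r""),                  # "* -3^0": empty regex always matches
    (4, r"name *="),            # MIME part that carries a filename
    (4, r"^begin +[0-9]+ "),    # uuencode header line
    (2, r"(?:^|\W)(?:!doctype|html|head|title|body|style|img|bgsound|div)"),
    (2, r"(?:^|\W)(?:meta|app|script|object|embed|i?frame|layer)"),
    (2, r"=3d"),                # quoted-printable encoded "="
]


def score(body: str) -> int:
    """Sum the weights of the conditions that match.

    With an exponent of 0 (the "^0"), a condition counts once no matter
    how many times its pattern occurs in the body.
    """
    return sum(w for w, pat in CONDITIONS if re.search(pat, body, FLAGS))


def quarantined(body: str) -> bool:
    """A scored recipe succeeds only when the final total is positive."""
    return score(body) > 0


# Constructed sample bodies (not real mail).
SAMPLES = {
    "plain text": "Hello,\nsee you at the meeting tomorrow.\n",
    "named attachment": 'Content-Disposition: attachment; filename="report.exe"\n',
    "uuencoded": "begin 644 notes.txt\nM5&AI<R!I<R!A('1E<W0*\nend\n",
    "html only": "<html><body>Hi</body></html>\n",
    "html + script": "<html><script>x()</script></html>\n",
    "html + =3d": '<div class=3D"x">Hi</div>\n',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:18} score={score(body):+d} quarantined={quarantined(body)}")
```

A single HTML hit totals -3 + 2 = -1 and is delivered normally, while a
filename or a uuencode header alone is enough to reach +1.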
