Re: Filtering attachments

Hi Stephen. It means that if the message contains either a filename,
or is uuencoded, it will be quarantine, or if it contains any two of
the three, an html document, or script, or =3d, then it will be
quarantined.

   -3 + 4 = +1
   -3 + 2 + 2 = +1

so its a logical 'or' and 'and' combination.

        John

Stephen Patterson writes:
> On 18/06, John Conover scribed:
> >     #
> >     # Encrypted attachements can not be searched:
> >     #
> >     :0
> >     * ^content-type:.*multipart/((signed)|(encrypted));
> >     ! quarantine(_at_)somedomain(_dot_)com
> >     #
> >     # All other mime mail can contain embedded, uuencode, or html
> >     # malicious code:
> >     #
> >     :0 B
> >     * -3^0
> >     * 4^0 name *= 
> > *".*\.(dat|html?|ini|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd])(\..*)?"
> >  *$
> >     * 4^0 ^begin +[0-9]+ 
> > +.*\.(dat|html?|ini|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd])(\..*)?
> >  *$
> >     * 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
> >     * 2^0 \<(meta|app|script|object|embed|i?frame|layer)
> >     * 2^0 =3d
> >     ! quarantine(_at_)somedomain(_dot_)com
> >
> > might catch most things.
> >
> > Things that are suspicious are diverted to the
> > quarantine(_at_)somedomain(_dot_)com special account.
> >
> >         John
> >         
> > BTW, the detection of malicious HTML, (the last three conditions,)
> > code is kind of weak in this implementation, and should probably be
> > re-written; the trouble is that messages produced by MS products have
> > the '=3d' malicious parts that can span lines, giving negative
> > positives.
> >
> > Maybe someone could contribute a better implementation.
> What does the line starting * -3^0 do? I can make sense of the rest
> (which I've added to my  .procmailrc :) ).
>
> > Bruno Lobato writes:
> > > Hi;
> > > How can I know whether an e-mail comes with an attachment and if it is =
> > > an .exe file? I want to re-direct all the messages with .exe attachment =
> > > file to a special account.
-- 

John Conover        Tel. 408.370.2688  conover(_at_)rahul(_dot_)net
631 Lamont Ct.      Fax. 408.379.9602  http://www.johncon.com/
Campbell, CA 95008  Cel. 408.772.7733  

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail