
Re: SirCam filter

2001-07-24 12:45:11
I have seen SirCam with ".lnk" extensions, too (and have heard that
".cmd" has been used also):

    :0 B
    * 1^0 name *= *".*\.(dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])(\..*)?" *$
    {
        # whatever you want to do with a quarantined message.
    }

is a more complete set of extensions to look for, and:

    :0 B
    * -3^0
    * 4^0 name *= *".*\.(dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])(\..*)?" *$
    * 4^0 ^begin +[0-9]+ +.*\.(dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])(\..*)? *$
    * 4^0 ^content-transfer-encoding: *base64
    * 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
    * 2^0 \<(meta|app|script|object|embed|i?frame|layer)
    * 2^0 =3d
    {
        # whatever you want to do with a quarantined message.
    }

will catch most other potentially malicious attachments (albeit the
html detection is too aggressive).

        John

i. l. i. a. n. a. f. i. l. b. y. writes:
Hi

Could someone please look over this filter recipe which I cobbled
together?  I'm not good at this but I need to put something in place,
and I'd like to confirm that this recipe won't break anything.  Much.

Thanks.

############################################################
# SirCam protection
:0 HB
* ^Content-Disposition: attachment;
* filename=".*\.(exe|com)"
{
   LOG='REJECT - SirCam'
   
   :0
   /var/tmp/SirCam-quarantine
}
-- 

John Conover        Tel. 408.370.2688  conover(_at_)rahul(_dot_)net
631 Lamont Ct.      Fax. 408.379.9602  http://www.johncon.com/
Campbell, CA 95008  Cel. 408.772.7733  

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
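The scored recipe above, re-expressed as a Python scorer so its weights can be checked against sample messages (an added example, not code from the original post; the extension list is copied from the recipe, procmail's \< is approximated by a literal "<", and the sample messages are constructed):

```python
import re

# Extension alternation copied from the recipe above; procmail regexes are
# case-insensitive, so the searches below use re.IGNORECASE.
EXT = (r"(?:dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]|"
       r"xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|"
       r"ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])")

# (weight, pattern) pairs mirroring the w^0 conditions of the scored recipe.
# Exponent 0 means a condition adds its weight once, however often it matches.
# procmail's \< (the character before a word) is approximated by a literal "<".
CONDITIONS = [
    (4, r'name *= *".*\.' + EXT + r'(?:\..*)?" *$'),       # MIME name= param
    (4, r'^begin +[0-9]+ +.*\.' + EXT + r'(?:\..*)? *$'),  # uuencode header
    (4, r'^content-transfer-encoding: *base64'),
    (2, r'<(?:!doctype|html|head|title|body|style|img|bgsound|div)'),
    (2, r'<(?:meta|app|script|object|embed|i?frame|layer)'),
    (2, r'=3d'),                                          # quoted-printable "="
]
START_SCORE = -3   # the "* -3^0" line; the recipe fires when the total is > 0

def score(raw_message):
    """Return the recipe's score for one raw RFC 822 message."""
    _, _, body = raw_message.partition("\n\n")   # B flag: body only
    total = START_SCORE
    for weight, pattern in CONDITIONS:
        if re.search(pattern, body, re.IGNORECASE | re.MULTILINE):
            total += weight
    return total

def should_quarantine(raw_message):
    return score(raw_message) > 0

# Constructed sample messages, not real captures.
SIRCAM_LIKE = (
    "From: friend@example.invalid\nSubject: I send you this file\n"
    'Content-Type: multipart/mixed; boundary="bb"\n\n--bb\n'
    'Content-Type: application/octet-stream; name="budget.doc.pif"\n'
    "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA//8AALgAAAAA\n--bb--\n"
)
PLAIN_TEXT = "From: a@example.invalid\nSubject: lunch\n\nSee you at noon.\n"
QP_HTML = (   # ordinary HTML newsletter that the html and =3D conditions over-match
    "From: news@example.invalid\nContent-Type: text/html\n"
    "Content-Transfer-Encoding: quoted-printable\n\n"
    '<html><body><a href=3D"http://example.invalid/">hi</a></body></html>\n'
)
```

The QP_HTML sample shows the over-match John mentions: two 2^0 conditions (an HTML tag plus a quoted-printable =3D) are enough to push an ordinary newsletter above zero.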
