Ah, I did misunderstand what the ".*\.(exe|com)" part of the filter did
(rather badly misunderstood, in fact). I missed the `latest epidemic'
thread and will look there for a suitable filter.
Thanks much.
../i
Professional Software Engineering wrote:
At 14:41 2001-07-24 -0400, i l i a n a f i l b y wrote:
############################################################
# SirCam protection
:0 HB
* ^Content-Disposition: attachment;
* filename=".*\.(exe|com)"
{
LOG='REGJECT - SirCam'
Your rejection message is laying claim that any attachment with a .com or
.exe in it is the SirCam virus. That seems a bit harsh - while .com and
.exe (and a plethora of other extensions on PCs) will typically be an
attachment to be wary of, they're not ALL Sircam. However, Sircam uses a
number of other extensions - basically anything which would invoke Windows
to execute the application (.pif, .lnk, .bat are some examples which come
to mind, though I'm sure there are many others).
I think people are overlooking the usefulness of a simple mime filter -
certainly, an external program which must be invoked (not simply a procmail
filter), but one which could physically remove the attachments from a
message and then pass the message along (with a footer indicating that
content was removed). I use a mime filter for several mailing lists I run
through procmail - it gives me the power to eliminate richtext and file
attachments from the list, while not simply rejecting posts.
Perhaps someone who has received this virus can answer a question: does the
ATTACHMENT itself mutate? Not the name, but the actual binary? If it
doesn't, then some part of the mime encoding could be matched, (say, after
checking content-length which would be an inexpensive initial check), which
would give you a positive lock on the virus, without ditching, say,
conversations ABOUT the virus.
P.S. Would it be less prone to trouble if I somehow added something
like this in addition to the recipe above:
Yes, searching for specific matching text within the body would be much
less likely to eat other messages which you may normally want (or at least
which isn't Sircam).
I'd be prone to just use one of the rules presented in "the latest epidemic"
thread though - people are already using them.
- Sean (who, thankfully, hasn't received even one copy of this yet) Straw
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
--
i l i a n a   f i l b y * 6 0 3 . 4 4 8 . 0 0 0 9
t e c h   s u p p o r t
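The following is an added example and not code from this thread or from either poster. It puts Sean's two points into running form: the quoted recipe, with its `HB` flags, fires on any text of the form `filename="...exe"` anywhere in the message (a legitimate .exe attachment, or a mail that merely talks about one), while missing a worm copy that arrives as a .pif; a narrower test that requires both a double-extension executable attachment and the worm's body text does not. It also sketches the attachment-stripping MIME filter Sean describes. The SirCam filename pattern and body phrase are taken from the public SirCam write-ups (CERT CA-2001-22), not from this thread, and all sample messages are constructed here.

```python
"""Added example, not code from the procmail thread: compare the quoted
.exe/.com recipe with a narrower SirCam match, plus the attachment-stripping
MIME filter Sean describes. All sample messages are constructed here."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Equivalent of the quoted recipe. ':0 HB' tries the regex against the header
# AND the body, unanchored, so any text of the form filename="...exe" or
# filename="...com" anywhere in the message triggers it. procmail matches are
# case-insensitive unless the D flag is given, hence IGNORECASE.
BROAD_RE = re.compile(r'filename=".*\.(exe|com)"', re.IGNORECASE)

# Narrower match. The double-extension filename and the body phrase come from
# the public SirCam write-ups (CERT CA-2001-22), not from this thread.
DOUBLE_EXT_RE = re.compile(r'\.[a-z0-9]{1,4}\.(exe|com|pif|lnk|bat)$', re.I)
SIRCAM_PHRASE = 'I send you this file in order to have your advice'
EXEC_EXTS = ('.exe', '.com', '.pif', '.lnk', '.bat')


def build_message(body: str, attachment: str = '') -> str:
    """Constructed sample message (not a real capture); bytes are a fake PE stub."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.com'
    msg['To'] = 'list@example.com'
    msg['Subject'] = 'report'
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b'MZ\x90\x00' + b'\x00' * 12, maintype='application',
                           subtype='octet-stream', filename=attachment)
    return msg.as_string()


def broad_match(raw: str) -> bool:
    """What the quoted procmail recipe does: regex over the whole raw message."""
    return bool(BROAD_RE.search(raw))


def sircam_match(raw: str) -> bool:
    """Positive lock: a double-extension executable attachment AND the worm text."""
    msg = message_from_string(raw, policy=policy.default)
    bad_name = any(DOUBLE_EXT_RE.search(p.get_filename() or '')
                   for p in msg.iter_attachments())
    body = msg.get_body(preferencelist=('plain',))
    text = body.get_content() if body is not None else ''
    return bad_name and SIRCAM_PHRASE in text


def attachment_names(raw: str) -> list:
    """Filenames of the attachment parts, used to inspect filter output."""
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def strip_executables(raw: str) -> tuple:
    """MIME filter in Sean's sense: remove executable attachments, append a
    footer naming them, and pass the rest of the message through."""
    msg = message_from_string(raw, policy=policy.default)
    if not msg.is_multipart():
        return raw, []
    kept, removed = [], []
    for part in msg.iter_parts():
        name = part.get_filename() or ''
        if name.lower().endswith(EXEC_EXTS):
            removed.append(name)
        else:
            kept.append(part)
    if not removed:
        return raw, []
    footer = EmailMessage()
    footer.set_content('[filter: removed attachment(s): ' + ', '.join(removed) + ']')
    msg.set_payload(kept)   # keep the non-executable parts, same boundary
    msg.attach(footer)      # tell the recipient what was dropped
    return msg.as_string(), removed


# 1. SirCam-style message: worm text plus a double-extension .pif attachment.
WORM = build_message('Hi! How are you?\n\n' + SIRCAM_PHRASE + '\n\nSee you later. Thanks\n',
                     'report.doc.pif')
# 2. A conversation ABOUT the worm, quoting a filename in the body, no attachment.
DISCUSSION = build_message('Anyone else get a mail with filename="setup.exe" today?\n')
# 3. Ordinary message with a legitimate .exe attachment.
LEGIT = build_message('Here is the patched installer you asked for.\n', 'patch.exe')

if __name__ == '__main__':
    for label, raw in [('worm', WORM), ('discussion', DISCUSSION), ('legit', LEGIT)]:
        print(label, 'broad=', broad_match(raw), 'sircam=', sircam_match(raw))
    new_raw, gone = strip_executables(WORM)
    print('stripped:', gone, 'remaining attachments:', attachment_names(new_raw))
```

Run stand-alone it prints one line per sample: the broad rule is false for the .pif worm copy and true for both the discussion and the legitimate .exe, the narrow rule is the other way round, and the stripping filter removes `report.doc.pif` and leaves the text and footer. The narrow rule is only as good as the phrase it keys on, which is exactly Sean's open question about whether the attachment or text mutates.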