FYI, a lot of companies these days are bouncing e-mail from the
Internet with potentially malicious attachments at their smtp gateway
to protect their intranet/infrastructure.
Attached is a delivery refusal notice from abc.com/disney.com.
John
BTW, maybe a fascist policy, but probably justified these days if your
company implements it as a corporate wide policy. The cost of
virus/worm cleanup is escalating to big numbers in large companies.
John Conover writes:
I have seen SirCam with ".lnk" extensions too (and have heard that
".cmd" has been used also):
# Quarantine any MIME part whose declared name has a listed extension,
# including names that carry a further extension after it (foo.doc.pif).
:0 B
* 1^0 name *=".*\.(dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]\
|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?\
|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])(\..*)?"$
{
  # whatever you want to do with a quarantined message.
}
is a more complete set of extensions to look for, and:
# Scored version: the unconditional -3 means one strong (+4) hit or two
# weak (+2) hits are needed before the recipe fires.
:0 B
* -3^0
* 4^0 name *=".*\.(dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]\
|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?\
|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])(\..*)?"$
* 4^0 ^begin +[0-9]+ +.*\.(dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]\
|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?\
|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])(\..*)?$
* 4^0 ^content-transfer-encoding: *base64
* 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
* 2^0 \<(meta|app|script|object|embed|i?frame|layer)
* 2^0 =3d
{
  # whatever you want to do with a quarantined message.
}
will catch most other potentially malicious attachments (albeit the
html detection is too aggressive).
John
i. l. i. a. n. a. f. i. l. b. y. writes:
Hi
Could someone please look over this filter recipe which I cobbled
together? I'm not good at this but I need to put something in place,
and I'd like to confirm that this recipe won't break anything. Much.
Thanks.
############################################################
# SirCam protection: quarantine any attachment whose declared filename
# ends in .exe or .com (procmail matching is case-insensitive, so .EXE
# is covered too).
:0 HB
* ^Content-Disposition: attachment;
* filename=".*\.(exe|com)"
{
  # LOG adds no newline of its own, so the string carries one.
  LOG="REJECT - SirCam
"
  :0
  /var/tmp/SirCam-quarantine
}
--
John Conover Tel. 408.370.2688 conover(_at_)rahul(_dot_)net
631 Lamont Ct. Fax. 408.379.9602 http://www.johncon.com/
Campbell, CA 95008 Cel. 408.772.7733
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
X-Envelope-From: Vscan(_dot_)Postmaster(_at_)disney(_dot_)com Thu Jul 12 03:40:43 2001
Received: by panic.noceast.dws.disney.com; Wed, 11 Jul 2001 23:20:55 -0400
Message-Id: 3b4d17975391001(_at_)panic(_dot_)noceast(_dot_)dws(_dot_)disney(_dot_)com
From: Vscan(_dot_)Postmaster(_at_)disney(_dot_)com
To: xxx(_at_)yyy(_dot_)zzz
Subject: Warning: Message Not Delivered - Attachment Restriction
Date: 12 Jul 2001 03:40:44 -0000
NOTICE * * NOTICE * * NOTICE * * NOTICE * * NOTICE * *
Your message has been trapped and will be automatically deleted
due to its attachments. Due to the risk posed by e-mail viruses
we are not accepting messages that have any of the following
attachment types:
*.VB *.VB* *.JS *.HTM *.HTML *.SHB *.SCT *.CMD
*.WSF *.BAT *.BAS *.COM *.EXE *.SCR *.PIF *.WSC
Please do not resend your message, as it will be rejected again for
containing attachments which are restricted.
This is an automated message. Please do not reply.
Your message information follows:
RECIPIENT(s):
xxx(_at_)yyy(_dot_)zzz
SUBJECT:
xxx yyy zzz
MESSAGE ID:
<3B4D1825(_dot_)77EC8AE3(_at_)xxx(_dot_)yyy(_dot_)zzz>
HOST:
DWSMHPANIC
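For anyone who wants to see the two quoted approaches side by side outside procmail, here is the attachment check worked through in Python. This is an added example, not code from the list posts or from procmail: score_raw mirrors the scoring of the second quoted recipe over the raw message text (same extension list, same -3/+4/+2 weights; the \< word-start tests are approximated with \b), and risky_attachments does the structural check instead, parsing declared MIME filenames and uuencode "begin" lines. The sample messages, addresses and payload are constructed for the demonstration.

```python
"""Attachment-extension gateway check, added example modelled on the procmail
recipes quoted in this thread (not the list's or procmail's own code).
All sample messages below are constructed for the demonstration."""
import base64
import re
from email import message_from_string
from email.policy import default

# The extension alternation from the quoted recipes, carried over unchanged.
EXT = (r"(?:dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]"
       r"|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?"
       r"|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])")
# A name is risky when a listed extension is the last one or is followed by
# further dotted text (report.doc.pif, setup.exe.txt).
RISKY_NAME = re.compile(r"\." + EXT + r"(\..*)?$", re.I)

# Raw-text scoring as in the second quoted recipe. procmail matches
# case-insensitively and anchors ^/$ at line boundaries, hence re.I | re.M.
# Weights are assumptions carried from that recipe: -3 baseline, +4 per strong
# indicator, +2 per weak HTML hint (two weak hints together trip the check).
BASELINE = -3
RULES = [
    (4, re.compile(r'name *=".*\.' + EXT + r'(\..*)?"$', re.I | re.M)),
    (4, re.compile(r"^begin +[0-9]+ +.*\." + EXT + r"(\..*)?$", re.I | re.M)),
    (4, re.compile(r"^content-transfer-encoding: *base64", re.I | re.M)),
    (2, re.compile(r"<!doctype|\b(?:html|head|title|body|style|img|bgsound|div)", re.I)),
    (2, re.compile(r"\b(?:meta|app|script|object|embed|i?frame|layer)", re.I)),
    (2, re.compile(r"=3d", re.I)),
]


def score_raw(raw: str) -> int:
    """Score the raw message text; a positive total means 'quarantine'.
    Each rule counts once, like a procmail condition weighted w^0."""
    return BASELINE + sum(w for w, rx in RULES if rx.search(raw))


def risky_attachments(raw: str) -> list[str]:
    """Structural check: declared MIME filenames plus uuencode 'begin' names
    whose extension is on the list. Body prose cannot trip this one."""
    msg = message_from_string(raw, policy=default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    names += re.findall(r"^begin +[0-9]+ +(\S+)$", raw, re.M)
    return [n for n in names if RISKY_NAME.search(n)]


def mime_with_attachment(filename: str, content_type: str) -> str:
    """Build a constructed two-part message carrying one base64 attachment."""
    body = base64.b64encode(b"placeholder").decode("ascii")  # constructed payload
    return (
        "From: sender@example.invalid\nTo: recipient@example.invalid\n"
        "Subject: hi\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nPlease see the attached file.\n\n"
        f'--b1\nContent-Type: {content_type}; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        f"{body}\n--b1--\n"
    )


# Constructed samples: a SirCam-style double extension, a harmless base64
# text attachment, a uuencoded attachment, and plain prose that merely
# talks about HTML.
SIRCAM_LIKE = mime_with_attachment("report.doc.pif", "application/octet-stream")
SAFE_ATTACHMENT = mime_with_attachment("notes.txt", "text/plain")
UUENCODED = (
    "From: sender@example.invalid\nTo: recipient@example.invalid\nSubject: hi\n\n"
    "begin 644 invoice.doc.lnk\nM(constructed uuencoded data would go here)\n`\nend\n"
)
BENIGN_TEXT = (
    "From: colleague@example.invalid\nTo: me@example.invalid\n"
    "Subject: page review\nContent-Type: text/plain\n\n"
    "Can you look at the html body of the landing page? The login script\n"
    "still breaks in the old browser.\n"
)

if __name__ == "__main__":
    for label, raw in [("sircam-like", SIRCAM_LIKE), ("safe attachment", SAFE_ATTACHMENT),
                       ("uuencoded", UUENCODED), ("benign text", BENIGN_TEXT)]:
        print(f"{label:16} score={score_raw(raw):3d}  risky={risky_attachments(raw)}")
```

Running it shows the trade-off the thread is circling: the raw scoring quarantines the SirCam-style message, but it also fires on the harmless base64 text attachment (the base64 rule alone is +4 against the -3 baseline) and on plain prose that happens to mention "html" and "script" (two +2 hits), which is the "too aggressive" behaviour John notes. The structural check has no such false positives, and because it also reads uuencode "begin" lines it still catches the inline-encoded attachment that a MIME-only parser would miss.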