procmail

Re: The inevitable virus recipe question...

2001-07-25 12:51:49
Joe Altman asked,

| I obtained this recipe from the archives for the list.

|  # If the message is multipart, check the body
|  :0
|  * ^Content-Type:.*multipart
|  * B ?? ^Content-[-a-z0-9_]+:.*($[       ].*)*=[  ]*($[  ]+)*"?\
|              [^"]*\.(vb[se]|ws[fhe]|hta|shs|exe|pif|dll|scr)
|  $MAILDIR/infected.mbx
|
| My comment/question: there were originally two recipes in the post, I
| intend to use only this one, as the other seems un-necessary; or
| perhaps optional. Am I correct?

No, there is no redundancy.

| Here is the other recipe:
|
|  # First, check to see if the entire message is the virus/worm/etc
|  :0
|  * ^Content-[-a-z0-9_]+:.*=[     ]*"?[^"]*\.(vbs|bat|pif)
|  $MAILDIR/infected.mbx

The first one looks for those extensions on the inner headers of attachments
in a multipart message; the second one looks for such content types if so
declared in the head of any message.

| I notice that locking is not indicated in the recipes; is that an
| oversight, or is there something I don't know/am missing about locking
| in this context?

Good point.  Perhaps in the examples infected.mbx was a directory rather
than a flat file?

| Regarding this condition line:
|
|   * B ?? ^Content-[-a-z0-9_]+:.*($[       ].*)*=[  ]*($[  ]+)*"?\
|                 [^"]*\.(vb[se]|ws[fhe]|hta|shs|exe|pif|dll|scr)
|
| My questions are:
|
| The ?? over-rides the initial header egrep with a directive to procmail
| to egrep the body?

Yes; it tells procmail to use the preceding-named variable as the search
area for that condition instead of the search area defined on the colon line
(or the default H); "B" is a pseudo-variable for that use, such that "B ??"
sets the body as the search area.

| This: ($[
|
| is explained by this section of the man page, and is absolutely
| necessary for the recipe to succeed:
|
|   $   Evaluate the remainder of this condition according to sh(1)
|   substitution rules inside double  quotes, skip leading whitespace,
|   then reparse it

No, that is not the meaning of the dollar sign there.  A dollar sign would
mean that only if it appears before the beginning of the regexp proper.  If
it is embedded in a regexp that way, and there is no dollar sign at the
beginning to indicate variable expansion or (that's an inclusive OR) the
next character is not valid in the name of a variable (such as a left
bracket), a dollar sign represents a newline in the search area.  A caret
can as well ... with its own exceptions.  (Sufficiently escaped, or enclosed
in brackets, a dollar sign represents a literal dollar sign.)

| Finally: each of the empty [] contain the famous [tab space] character
| class.

Yes, though usually we put the space first, as Andrew indicated.

| Note: does procmail
| 'understand' \t\s to be a tab followed by a space?

No.

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
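The two recipes discussed in the thread, emulated in Python as an added example (this is not code from the thread, from Joe, or from procmail itself). The point it makes runnable is the one the reply makes in words: the `B ??` recipe only inspects part headers inside a multipart body, the head-only recipe only inspects the message head, so a single-part message whose whole body is the attachment is caught by the second recipe and not the first. The procmail-to-Python translation follows the man-page semantics described in the reply: an embedded `$` is a newline, `^` anchors at line starts (`re.MULTILINE`), matching is case-insensitive by default, and each `[ \t]` is the space-and-tab class. Two things are my own choices, not the recipes': the negated class `[^"]*` is written `[^"\n]*` so a match started on a header line cannot run on into the message text, and the sample messages are constructed for the example.

```python
import re

# Recipe 1, as posted: head must declare multipart, then the inner part
# headers (procmail's B search area) are matched with the long condition.
# procmail '$' -> '\n', '^' anchored per line via re.MULTILINE; case-insensitive.
RECIPE1_HEAD = re.compile(r"^Content-Type:.*multipart", re.MULTILINE | re.IGNORECASE)
RECIPE1_BODY = re.compile(
    r'^Content-[-a-z0-9_]+:.*(?:\n[ \t].*)*'        # header name, value, folded continuation lines
    r'=[ \t]*(?:\n[ \t]+)*"?'                       # parameter '=' with optional folding and quote
    r'[^"\n]*\.(vb[se]|ws[fhe]|hta|shs|exe|pif|dll|scr)',  # filename ending in a risky extension
    re.MULTILINE | re.IGNORECASE)

# Recipe 2, as posted: same idea applied to the message head only, shorter
# extension list, and no allowance for folded header lines.
RECIPE2_HEAD = re.compile(
    r'^Content-[-a-z0-9_]+:.*=[ \t]*"?[^"\n]*\.(vbs|bat|pif)',
    re.MULTILINE | re.IGNORECASE)


def split_message(raw):
    """Split a raw RFC 822 message at the first blank line into (head, body),
    which is what procmail's H and B search areas contain."""
    head, _, body = raw.partition("\n\n")
    return head, body


def recipe1_matches(raw):
    """True when the multipart recipe would deliver the message to infected.mbx."""
    head, body = split_message(raw)
    return bool(RECIPE1_HEAD.search(head)) and bool(RECIPE1_BODY.search(body))


def recipe2_matches(raw):
    """True when the head-only recipe would deliver the message to infected.mbx."""
    head, _ = split_message(raw)
    return bool(RECIPE2_HEAD.search(head))


def deliver(raw):
    """Folder name the two recipes together would deliver to, or None to fall through."""
    if recipe2_matches(raw) or recipe1_matches(raw):
        return "infected.mbx"
    return None


# Constructed sample messages (not taken from the thread).
MULTIPART_WITH_VBS = (
    "From: sender@example.invalid\n"
    "Subject: invoice\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="bnd42"\n'
    "\n"
    "--bnd42\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Please see the attached invoice.\n"
    "--bnd42\n"
    "Content-Type: application/octet-stream;\n"
    '\tname="invoice.doc.vbs"\n'               # folded parameter: exercises ($[ \t].*)*
    "Content-Disposition: attachment;\n"
    '\tfilename="invoice.doc.vbs"\n'
    "\n"
    "TXNnQm94ICJoZWxsbyI=\n"
    "--bnd42--\n"
)

MULTIPART_SAFE = MULTIPART_WITH_VBS.replace("invoice.doc.vbs", "invoice.txt")

SINGLEPART_PIF = (
    "From: sender@example.invalid\n"
    "Subject: readme\n"
    "MIME-Version: 1.0\n"
    'Content-Type: application/octet-stream; name="Readme.TXT.PIF"\n'   # mixed case on purpose
    'Content-Disposition: attachment; filename="Readme.TXT.PIF"\n'
    "\n"
    "TVqQAAMAAAAEAAAA//8AAA==\n"
)

CLEAN_TEXT = (
    "From: sender@example.invalid\n"
    "Subject: hello\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "I renamed setup.bat to setup.old, nothing is attached.\n"   # filename in text only
)


if __name__ == "__main__":
    for name, msg in [("multipart+vbs", MULTIPART_WITH_VBS), ("multipart safe", MULTIPART_SAFE),
                      ("single-part pif", SINGLEPART_PIF), ("clean text", CLEAN_TEXT)]:
        print(f"{name:16} recipe1={recipe1_matches(msg)!s:5} recipe2={recipe2_matches(msg)!s:5} -> {deliver(msg)}")
```

The single-part sample is the case the reply is pointing at when it says there is no redundancy: its head declares no multipart, so recipe 1 never looks at it, and only the head-only recipe sends it to infected.mbx. On the locking question, if infected.mbx is a flat mbox file rather than a directory, both recipes should carry the trailing colon (`:0:`) so procmail takes a local lockfile before appending.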
