
Re: filter for malicious M$ Outlook attachments update

2001-07-25 17:13:16

Philip Guenther <guenther(_at_)gac(_dot_)edu> reworked the malicious Microsoft
Outlook attachment quarantine/filter I posted on 18 June, 2001, and
updated on 18 July:

    #
    # Encrypted attachments can not be searched:
    #
    :0
    * ^content-type:.*multipart/((signed)|(encrypted));
    ! quarantine@somedomain.com
    #
    # All other mime mail can contain embedded, uuencode, or html
    # malicious code:
    #
    # Folding whitespace, (the characters between the block braces are
    # a tab character, hex 09, followed by a space character, hex 20,)
    # which allows the filename of an attachment in the body of a
    # message's MIME construct to be on the line following the header
    # field.
    #
    ws = '[      ]*($[   ]+)*'
    #
    # Double quote, (to avoid problems caused by how the procmail
    # shell expands conditions).
    #
    dq = '"'
    #
    # Extension list (sorted and optimized).  Must stay on one line:
    # procmail does not continue an assignment onto the next line.
    #
    ext = '(a(d[ep]|s[dx])|ba[st]|c(hm|il|md|om)|d(at|ll|o[ct])|e(ml|xe)|h(lp|t(a|ml?))|ini|jse?|lnk|m(d[abew]|s[ip])|ocx|p([lm]|[po]t|if|ps)|r(eg|tf)|s(c[rt]|h[bs])|vb[se]?|w(m[szd]|pd|s[cfh])|xl[swt])'
    #
    # Scoring: the empty first condition always matches and starts the
    # total at -3.  Each later condition adds its weight once (the ^0
    # exponent) however often it matches, and the recipe fires when the
    # total is positive: one 4-point match, or two 2-point matches.
    #
    :0 B
    * -3^0
    * 4^0 $ name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}$
    * 4^0 $ begin${ws}[0-9]+${ws}.*\.${ext}(\..*)?${ws}$
    * 4^0 $ ^content-transfer-encoding:${ws}base64
    * 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
    * 2^0 \<(meta|app|script|object|embed|i?frame|layer)
    * 2^0 =3d
    ! quarantine@somedomain.com

The filename no longer has to be on the same line as the MIME header
field (as per the RFCs), and the search is considerably faster.

It would probably be a good idea to use Philip's rework.

Thanks, Philip.

        John

BTW, be careful of the "ws" variable when saving the file. Emacs
has a tendency to eliminate the space, or the tab, under certain
circumstances. The tab-space sequence seems to work the best. YMMV.

John Conover writes:
I posted it here a few weeks ago, and had to make an addition tonight
(the "base64" encoding):

    #
    # Encrypted attachments can not be searched:
    #
    :0
    * ^content-type:.*multipart/((signed)|(encrypted));
    ! quarantine@somedomain.com
    #
    # All other mime mail can contain embedded, uuencode, or html
    # malicious code.  Each condition must stay on one line; the
    # extension alternation is repeated because this version has no
    # variables.
    #
    :0 B
    * -3^0
    * 4^0 name *= *".*\.(dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])(\..*)?" *$
    * 4^0 ^begin +[0-9]+ +.*\.(dat|html?|ini|exe|com|cmd|ba[st]|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wpd|wm[szd])(\..*)? *$
    * 4^0 ^content-transfer-encoding: *base64
    * 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
    * 2^0 \<(meta|app|script|object|embed|i?frame|layer)
    * 2^0 =3d
    ! quarantine@somedomain.com

-- 

John Conover        Tel. 408.370.2688  conover(_at_)rahul(_dot_)net
631 Lamont Ct.      Fax. 408.379.9602  http://www.johncon.com/
Campbell, CA 95008  Cel. 408.772.7733  

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
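A Python model of the two recipes in Philip's rework, added here as an illustration and not code from John's or Philip's post. It re-implements procmail's scoring (the empty `-3^0` condition as the starting total, each `w^0` condition adding its weight once, quarantine when the total is positive) and runs it over constructed sample messages, so the folded-filename case and the 2-point HTML conditions can be checked without a procmail install. Assumptions: procmail's `\<` is modelled as a lookbehind for a non-word character, its newline-matching `$` inside `ws` as a literal newline, and procmail's default case-insensitive matching as `re.IGNORECASE`; the addresses, boundaries and message contents are made up.

```python
# Model of the procmail quarantine recipes above, written for this page as
# an illustration (not the original post's code).  procmail matches
# case-insensitively and lets '$' match a newline inside a body match;
# here that is re.IGNORECASE | re.MULTILINE plus a literal newline in WS.
import re

FLAGS = re.IGNORECASE | re.MULTILINE

# Extension alternation copied from Philip Guenther's rework above.
EXT = (r'(a(d[ep]|s[dx])|ba[st]|c(hm|il|md|om)|d(at|ll|o[ct])|e(ml|xe)|'
       r'h(lp|t(a|ml?))|ini|jse?|lnk|m(d[abew]|s[ip])|ocx|p([lm]|[po]t|if|ps)|'
       r'r(eg|tf)|s(c[rt]|h[bs])|vb[se]?|w(m[szd]|pd|s[cfh])|xl[swt])')
# Folding whitespace, the recipe's ws = '[<tab> ]*($[<tab> ]+)*'.
WS = r'[ \t]*(\n[ \t]+)*'
# procmail's \< (character before a word) modelled as a non-word lookbehind.
WB = r'(?<![A-Za-z0-9_])'

# The ':0 B' recipe: the empty '* -3^0' condition always matches, so it is
# the starting total; each 'w^0' condition adds w once however often it hits.
BASE_SCORE = -3
BODY_CONDITIONS = [
    (4, rf'name{WS}={WS}".*\.{EXT}(\..*)?"{WS}$'),      # MIME name="x.exe"
    (4, rf'begin{WS}[0-9]+{WS}.*\.{EXT}(\..*)?{WS}$'),  # uuencode header line
    (4, rf'^content-transfer-encoding:{WS}base64'),     # any base64 part
    (2, rf'{WB}(!doctype|html|head|title|body|style|img|bgsound|div)'),
    (2, rf'{WB}(meta|app|script|object|embed|i?frame|layer)'),
    (2, r'=3d'),                                        # quoted-printable '='
]
# The first recipe: header only (no B flag), no scoring.
UNSEARCHABLE_RE = re.compile(r'^content-type:.*multipart/(signed|encrypted);', FLAGS)


def split_message(msg):
    """Headers and body, split at the first blank line as procmail does."""
    headers, _, body = msg.partition('\n\n')
    return headers, body


def is_unsearchable(msg):
    """True for multipart/signed or multipart/encrypted mail."""
    headers, _ = split_message(msg)
    return UNSEARCHABLE_RE.search(headers) is not None


def body_score(msg):
    """Total procmail score of the ':0 B' recipe for this message."""
    _, body = split_message(msg)
    score = BASE_SCORE
    for weight, pattern in BODY_CONDITIONS:
        if re.search(pattern, body, FLAGS):
            score += weight
    return score


def quarantine_reason(msg):
    """None when delivered normally, else which recipe sent it to quarantine."""
    if is_unsearchable(msg):
        return 'unsearchable'
    if body_score(msg) > 0:   # procmail fires the recipe on a positive total
        return 'body'
    return None


# Constructed sample messages; addresses, boundaries and payloads are made up.
HDR = 'From: alice@example.com\nTo: bob@example.com\n'
PLAIN = HDR + 'Subject: lunch\n\nSee you at noon.\n'
SIGNED = (HDR + 'Content-Type: multipart/signed; protocol="application/pgp-signature";'
          ' boundary="s1"\n\n--s1\nContent-Type: text/plain\n\nhello\n--s1--\n')
# Filename folded onto the line after 'name='; '\<app' also hits "application/".
FOLDED_NAME = (HDR + 'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
               'Content-Type: text/plain\n\nPlease review the attached file.\n--b1\n'
               'Content-Type: application/octet-stream;\n\tname=\n\t"invoice.doc.vbs"\n'
               'Content-Transfer-Encoding: 7bit\n\nx=CreateObject("WScript.Shell")\n--b1--\n')
UUENCODE = HDR + '\nHere is the program.\n\nbegin 644 setup.exe\nM35]5-@#!P0#\nend\n'
BASE64_IMAGE = (HDR + 'Content-Type: multipart/mixed; boundary="b2"\n\n--b2\n'
                'Content-Type: image/jpeg; name="photo.jpg"\nContent-Transfer-Encoding: base64\n\n'
                '/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAgGBgcGBQgHBwcJ\n--b2--\n')
HTML_QP = (HDR + 'Content-Type: text/html\nContent-Transfer-Encoding: quoted-printable\n\n'
           '<html><body><p>Click <a href=3D"http://example.com/">here</a></p></body></html>\n')
HTML_PLAIN = HTML_QP.replace('=3D', '=')   # same page without quoted-printable
FALSE_POSITIVE = HDR + 'Subject: meeting\n\nThe apple division meets at noon.\n'

SAMPLES = {'plain': PLAIN, 'signed': SIGNED, 'folded_name': FOLDED_NAME,
           'uuencode': UUENCODE, 'base64_image': BASE64_IMAGE, 'html_qp': HTML_QP,
           'html_plain': HTML_PLAIN, 'false_positive': FALSE_POSITIVE}


def classify_samples():
    """{name: (score, reason)} for every sample message."""
    return {n: (body_score(m), quarantine_reason(m)) for n, m in SAMPLES.items()}


if __name__ == '__main__':
    for name, (score, reason) in classify_samples().items():
        print(f'{name:15} score={score:+d} -> {reason or "deliver"}')
```

Two things the samples make visible before deploying the recipe: the 2-point word conditions have no trailing boundary, so `\<app` matches the `application/octet-stream` content type of any binary part and `\<div` matches "division", which is why the plain-text message about the apple division scores 1 and would be quarantined; and a base64 part of any name, here a photo, scores 1 on its own, as intended by the base64 addition. An HTML message with no quoted-printable `=3D` and none of the script/object tags scores -1 and is delivered.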
