I had to add two file name extensions to the potentially malicious M$
Outlook attachments list in the procmail filter script at:
ftp://ftp.johncon.com/john/quarantine.attachment.email.txt
which is clickable off of:
http://www.johncon.com/john/receivedIP/index.html
The file name extensions added were:
".pdf": there were reports, and confirmation, this AM, on the
incidents@securityfocus.com mailing list, of a South American
virus, Zulu, passing script code embedded in Adobe PDF-formatted
files, which Outlook permits to be executed regardless of the
Internet security settings. The ".ps" file name extension was
added for the same reason (although PostScript files are probably
considered deprecated).
".jpg" and ".jpeg": there was a report on Bugtraq several days ago
that JPEG Outlook attachments are rendered through IE's HTML
interpreter, so they may contain malicious embedded scripts instead of
image data (which was confirmed this AM). The ".gif", ".txt",
".png", ".tif", and ".tiff" file name extensions were added for
the same reasons.
The procmail script fragment:
# multipart/signed and multipart/encrypted mail is forwarded to the
# quarantine address as is; it gets no further scoring below.
:0
* ^content-type:.*multipart/((signed)|(encrypted));
! quarantine@somedomain.com
#
# ws matches optional whitespace, including a folded (continued) header
# line: procmail's "$" inside a regex matches a newline.  Each bracket
# pair contains a literal space and a literal tab.
ws = '[ 	]*($[ 	]+)*'
#
dq = '"'
#
# file name extensions to quarantine (one alternation, on a single line)
ext = '(a(d[ep]|s[dx])|ba[st]|c(hm|il|md|om)|d(at|ll|o[ct])|e(ml|xe)|gif|h(lp|t(a|ml?))|ini|j(se?|pe?g)|lnk|m(d[abew]|s[ip])|ocx|p([lm]|[po]t|if|p?s|df|ng)|r(eg|tf)|s(c[rt]|h[bs])|t(xt|iff?)|vb[se]?|w(m[szd]|pd|s[cfh])|xl[swt])'
#
# Weighted scoring on the body (B flag): the score starts at -3, and the
# recipe fires when the total is above zero, so any single 4-point
# condition quarantines on its own, and two 2-point conditions together
# do as well.  The ^0 exponent means each condition scores once, however
# often it matches.  The 4-point conditions look for a MIME name="..."
# parameter with a listed extension (double extensions included), a
# uuencode "begin" line naming such a file, and a base64 body part; the
# 2-point conditions look for HTML tags and for the quoted-printable
# "=3D" seen in encoded HTML attributes.
:0 B
* -3^0
* 4^0 $ name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}$
* 4^0 $ begin${ws}[0-9]+${ws}.*\.${ext}(\..*)?${ws}$
* 4^0 $ ^content-transfer-encoding:${ws}base64
* 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
* 2^0 \<(meta|app|script|object|embed|i?frame|layer)
* 2^0 =3d
! quarantine@somedomain.com
should, additionally, detect these file name extensions.
John
--
John Conover Tel. 408.370.2688 conover(_at_)rahul(_dot_)net
631 Lamont Ct. Fax. 408.379.9602 http://www.johncon.com/
Campbell, CA 95008 Cel. 408.772.7733
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
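As an added example, not part of John's post or of his quarantine script: a Python re-implementation of the scoring recipe above, so its verdicts can be checked on sample mail without running procmail. The regular expressions are transcribed from the recipe into Python syntax (procmail's `$` inside a pattern matching a newline, its `\<` being shorthand for a non-word character, and its default case-insensitivity are assumed from the procmailrc documentation); the sample messages are constructed here and are not real traffic, and the `mime_message`, `score_body`, `quarantined` and `verdicts` names are this example's own.

```python
import re

# Added example (not from the original post): a Python re-implementation of
# the ':0 B' scoring recipe, with its regexes transcribed into Python syntax.
#  - procmail's "$" inside a pattern matches a newline, so ${ws} also spans a
#    folded (continued) header line;
#  - procmail's "\<" is shorthand for a non-word character, not a boundary;
#  - procmail matching is case-insensitive by default.
WS = r"[ \t]*(?:\n[ \t]+)*"
DQ = '"'
EXT = (r"(?:a(?:d[ep]|s[dx])|ba[st]|c(?:hm|il|md|om)|d(?:at|ll|o[ct])|e(?:ml|xe)|gif"
       r"|h(?:lp|t(?:a|ml?))|ini|j(?:se?|pe?g)|lnk|m(?:d[abew]|s[ip])|ocx"
       r"|p(?:[lm]|[po]t|if|p?s|df|ng)|r(?:eg|tf)|s(?:c[rt]|h[bs])|t(?:xt|iff?)"
       r"|vb[se]?|w(?:m[szd]|pd|s[cfh])|xl[swt])")
NONWORD = r"(?:^|[^A-Za-z0-9_])"

START_SCORE = -3          # "* -3^0"

# (weight, pattern) pairs in the recipe's order.  Exponent 0 means a
# condition adds its weight once, however many times it matches.
CONDITIONS = [
    (4, rf"name{WS}={WS}{DQ}.*\.{EXT}(?:\..*)?{DQ}{WS}$"),   # MIME name="x.ext"
    (4, rf"begin{WS}[0-9]+{WS}.*\.{EXT}(?:\..*)?{WS}$"),     # uuencode header
    (4, rf"^content-transfer-encoding:{WS}base64"),          # base64 body part
    (2, rf"{NONWORD}(?:!doctype|html|head|title|body|style|img|bgsound|div)"),
    (2, rf"{NONWORD}(?:meta|app|script|object|embed|i?frame|layer)"),
    (2, r"=3d"),                                              # quoted-printable "="
]
FLAGS = re.IGNORECASE | re.MULTILINE


def score_body(body: str) -> int:
    """Total score of the ':0 B' recipe for one message body."""
    score = START_SCORE
    for weight, pattern in CONDITIONS:
        if re.search(pattern, body, FLAGS):
            score += weight
    return score


def quarantined(message: str) -> bool:
    """procmail takes the action when the total score is greater than zero.
    The B flag restricts matching to the body, i.e. everything after the
    first blank line, which is where the MIME part headers live."""
    _headers, _sep, body = message.partition("\n\n")
    return score_body(body) > 0


def mime_message(body_lines, extra_headers=()):
    """Build a constructed sample message (not real traffic)."""
    headers = ["From: sender@example.com", "Subject: test", *extra_headers]
    return "\n".join(headers) + "\n\n" + "\n".join(body_lines) + "\n"


SAMPLES = {
    # nothing suspicious: stays at -3
    "plain": mime_message(["Still on for noon?"]),
    # the case the post is about: a base64 part named *.pdf
    # ("application/pdf" also scores 2 via "\<app", so the total is 7)
    "pdf": mime_message(
        ['--XX', 'Content-Type: application/pdf; name="invoice.pdf"',
         'Content-Transfer-Encoding: base64', '', 'JVBERi0xLjQK', '--XX--'],
        ['Content-Type: multipart/mixed; boundary="XX"']),
    # uuencoded executable: the "begin" line alone is worth 4
    "uuencode": mime_message(["begin 644 setup.exe", "`", "end"]),
    # HTML with no scripting tag: only one 2-point group, so it passes
    "html_plain": mime_message(["<html><body><p>hello</p></body></html>"]),
    # HTML plus <script>: two 2-point groups, quarantined
    "html_script": mime_message(["<html><body><script>x()</script></body></html>"]),
    # quoted-printable HTML: "<html" plus "=3D" also reaches the threshold
    "qp_html": mime_message(['<html><a href=3D"http://example.com/">hi</a></html>'],
                            ["Content-Transfer-Encoding: quoted-printable"]),
    # plain text whose words start with "div" and "app": same score as
    # "<div" plus "<app", because "\<" is only a non-word character
    "wordy_text": mime_message(["The division needs the application form."]),
}


def verdicts():
    """Map each sample name to (score, quarantined?)."""
    return {name: (score_body(msg.partition("\n\n")[2]), quarantined(msg))
            for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (score, hit) in verdicts().items():
        print(f"{name:12s} score={score:3d}  {'QUARANTINE' if hit else 'deliver'}")
```

Two things the samples make visible that the recipe's weights imply: a quoted-printable HTML message always reaches the threshold, since `<html` plus any `=3D` gives the two 2-point hits needed, and, because procmail's `\<` is a non-word character rather than a word boundary and the tag alternatives are not closed with `\>`, ordinary text containing words such as "division" and "application" scores exactly like `<div` plus `<app`. Both follow from the recipe as written; whether they are acceptable depends on how much legitimate HTML mail the quarantine address is expected to absorb.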