
Re: should I use procmail or sendmail?

2001-08-27 12:38:48
On 27 Aug, Bill Tangren wrote:
| I have a mail server on a Redhat Linux 7.0 box. I am using both sendmail and procmail.
| The problem is that I also run a web site on the same box, and the site has a help@...
| email address on one of the pages. Apparently quite a number of people who are now
| infected with the SirCam virus once visited that page, because we are being inundated
| with SirCam email. I would like to filter out this email, using the characteristic "I send you
| this file in order to have your advice", or some substring thereof. Is it best to use
| sendmail to do this, or should I use procmail, and if I use procmail, how is it done? I have
| tried sample filters, such as
| 
| :0 B
| * ^advice*
| {
|    :0 c
|    /dev/null
| }
| 
| and *many* variations on this theme. The procmail logs indicate that the test _always_
| fails, so the file is never sent to /dev/null.
| 

That incantation will only match a line in the body that starts with
"advic". The "^" anchors it to the beginning of the line, and the "e*"
says zero or more "e", rendering it pointless at the end of the regular
expression. Even if this were constructed properly, it seems rather
broad. Plonking any message that contains the word advice, especially
to a help desk, seems destined to catch more than it should.

This was discussed (some might say) ad nauseam a couple weeks back, and
you would have found plenty of ideas in the list archive. However, I was
one of the participants in that discussion and have an updated recipe
I've been using. Since it's not been posted in its present form,
here's the basic parts:

# Skip mail from this list and the securityfocus (bugtraq) lists, which
# discuss the virus without carrying it.
:0
*      ! ^X-BeenThere: procmail@lists\.RWTH-Aachen\.DE\>
*      ! ^List-Id:.*\.list-id\.securityfocus\.com\>
# Each SirCam phrase found in the body (B ??) adds its weight once (^0);
# the unconditional -2 keeps the total negative when none of them hit.
*  715827883^0 B ?? Hi\! How are you *(\?|=3F)
*  715827883^0 B ?? Hola como estas *(\?|=3F)
*  715827883^0 B ?? I send you this file in order to have your advice
*  715827883^0 B ?? I hope you like the file that I send( t)?o you
*  715827883^0 B ?? I hope you can help me with this file that I send
*  715827883^0 B ?? This is the file with the information that you ask for
*  715827883^0 B ?? See you later(\.|=2E) Thanks
*  715827883^0 B ?? Te mando este archivo para que me des tu punto de vista
*  715827883^0 B ?? Espero te guste este archivo que te mando
*  715827883^0 B ?? Espero me puedas ayudar con el archivo que te mando
*  715827883^0 B ?? Este es el archivo con la informacion que ma pediste
*  715827883^0 B ?? Nos vemos pronto, gracias(\.|=2E)
* -2^0
{
  # Large Outlook Express multipart message whose attachment is named after
  # the Subject with two extensions: that is the payload, drop it outright.
  :0
  * ^Content-Type: multipart/mixed; boundary=.*Outlook_Express
  * > 81920
  {
    xSUBJ=`formail -zx Subject:`
    :0
    * $ B ?? Content-Disposition: attachment;  filename=$xSUBJ\..+\.[^.]+
    /dev/null
  }
  # Anything else that scored: compress it into a side file rather than
  # deleting it; only if gzip fails (e flag) does it go to /dev/null.
  :0 E
  {
    LOGABSTRACT=no
    :0
    | gzip -c >>$LOGFILEDIR/sircam.crap.gz
    :0 e
    /dev/null
  }
}

N.B. It not only filters the virus, but any discussion of same that
does not take place on this list or one of the bugtraq lists. If
that's too broad, anchor all the regular expressions to the beginning of
a line (^), and eliminate the second ":0 E" recipe. This has caught a
half dozen or so messages with payload (and missed none) mailed directly
to me, another dozen or so that came through mail lists but had the
payload "de-mimed", and probably another dozen or so nonsense responses
on the same lists. It will not filter anything from this list or from
the various bugtraq lists.

If used as is, $LOGFILEDIR needs either to be assigned a value, or
replaced with a suitable path. The concept, for me, is to divert the
collateral crap without deleting it in case something worthwhile is
caught by accident. So far it hasn't. YMMV.  Also the message size test
of 81920 bytes is arbitrary, and probably unnecessary. It's been fine
for me, but you may want to change it to suit your needs or eliminate
altogether.

And to answer your question more directly, AFAIK doing this with
sendmail is difficult if doable at all. I don't believe you can filter
message content "out of the box" with sendmail. I suppose it might be
possible with libmilter, or maybe other ways, but that's beyond my
knowledge. 

-- 
                   /"\
Don Hammond        \ /     ASCII Ribbon Campaign
Raleigh, NC US      X        Against HTML Mail,
                   / \      and News Too
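To see why the quoted `^advice*` test never fires on a SirCam body while the weighted recipe above does, here is an added Python emulation of procmail's body (`B ??`) scoring; it is not part of the thread, covers only three of the English signatures (not the header conditions), and the two sample bodies are constructed. With Python integers there is no overflow to worry about; note that three hits give exactly 3*715827883-2 = 2^31-1.

```python
import re

# Constructed sample bodies (not real captured mail): one in the SirCam style
# the thread describes, and a legitimate help-desk request mentioning "advice".
SIRCAM_BODY = (
    "Hi! How are you?\n"
    "I send you this file in order to have your advice\n"
    "See you later. Thanks\n"
)
HELPDESK_BODY = "Could I get your advice on the invoice page?\n"

# Three of the English signatures from the recipe above, with the same weights:
# `w^0 B ?? regex` adds w once if the regex matches anywhere in the body,
# and the bare `-2^0` is an unconditional score adjustment.
SIRCAM_CONDITIONS = [
    (715827883, r"Hi\! How are you *(\?|=3F)"),
    (715827883, r"I send you this file in order to have your advice"),
    (715827883, r"See you later(\.|=2E) Thanks"),
    (-2, None),
]


def procmail_score(body, conditions):
    """Emulate procmail's weighted scoring for body conditions.
    Procmail regexes are case-insensitive and `^` matches any line start,
    hence IGNORECASE | MULTILINE. The recipe fires when the total is > 0."""
    total = 0
    for weight, pattern in conditions:
        if pattern is None or re.search(pattern, body, re.IGNORECASE | re.MULTILINE):
            total += weight
    return total


def sircam_recipe_fires(body):
    return procmail_score(body, SIRCAM_CONDITIONS) > 0


def quoted_recipe_fires(body):
    """Bill's `* ^advice*` condition: anchored to a line start, trailing `e*`
    optional, so it really tests for a line that begins with "advic"."""
    return re.search(r"^advice*", body, re.IGNORECASE | re.MULTILINE) is not None


if __name__ == "__main__":
    print("sircam body  ->", procmail_score(SIRCAM_BODY, SIRCAM_CONDITIONS), sircam_recipe_fires(SIRCAM_BODY))
    print("helpdesk body->", procmail_score(HELPDESK_BODY, SIRCAM_CONDITIONS), sircam_recipe_fires(HELPDESK_BODY))
    print("^advice* on sircam body ->", quoted_recipe_fires(SIRCAM_BODY))
```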

_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
