procmail

Re: Best way of blocking virii

2001-11-28 22:38:45
At 19:52 2001-11-28 -0600, Gregory Berardi wrote:

> It doesn't block in all cases and I really don't understand why.

An examination of VERBOSE logs of those messages which fail to be caught would be in order.

> I tried adding code to break, bounce or remove the attachment but that didn't work. Would be nice if we could get some direction on how to make this work.

I'd start with using a more recent version of the rule, which AFAICR was being "developed on the fly" in this forum in response to a similar query. The extension list in what you posted was VERY lacking. After some discussion, Timothy J. Luoma posted the following back in mid-March of this year, though in June, John Connover posted a wallop of a script that dealt with many more (search the archives for "Filtering Attachments" in the subject - one of Mr. Connover's posts specifically addressed whacking the Content-Type header to cause the content to not be seen as an actual attachment, though it was offered as theory):

# Header-only check: any Content-* header whose parameter value names a
# file with one of the listed extensions.  The alternatives are grouped in
# parentheses so that "|" applies only to the extension, not to the whole
# condition (ungrouped, "exe" or "lnk" would match anywhere in the header).
:0
* ^Content-[-a-z0-9_]+:.*=[ ]*"?[^"]*\.(ad[ep]|ba[st]|c(hm|md|om|pl|rt)|exe|h(lp|ta)|i(n[fs]|sp)|jse?|lnk)
{ INCLUDERC=$PROCDIR/itsavirus.rc }


# Multipart messages: the attachment's headers live in the body, so scan
# the body with B ??.  ($[ 	].*)* lets the name= parameter sit on a folded
# continuation line; each [ 	] bracket holds a space and a literal tab.
:0
* ^Content-Type:.*multipart
* B ?? ^Content-[-a-z0-9_]+:.*($[ 	].*)*=[ ]*($[ 	]+)*"?\
[^"]*\.(ad[ep]|ba[st]|c(hm|md|om|pl|rt)|exe|h(lp|ta)|i(n[fs]|sp)|jse?|lnk)
{ INCLUDERC=$PROCDIR/itsavirus.rc }


The itsavirus.rc would do whatever you wanted to the message - bounce it, stuff it in a folder and notify the recipient (or sender), etc.

On Wednesday 28 November 2001 05:29 am, you wrote:
> I'm just looking for the best way of blocking viruses from coming into my
> mail system using procmail. I want to basically drop messages that contain
> known widely spread virii like Sircam and snowwhite, and bounce a message
> to the sender with information about the virus, and how to fix it.

Keep in mind that some viruses use a bogus envelope sender - you won't be able to send a notice to the infected user (even bouncing it at the SMTP transaction wouldn't do anything useful in these cases).

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
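The following is an added Python re-implementation of the extension check in the recipe quoted above; it is hypothetical illustration code, not code from the posting, from Timothy J. Luoma's rule or from procmail itself. It translates the recipe's regex twice, once with the alternation left ungrouped (as it appeared in the posting) and once grouped with the continuation-line idiom carried over, runs both over two constructed messages, and then shows the more robust alternative of letting the email library unfold the headers and testing each part's declared filename. All message contents, addresses and function names are constructed for the example.

```python
"""Hypothetical re-implementation of the attachment-extension check from the
posted procmail recipe, so its regex behaviour can be exercised offline."""
import re
from email import message_from_string, policy

# Extension list from the posted recipe, as a non-capturing group so that
# the alternation applies only to the text after the dot.
DANGEROUS_EXT = (r"ad[ep]|ba[st]|c(?:hm|md|om|pl|rt)|exe|h(?:lp|ta)"
                 r"|i(?:n[fs]|sp)|jse?|lnk")

# 1. The alternation ungrouped, as in the posting: "|" binds loosest, so
#    "exe", "lnk", "bat" ... are each tested on their own, anywhere in the
#    text.  Case-insensitive and line-anchored to mimic procmail conditions.
UNGROUPED_RE = re.compile(
    r'^Content-[-a-z0-9_]+:.*=[ ]*"?[^"\n]*\.ad[ep]|ba[st]|c(?:hm|md|om|pl|rt)'
    r'|exe|h(?:lp|ta)|i(?:n[fs]|sp)|jse?|lnk',
    re.IGNORECASE | re.MULTILINE)

# 2. Grouped, with the recipe's folded-header idiom translated:
#    procmail's ($[ \t].*)* becomes (?:\n[ \t].*)* here.  Newline is
#    excluded from the negated class so it stays on one header line.
GROUPED_RE = re.compile(
    r'^Content-[-a-z0-9_]+:.*(?:\n[ \t].*)*=[ \t]*(?:\n[ \t]+)*"?[^"\n]*\.(?:'
    + DANGEROUS_EXT + r')',
    re.IGNORECASE | re.MULTILINE)

# Extension test applied to an already-decoded filename.
EXT_AT_END_RE = re.compile(r"\.(?:" + DANGEROUS_EXT + r")$", re.IGNORECASE)


def raw_hit(raw_message: str, pattern: re.Pattern) -> bool:
    """procmail-style check: run the regex over the raw text (headers and
    body together, so nested MIME part headers are seen, like 'B ??')."""
    return pattern.search(raw_message) is not None


def parsed_hits(raw_message: str) -> list:
    """Robust alternative: let the email library unfold and unquote the
    headers, then test each part's declared filename (name= or filename=)."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and EXT_AT_END_RE.search(name):
            hits.append(name)
    return hits


# Constructed sample: multipart message whose attachment part has folded
# Content-Type / Content-Disposition headers (parameter on a continuation
# line), exactly the case the ($[ \t].*)* idiom in the recipe is for.
FOLDED_ATTACHMENT = """\
From: sender@example.invalid
To: user@example.invalid
Subject: your file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/octet-stream;
\tname="Setup.EXE"
Content-Disposition: attachment;
\tfilename="Setup.EXE"

AAAA
--XX--
"""

# Constructed sample: a harmless text message whose Subject happens to
# contain the letters "exe".
BENIGN = """\
From: sender@example.invalid
To: user@example.invalid
Subject: exercise plan for next week
Content-Type: text/plain; charset="us-ascii"

see you at the gym
"""


if __name__ == "__main__":
    for label, raw in (("folded attachment", FOLDED_ATTACHMENT), ("benign", BENIGN)):
        print(label, "ungrouped:", raw_hit(raw, UNGROUPED_RE),
              "grouped:", raw_hit(raw, GROUPED_RE),
              "parsed:", parsed_hits(raw))
```

Run stand-alone, the ungrouped form flags both messages (the benign one only because "exe" occurs in "exercise"), while the grouped, continuation-aware form and the parsed-filename check flag only the folded attachment. The parsed check is the one to prefer when the delivery agent allows it, since it does not depend on how the sender chose to fold or quote the header.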
