
Re: Best way of blocking virii

2001-11-28 23:31:43

FYI, the site that has the procmail script referenced is at:

    http://www.johncon.com/john/QuarantineAttachments/

which gives a walk through of the code. There is a fragment clickable
from that page that can be cut-n-sticked into a ~/.procmailrc.

Philip Guenther did a lot of the work on the fragment.

Thanks Philip!

        John Conover

BTW, it does/did catch Badtrans.B, hubris, love letter, magistra, etc.
Maybe a link from www.procmail.org to the above URL would be
appropriate.

Professional Software Engineering writes:
At 19:52 2001-11-28 -0600, Gregory Berardi wrote:

It doesn't block in all cases and  I really don't understand why.

An examination of VERBOSE logs of those messages which fail to be caught 
would be in order.

I tried adding code to break, bounce or remove the attachment but that 
didn't work.  Would be nice if we could get some direction on how to make 
this work.

I'd start with using a more recent version of the rule, which AFAICR was 
being "developed on the fly" in this forum in response to a similar 
query.  The extension list in what you posted was VERY lacking.  After some 
discussion, Timothy J. Luoma posted the following back in mid-march of this 
year, though in June, John Conover posted a wallop of a script that dealt 
with many more (search the archives for "Filtering Attachments" in the 
subject - one of Mr. Conover's posts specifically addressed whacking the 
Content-Type header to cause the content to not be seen as an actual 
attachment, though it was offered as theory):

# The "|" alternatives must be grouped: without the parentheses the
# condition also fires on any header (or body line) that merely contains
# "exe", "lnk", "bas" and so on. "jse?" catches both .js and .jse.
# Each [ ] below holds a space and a literal tab.
:0
* ^Content-[-a-z0-9_]+:.*=[ 	]*"?[^"]*\.(ad[ep]|ba[st]|c(hm|md|om|pl|rt)|exe|h(lp|ta)|i(n[fs]|sp)|jse?|lnk)
{ INCLUDERC=$PROCDIR/itsavirus.rc }


# Body version: procmail's "$" inside a pattern matches a newline, so the
# ($[ <tab>].*)* group follows a folded (continued) MIME header line.
:0
* ^Content-Type:.*multipart
* B ?? ^Content-[-a-z0-9_]+:.*($[ 	].*)*=[ 	]*($[ 	]+)*"?\
[^"]*\.(ad[ep]|ba[st]|c(hm|md|om|pl|rt)|exe|h(lp|ta)|i(n[fs]|sp)|jse?|lnk)
{ INCLUDERC=$PROCDIR/itsavirus.rc }


The itsavirus.rc would do whatever you wanted to the message - bounce it, 
stuff it in a folder and notify the recipient (or sender), etc.

On Wednesday 28 November 2001 05:29 am, you wrote:
I'm just looking for the best way of blocking viruses from coming into my
mail system using procmail. I want to basically drop messages that contain
known widely spread virii like Sircam and snowwhite, and bounce a message
to the sender with information about the virus, and how to fix it.

Keep in mind that some viruses use a bogus envelope sender - you won't be 
able to send a notice to the infected user (even bouncing it at the SMTP 
transaction wouldn't do anything useful in these cases).

---
  Sean B. Straw / Professional Software Engineering

  Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
  Please DO NOT carbon me on list replies.  I'll get my copy from the list.

-- 

John Conover, conover(_at_)rahul(_dot_)net, http://www.johncon.com/
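The attachment-extension check from the body recipe above, re-implemented in Python so it can be run against sample messages. This is an added example, not code from the thread or from the johncon.com script: the regex is a translation of the posted `B ??` condition (procmail's `$` inside a pattern becomes `\n`, procmail's default case-insensitive matching becomes re.IGNORECASE, and the extension list is the grouped one with `jse?`), and a second check decodes each part's filename with the stdlib email parser, which also handles RFC 2231 `filename*=` parameters that the raw regex never sees. The three messages and the `build_message` helper are constructed for the example.

```python
"""Procmail-style attachment-extension check versus a parsed-filename check.

Added example (not the thread's code). The sample messages are constructed.
"""
import base64
import email
import re

# Extension alternation from the posted recipe, grouped so "|" applies only
# to the extension; "jse?" so that .js is caught as well as .jse.
BAD_EXT = r"(ad[ep]|ba[st]|c(hm|md|om|pl|rt)|exe|h(lp|ta)|i(n[fs]|sp)|jse?|lnk)"

# Translation of the procmail condition:
#   ^Content-[-a-z0-9_]+:.*($[ \t].*)*=[ \t]*($[ \t]+)*"?[^"]*\.(...)
BODY_HEADER_RE = re.compile(
    r"^Content-[-a-z0-9_]+:.*(\n[ \t].*)*=[ \t]*(\n[ \t]+)*\"?[^\"]*\." + BAD_EXT,
    re.IGNORECASE | re.MULTILINE,
)
# Applied to a decoded filename: extension must be the last thing in the name.
EXT_AT_END_RE = re.compile(r"\." + BAD_EXT + r"$", re.IGNORECASE)


def procmail_style_match(raw: bytes) -> bool:
    """Mimic the body recipe: top-level Content-Type must be multipart, then
    search the body (everything after the first blank line) for the pattern."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\n\n")
    if not re.search(r"^Content-Type:.*multipart", head, re.IGNORECASE | re.MULTILINE):
        return False
    return BODY_HEADER_RE.search(body) is not None


def parser_flagged_names(raw: bytes) -> list:
    """Decode every part's filename with the stdlib parser (which unfolds
    headers, strips quotes and decodes RFC 2231) and flag bad extensions."""
    msg = email.message_from_bytes(raw)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if name and EXT_AT_END_RE.search(name):
            flagged.append(name)
    return flagged


def build_message(disposition: str, attachment: bytes = b"not really an executable") -> bytes:
    """Constructed two-part message; `disposition` is the attachment part's
    Content-Disposition header line (it may contain a folded continuation)."""
    payload = base64.b64encode(attachment).decode()
    return (
        "From: sender@example.invalid\n"
        "To: victim@example.invalid\n"
        "Subject: see attached\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="bnd"\n'
        "\n"
        "--bnd\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "\n"
        "Notes on the exe build and the lnk file are attached\n"  # words, no ".exe"
        "--bnd\n"
        "Content-Type: application/octet-stream\n"
        f"{disposition}\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{payload}\n"
        "--bnd--\n"
    ).encode("latin-1")


# Folded, quoted filename: the regex copes thanks to the (\n[ \t].*)* group.
FOLDED = build_message('Content-Disposition: attachment;\n\tfilename="Setup.EXE"')
# RFC 2231 parameter with the dot percent-encoded: no literal "." for the regex.
RFC2231 = build_message("Content-Disposition: attachment; filename*=utf-8''setup%2Eexe")
# Benign attachment; the body text mentions "exe" and "lnk" but has no bad extension.
BENIGN = build_message('Content-Disposition: attachment; filename="report.txt"')

if __name__ == "__main__":
    for label, raw in (("folded", FOLDED), ("rfc2231", RFC2231), ("benign", BENIGN)):
        print(label, procmail_style_match(raw), parser_flagged_names(raw))
```

Running it shows the folded `Setup.EXE` caught by both checks, the RFC 2231 `setup%2Eexe` caught only by the parser-based check, and the benign message caught by neither. When a message slips past the recipe, this is the kind of comparison to make on the VERBOSE log: look at how the filename is actually encoded in the part's headers rather than at the extension alone.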

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
