On Thu, Jan 17, 2002 at 07:02:52PM -0800, Eric Hilding wrote:
If I setup a quick recipe to nuke anything From:.*/_.* will this also
thrash any legitimate "firstname_lastname(_at_)somedomain(_dot_)com" e-mails
which use
an underscore between the names (as compared to starting with an
underscore)???
Nuking things with a slash followed by an underscore probably won't get
many hits, from BadTrans or anything else. A quick search of the list
archives will get you lots of discussion on BadTrans and other safeties
that can be applied in procmail. What you most likely want is something
more along the lines of:
:0
* ^From:.*<_
* ^Content-Type:.*boundary="====_ABC1234567890DEF_===="
* B ?? ^Content-Type: audio/x-wav;
* B ?? ^Content-ID: <EA4DMGBP9p>
/dev/null
If you want extra speed and can sacrifice some precision, take out the
body checks ("B ??").
And I haven't had any hits, but I think I detect
W32(_dot_)Goner(_dot_)A(_at_)mm with:
:0
* ^From:.*<_
* ^Subject:[ ]Hi
* B ?? gone\.scr
/dev/null
And because it bears mentioning again, ALWAYS use something like:
# Generic Win32 attachment blocker...
:0 fwh
* 9876543210^0
^Content-[a-z0-9_-]+:.*="?[^"]*\.(vb[se]|ws[fh]|hta|shs|pif|(doc|txt|xls)\.)
* 9876543210^0 B ?? ^Content-[a-z0-9_-]+:.*($[ ].*)*=[ ]*($[
]+)*"?[^"]*\.(vb[se]|ws[fh]|hta|shs|pif|(doc|txt|xls)\.)
* ^Subject:\/.*
| formail -I "Subject: [POSSIBLE VIRUS]$MATCH" -A "X-Warning: Trapped possible
worm - this email contains executable code which" -A "X-Warning: may be
dangerous. Please inspect it carefully before using ANY" -A "X-Warning:
attachment it contains. Install virus detection software."
--
Paul Chvostek
<paul(_at_)it(_dot_)ca>
Operations / Development / Abuse / Whatever vox: +1 416 598-0000
it.canada http://www.it.ca/
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail