On Fri, 19 Apr 2002, Luz Lopez wrote:
> I want to use procmail to filter viruses. I have a procmailrc working with
> sendmail, but I have no idea how I can filter the virus W32/Klez@mm.
I believe the procmail sanitizer would catch it because it uses a .pif
file for its payload.
http://www.impsec.org/email-tools/procmail-security.html
However, here's the simple procmail rule I'm using for it (as shown, this
dumps it in a folder named "virus"):
:0 Bh
* > 50000
* ^Content-Type:[ ]*(audio/x-|application)
* 1^0 ()<i?frame[ ]*src=(3d)?cid:
* 1^0 ^--[^ ]+$$Content-
virus
The '$$Content-' rule is really the magic one -- Klez sends broken MIME
format with an extra blank line between one of the bodypart separators
and the embedded Content- header. The $$ there matches two consecutive
newlines.
You could probably go with > 200000 in the first test if you wanted to;
the Klez messages always seem to be about 260k.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
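The recipe's logic can be checked offline before it goes into a live procmailrc. The following is an added example, not part of the original post: a Python translation of the four conditions, run against constructed messages. The function names, the sample boundary, addresses and filename are all made up for the test, and the regexes are translations of the procmail ones rather than procmail's own matcher.

```python
import re

# Python translations of the recipe's conditions. procmail matches
# case-insensitively by default; "$$" there is two consecutive newlines.
CONTENT_TYPE = re.compile(r"^Content-Type:[ \t]*(audio/x-|application)", re.I | re.M)
IFRAME_CID = re.compile(r"<i?frame[ \t]*src=(3d)?cid:", re.I)
BROKEN_MIME = re.compile(r"^--[^ \n]+\n\nContent-", re.I | re.M)

def klez_score(raw: bytes, min_size: int = 50000) -> int:
    """Return 0 if a mandatory test fails, else the sum of the 1^0 tests."""
    if len(raw) <= min_size:             # "* > 50000": total message size
        return 0
    text = raw.decode("latin-1").replace("\r\n", "\n")
    _, _, body = text.partition("\n\n")  # the B flag: match against the body
    if not CONTENT_TYPE.search(body):
        return 0
    return int(bool(IFRAME_CID.search(body))) + int(bool(BROKEN_MIME.search(body)))

def build_sample(broken: bool, iframe: bool, pad: int = 60000) -> bytes:
    """Constructed message; boundary, addresses and filename are made up."""
    gap = "\n\n" if broken else "\n"     # Klez's extra blank line, or normal MIME
    html = "<iframe src=3Dcid:X1 height=3D0 width=3D0></iframe>" if iframe else "<p>hi</p>"
    return (
        "From: sender@example.invalid\n"
        "Subject: constructed test\n"
        'Content-Type: multipart/alternative; boundary="BOUND"\n'
        "\n"
        "--BOUND\n"
        "Content-Type: text/html\n"
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n"
        f"{html}\n"
        f"--BOUND{gap}"
        "Content-Type: audio/x-wav; name=sample.pif\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        + "QUFB" * (pad // 4) + "\n"
        "--BOUND--\n"
    ).encode("latin-1")
```

A score above 0 corresponds to the recipe delivering to the "virus" folder. A large, well-formed attachment with neither marker scores 0, which is the false-positive case worth testing before raising or lowering the size threshold.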