Hi Kathy,
I'm new too and learned by fire when Klez struck.
We just deployed procmail only a few days ago to stop spam,
which Webshield Solaris doesn't do. Now used procmail to
help supplement Webshield's virus fighting (and reduce
its workload too).
I wrote very similar to yours except more broad - prohibit
ALL executable attachments in emails, which I made company policy.
As for Content-Type:, I just search for its presence (doesn't matter
what comes after it).
As for filename="xxxxx",
be aware that these are legal MIME as well:
name="xxxx"
filename=xxxxx
name=xxxxx
Maybe that's where it's slipping through?
Best way to debug procmail is to do full analysis of the email that
slipped thru (I know, can be hard to get).
Example from the KLEZ variant we get:
Content-Type: audio/x-midi;
name=height.bat
(where audio/x-midi can be anything)
take care,
--Ed
Greetings,
I'm having problems with a procmail recipe, when it comes to consistently
catching the klez-g virus.
Sometimes it will catch the virus...and other times it slips through. Any
and all suggestions would be greatly appreciated, as I'm extremely new to
procmail.
This is the recipe:
:0
*^Content-[tT]ype:[ ]*(audio/x-midi|text/html|multipart/alternative|multipart/mixed|application/octet-stream|application/mixed)
{
:0 HB
*^Content-Disposition: attachment;
*filename=".*\.(scr|vbs|wsf|vbe|wsh|hta|exe|com|bat|pif)"
{
:0 fhbw
|/bin/sed -e 's/\([nN][aA][mM][eE]=".*\....\)"/\1.txt"/'
:0 c
/var/log/virusmail
}
}
Thanks in advance!
Kathy
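
Added example (not part of either message in this thread): a Python check that reads the name= and filename= parameters through a MIME parser, so the quoted, unquoted and folded forms listed in the reply are all seen. `recipe_style_match` is only a rough approximation of the recipe's two inner conditions, for comparison; the sample messages are constructed.

```python
import email
import re
from email.utils import collapse_rfc2231_value

# Extension list taken from the recipe on this page.
BLOCKED = {"scr", "vbs", "wsf", "vbe", "wsh", "hta", "exe", "com", "bat", "pif"}

def attachment_names(raw):
    """Return every name=/filename= parameter found on any MIME part."""
    names = []
    for part in email.message_from_string(raw).walk():
        for header, param in (("content-type", "name"),
                              ("content-disposition", "filename")):
            value = part.get_param(param, header=header)
            if value:
                # Handles quoted, unquoted and RFC 2231 encoded values.
                names.append(collapse_rfc2231_value(value))
    return names

def blocked_names(raw):
    """Names whose final extension is on the blocked list."""
    return [n for n in attachment_names(raw)
            if "." in n and n.rsplit(".", 1)[1].strip().lower() in BLOCKED]

def recipe_style_match(raw):
    """Rough approximation (assumption) of the inner recipe's two conditions."""
    exts = "|".join(sorted(BLOCKED))
    return bool(
        re.search(r"^Content-Disposition: attachment;", raw, re.I | re.M)
        and re.search(r'filename=".*\.(%s)"' % exts, raw, re.I))

# Constructed sample messages (not captured mail).
SAMPLES = {
    "quoted filename":
        'Content-Type: application/octet-stream; name="a.exe"\n'
        'Content-Disposition: attachment; filename="a.exe"\n\nx\n',
    "folded, unquoted name":
        "Content-Type: audio/x-midi;\n\tname=height.bat\n\nx\n",
    "unquoted filename":
        "Content-Type: application/octet-stream\n"
        "Content-Disposition: attachment; filename=photo.pif\n\nx\n",
    "harmless":
        'Content-Type: text/plain; name="notes.txt"\n\nhello\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, recipe_style_match(raw), blocked_names(raw))
```
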
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail