At 19:10 2002-08-02 -0400, fleet@teachout.org did say:
> :0 B
> * name=\/.*(\.exe|\.scr|\.pif|\.bat)
> virus
> This is working for me at the moment (just recently started this procmail
> business). If you don't already know, you only see the "name=" business
> when looking at the message with a text editor. (If you don't want/need
> the MATCH variable, remove the "\/".)
There you go again - YOUR message talking about this matches this criterion.
Here's an example module I use to block executable type attachments from a
mailing list (where they can be assumed generally to be viruses, not
something some clueless individual thought they should attach to share with
others). Variables should be self-explanatory, and the bouncer.rc could be
just a simple forward rule. The FILTER_OPTIONS bit doesn't need to be here
for your use of this - it relates to the one script being used on a couple
dozen different lists, each of which can opt in to any of the various
filters provided. (Without this filter - which also truncates the body from
the message - listadmins would still see the message bounce because it has
attachments or exceeds an allowed post size (or perhaps because the sender
isn't a subscriber), but those bounces get sent to the sender of the
message, which isn't desired when dealing with viruses.)
#
# virus.rc
#
# Define the filter ID
FILTER_ID="VIRUS"
# this filter is run before most of the others, so that it can attempt
# to capture potential virus messages. Well, most viruses would be bounced
# to the sender with an attachment advisory. However, some - snowwhite for
# instance, don't have a valid return address - so we should catch those,
# purge the body and forward the headers to the listadmin.
# X-Loop must match what is being used elsewhere
# NOTE: because of some viruses, we DO NOT exclude FROM_MAILER !
:0
* $ FILTER_OPTIONS ?? [ ]$FILTER_ID\>
* ! ^X-Loop:[ ]+$LOOPALERT
{
  # SnowWhite: identified by the forged sender address it always uses
  :0
  * ^From:.*hahaha@sexyfun\.net
  {
    VIRUSNAME="SNOWWHITE"
  }
  # Klez (from Bart Schaefer on procmail list 20020427)
  # E = only if the previous recipe didn't match; B = conditions match the body
  :0EB
  * > 50000
  * ^Content-Type:[ ]*(audio/x-|application)
  * 1^0 ()<i?frame[ ]*src=(3d)?cid:
  * 1^0 ^--[^ ]+$$Content-
  * 1^0 ^--[^ ]+$--[^ ]+$
  {
    VIRUSNAME="KLEZ"
  }
  # Generic PC executable name
  # Excerpted from:
  # <http://www.johncon.com/john/QuarantineAttachments/>
  :0E
  {
    dq = '"'
    ws = '[ ]*($[ ]+)*'
    ext = '(as[xp]|\
ba[st]|\
c(lass|md|om)|\
dll|\
e(ml|xe)|\
ini|\
j(ava|se?|sp|tmpl)|\
lnk|\
p(atch|if)|\
s(cr|ys)|\
vb[es]?|\
w(s[cfh]))'
    # Weighted scoring: start at -3, +1 for a multipart message, +4 for each
    # body hit (application part, executable attachment name, uuencoded
    # executable). The recipe fires when the total is greater than zero.
    :0B
    * -3^0
    * 1^0 ^Content-Type:[ ]*multipart/
    * 4^0 B ?? ^Content-Type:[ ]*application
    * 4^0 $ B ?? name${ws}=${ws}${dq}?.*\.${ext}(\..*)?${dq}?${ws}$
    * 4^0 $ B ?? begin${ws}[0-9]+${ws}.*\.${ext}(\..*)?${ws}$
    {
      VIRUSNAME="GENERIC EXECUTABLE"
    }
  }
  # Anything above that set VIRUSNAME gets its body purged and reported
  :0
  * ! VIRUSNAME ?? ^^^^
  {
    # truncate the body
    :0bfi
    | echo "(body discarded)"
    # cannot reply to the sender because it is probably forged.
    # (given crap like Klez and SnowWhite), so just
    # send advisory to the listadmin.
    REPLYTO=$BOUNCER
    BOUNCEMSG=virus.msg
    BOUNCESUBJ="virus rejected [$VIRUSNAME]"
    # Include bounce handler code
    INCLUDERC=bouncer.rc
  }
}
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
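The scoring used by the GENERIC EXECUTABLE recipe, re-implemented in Python over constructed sample messages so the weights and the attachment-name regex can be exercised offline. This is an added example, not code from the post or from the johncon recipe it excerpts; it assumes the multipart/ check is applied to the headers and simplifies ${ws} to plain spaces and tabs.

```python
import re

# Extension alternation copied from the recipe's `ext` variable.
EXT = (r"(as[xp]|ba[st]|c(lass|md|om)|dll|e(ml|xe)|ini|j(ava|se?|sp|tmpl)"
       r"|lnk|p(atch|if)|s(cr|ys)|vb[es]?|w(s[cfh]))")
WS = r"[ \t]*"  # stands in for ${ws}; folded-header continuation is ignored here

# procmail matches case-insensitively and anchors ^/$ at line boundaries,
# so every pattern carries the (?im) flags.
MULTIPART = re.compile(r"(?im)^Content-Type:" + WS + "multipart/")
BODY_CHECKS = [  # the three +4 conditions, in the recipe's order
    re.compile(r"(?im)^Content-Type:" + WS + "application"),
    re.compile(r'(?im)^.*name' + WS + "=" + WS + r'"?.*\.' + EXT + r'(\..*)?"?' + WS + "$"),
    re.compile(r"(?im)^begin" + WS + "[0-9]+" + WS + r".*\." + EXT + r"(\..*)?" + WS + "$"),
]

def score(raw):
    """Recipe weighting: -3 to start, +1 for multipart/ in the headers
    (assumption about where that check applies), +4 per body condition hit."""
    head, _, body = raw.partition("\n\n")
    total = -3 + (1 if MULTIPART.search(head) else 0)
    for rx in BODY_CHECKS:
        if rx.search(body):
            total += 4
    return total

def is_executable_attachment(raw):
    """procmail runs the recipe's action when the summed score exceeds zero."""
    return score(raw) > 0

# Constructed sample messages (not real mail).
MALICIOUS = ("From: someone@example.invalid\n"
             'Content-Type: multipart/mixed; boundary="b1"\n\n'
             "--b1\nContent-Type: text/plain\n\nsee attached\n"
             '--b1\nContent-Type: application/octet-stream; name="invoice.pdf.scr"\n'
             'Content-Disposition: attachment; filename="invoice.pdf.scr"\n\n'
             "TVqQAAMAAAAEAAAA\n--b1--\n")
UUENCODED = ("From: a@example.invalid\nContent-Type: text/plain\n\n"
             "begin 644 setup.exe\nM3V]L\nend\n")
BENIGN = ("From: b@example.invalid\n"
          'Content-Type: multipart/mixed; boundary="b2"\n\n'
          '--b2\nContent-Type: image/jpeg; name="photo.jpg"\n\n/9j/4AAQ\n--b2--\n')

if __name__ == "__main__":
    for label, m in (("MALICIOUS", MALICIOUS), ("UUENCODED", UUENCODED), ("BENIGN", BENIGN)):
        print(label, score(m), is_executable_attachment(m))
```

Note that a single +4 hit is enough even without the multipart bonus (-3 + 4 = 1), which is why the uuencoded sample is caught in a plain text/plain message.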
_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail