
Re: simple attachment whitelist-filter

2002-08-02 20:42:37
On  2 Aug, Professional Software Engineering wrote:
| At 19:10 2002-08-02 -0400, fleet(_at_)teachout(_dot_)org did say:
| >:0 B
| >* name=\/.*(\.exe|\.scr|\.pif|\.bat)
| >virus
| 
| [...]
| 
| Here's an example module I use to block executable type attachments from a 
| mailing list (where they can be assumed generally to be viruses, not 
| something some clueless individual thought they should attach to share with 
| others).
| 
| [snip interesting virus.rc] 


Although the OP seemed to be looking for a generic attachment filter
(though the use of the term "whitelist" made it less clear), and what
follows does not satisfy that criterion, it is what I use for virus
filtering.  It's offered only as a possible different way to do it.
No users read mail on any Windows platform here, so this is more an
educational exercise and is offered here ONLY as a different and
possibly interesting way of doing this and NOT as a comprehensive
anti-virus solution.

It differs in that each virus "definition" is in a separate file,
"discovered" dynamically by the rcfile that follows.  All I have to do
is drop a new file in the definitions directory and it is automatically
used against subsequent messages.  It also has the added benefit (for me
anyway) of catching some of the brain-dead follow-ups.

As with Sean's, there are some variables that should be self-explanatory.
Just in case ...

VIRUSDEFS will be assigned to, and adjusted each iteration, further down
in the rcfile.  It is tested at the top because this one is called
recursively and the first block is only run the first time through.

XNOSPAM may or may not be set by an earlier rcfile.
VIRUSDEFS_DIR is the directory where the individual definitions are.
LOGFILEDIR is pretty obvious as should be NL.

The synopsis is it iterates over a listing of all the (non-dot) files
in VIRUSDEFS_DIR, then removes each one from VIRUSDEFS and recurses
until a virus is discovered or there are no definitions left.
VIRUS_DETECTED is set to the definition file name before going there
(INCLUDERC) and set to the empty string in the included file if there
is NO match. Notices are sent out, including the virus type, but no
bounces. That's my personal philosophical preference.

# /usr/local/share/procmail/virusrc

:0
* VIRUSDEFS ?? ^^^^
* -2147483646^0
* -1^0 XNOSPAM ?? ^^list (procmail|sf|suse security)\>
* -1^0 ^X-BeenThere: procmail@lists\.RWTH-Aachen\.DE\>
* -1^0 ^List-Id:.*\.list-id\.securityfocus\.com\>
* -1^0 ^X-Mailinglist: suse-security
* 2147483647^0
{ VIRUSDEFS=`ls $VIRUSDEFS_DIR` }

:0 E
* $ VIRUSDEFS ?? ^^\/[^$NL]+
{
  VIRUS_DETECTED = $MATCH    # will be unset if not matched in INCLUDERC
  INCLUDERC = $VIRUSDEFS_DIR/$VIRUS_DETECTED

  :0
  * ! VIRUS_DETECTED ?? ^^^^
  {
    :0
    * ^Return-Path: <\/[^>]+
    { vSENDER = $MATCH }

    :0
    * ! LOGNAME ?? ^^deh^^
    { vCC = '-c deh' }

    :0 hic
    | ( echo "Probable virus, possibly from $vSENDER"; \
        echo "has been quarantined. See me for further details"; ) \
      |mail $LOGNAME $vCC -s "** Notice: $VIRUS_DETECTED **"

    LOGABSTRACT=yes
    :0
    | gzip -c >>$LOGFILEDIR/virus.gz
    :0 e
    /dev/null
  }

  :0 E
  * ! VIRUS_COLLATERAL ?? ^^^^
  {
    :0
    * ! LOGNAME ?? ^^deh^^
    { vCC = '-c deh' }

    :0 hic
    | ( echo "Some follow-up message to $VIRUS_COLLATERAL has mercifully"; \
        echo "been bit-bucketed.  See me for further details"; ) \
      |mail $LOGNAME $vCC -s "** $VIRUS_COLLATERAL collateral crap **"

    LOGABSTRACT=no
    :0
    | gzip -c >>$LOGFILEDIR/virus.crap.gz
    :0 e
    /dev/null
  }

  :0 E
  * $ VIRUSDEFS ?? ^^.+$NL\/(.+\>?)+
  { VIRUSDEFS = "$MATCH" }

  :0 E
  { VIRUSDEFS = "" }
}

:0
* ! VIRUSDEFS ?? ^^^^
{ INCLUDERC = $_ }

A virus definition may be as simple as:

# /usr/local/share/procmail/.virus/W32.Nimda.A

# W32.Nimda.A@mm
:0
*  1^0 ^Subject: Xdesktop
*  1^0 B ?? Content-Type: audio/x-wav
*  1^0 B ?? name="?readme\.e(xe|ml)"?
* -1^0
{ }
:0 E
{ VIRUS_DETECTED = "" }

or slightly more complicated:

# /usr/local/share/procmail/.virus/W32.Frethem

# W32.Frethem.K@mm
:0
*  2147483643^0

*  4^0 ^Subject: Re: Your password\!
*  4^0 B ?? name=Decrypt-password\.exe
*  4^0 B ?? name=Password\.txt
*  1^0 B ?? You can access
*  1^0 B ?? very important
*  1^0 B ?? information by
*  1^0 B ?? this password

* -2147483646^0
{
  :0
  * < 32768
  { VIRUS_COLLATERAL = $VIRUS_DETECTED  VIRUS_DETECTED = "" }
}
:0 E
{ VIRUS_DETECTED = "" }


-- 
Reply to list please, or append "8" to "procmail" in address if you must.
Spammers' unrelenting address harvesting forces me to this...reluctantly.

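An added illustration, not the poster's code (which is pure procmail): the two definitions above transcribed as weighted conditions, with the scoring arithmetic simulated in Python so the thresholds are visible (Nimda needs 2 of 3 hits, Frethem needs at least 4 points and then treats a small match as collateral). It assumes procmail clamps a recipe's score at +/-2147483647 and uses constructed sample messages.

```python
import re

MAXSCORE = 2147483647   # assumption: procmail clamps a recipe's score at +/-2147483647

def recipe_score(conditions, header, body):
    """Sum the weights of the conditions that hit, procmail-style.
    A condition is (weight, regex or None, "H" header / "B" body);
    a None regex is an unconditional adjustment such as '* -1^0'."""
    total = 0
    for weight, pattern, where in conditions:
        text = body if where == "B" else header
        if pattern is None or re.search(pattern, text, re.MULTILINE):
            total = max(-MAXSCORE, min(MAXSCORE, total + weight))
    return total

# The post's two definitions, transcribed as (conditions, collateral size limit).
DEFINITIONS = {
    "W32.Nimda.A": ([
        (1, r"^Subject: Xdesktop", "H"),
        (1, r"Content-Type: audio/x-wav", "B"),
        (1, r'name="?readme\.e(xe|ml)"?', "B"),
        (-1, None, "H")], None),                  # net: at least 2 of the 3 must hit
    "W32.Frethem": ([
        (2147483643, None, "H"),                  # base: 4 more points reach the clamp
        (4, r"^Subject: Re: Your password\!", "H"),
        (4, r"name=Decrypt-password\.exe", "B"),
        (4, r"name=Password\.txt", "B"),
        (1, r"You can access", "B"),
        (1, r"very important", "B"),
        (1, r"information by", "B"),
        (1, r"this password", "B"),
        (-2147483646, None, "H")], 32768),        # net: at least 4 points; '* < 32768'
}

def classify(header, body):
    """Return (VIRUS_DETECTED, VIRUS_COLLATERAL) as the rcfile would leave them."""
    for name, (conds, limit) in DEFINITIONS.items():
        if recipe_score(conds, header, body) > 0:
            if limit is not None and len(header) + len(body) < limit:
                return "", name        # too small to be the worm: a follow-up quoting it
            return name, ""
    return "", ""

# Constructed sample messages (not real traffic).
NIMDA_MSG = ("Subject: hi\n", "Content-Type: audio/x-wav\n name=readme.exe\n")
FOLLOWUP = ("Subject: Re: Your password!\n",
            "> You can access\n> very important\n> information by\n> this password\n")
CLEAN = ("Subject: readme\n", 'Content-Type: text/plain\n name="readme.eml"\n')
```

A single readme.eml attachment scores 1 - 1 = 0 and passes, while the quoted follow-up reaches the clamp and nets 1, so it lands in the collateral bucket rather than the virus one.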

_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
