At 10:29 2003-01-13 -0800, procmail(_at_)deliberate(_dot_)net did say:
On Mon, 13 Jan 2003 01:44:19 +0200, "Nikos K. Kantarakias" wrote:
=> * name[ ]*=.*\.(bat|pif|vb[as]|scr|lnk|com|exe|{[-0-9a-f]+})"?[ ]*$
Apologies for what may be a stupid question, but I'm a
bit confused as to why you'd be trapping for an "extension" that
is apparently a hexadecimal number. Can you say more about that?
I don't know Nikos' reasoning (nor do I use this recipe), but it is likely
that is there to catch M$ CLSID (esp with the curly braces as
delimiters). If you have access to an M$ box, run "regedit", and traverse
the registry tree to HKEY_CLASSES_ROOT\CLSID\, and you'll see an abundance
of them.
Chances are, that's there to protect against some viruses which affect
OutBreak (uh, I mean LookOut, no, OutLook, that's it) and OutBreak Express.
I may be overly paranoid; I use the following string of
potentially "active" extensions to block:
(bat|chm|com|cpl|dll|exe|hlp|hta|jse?|key|lnk|ocx|pif|reg|scr|sh[bs]|vb[se]?|ws[fhe])
some others you're missing:
as[xp]
ba[st]
c(lass|md|om)
j(ava|se?|sp|tmpl)
s(cr|ys)
ws[cfh]
What type of executable is sh[bs]? What is wse (wise installer script -
that's source, isn't it?) ?
There's a nice, straightforward attachment filter at:
<http://www.johncon.com/john/QuarantineAttachments/>
I use a filter excerpted from that for my systemwide (/etc/procmailrc)
virus filter.
One other question: in developing my more complex [using
several variables] virus program test, I ran across problems with
the double quote and I note that you use it "naked" above.
Perhaps you were using the doublequote in a shelled program, such as grep
or sed?
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
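
An added example, not part of the original post or of any recipe in the thread: the extension alternation quoted in the message, together with the `{hex-and-dashes}` CLSID form from the original recipe, applied to attachment names taken from parsed MIME parts. It goes beyond the single-header regex by using Python's `email` parser, so quoted and unquoted `name=`/`filename=` values are handled alike; the function name `risky_attachments` and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Alternation quoted in the message above, plus the brace-delimited
# CLSID "extension" from the original recipe ({ is escaped for Python).
BLOCKED_EXT = re.compile(
    r"\.(bat|chm|com|cpl|dll|exe|hlp|hta|jse?|key|lnk|ocx|pif|reg|scr|sh[bs]"
    r"|vb[se]?|ws[fhe]|\{[-0-9a-f]+\})\s*$",
    re.IGNORECASE,  # procmail conditions are case-insensitive by default
)

def risky_attachments(raw_message):
    """Return attachment filenames whose final extension is on the list."""
    hits = []
    for part in message_from_string(raw_message).walk():
        # get_filename() reads Content-Disposition filename= and falls
        # back to Content-Type name=, stripping any surrounding quotes.
        name = part.get_filename()
        if name and BLOCKED_EXT.search(name):
            hits.append(name)
    return hits

# Constructed sample message (hypothetical addresses, all-zero CLSID).
SAMPLE = """\
From: sender@example.org
To: rcpt@example.org
Subject: constructed test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

hello
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename="notes.txt.{00000000-0000-0000-0000-000000000000}"

x
--BOUND
Content-Type: application/octet-stream; name=Report.PIF

x
--BOUND
Content-Type: text/plain; name="readme.txt"

x
--BOUND--
"""

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```
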