On Fri, May 30, 2003 at 09:21:37PM -0700, procmail(_at_)deliberate(_dot_)net
wrote:
> I just got several extremely nasty looking emails all of
> which just now snuck by my otherwise 100% accurate attachment
> filters.
Not sure why they made it past the old virus checker that Phillip
Guenther posted four or five years ago. I use a revised version
of it to this day, as one of my only two virus recipes. It caught
your sample fine in my test harness. I have yet to see a virus get
by both the virus recipes. Here's the one in question, so you
can stop reinventing the wheel:
# Weighted scoring: $GO adds a huge positive weight, $STOP its negative;
# the recipe matches only if the total is positive.
# 1: a Content-* header in the headers names a file with a nasty extension
# 2: unless the Content-Type is multipart, add $STOP
# 3: the same test on the body (B ??), allowing folded continuation lines
:0 # 030403 () based loosely on an original from Philip Guenther
* $ $GO^0 ^Content-[^$WS]+:.*=$DQ?[^$DQ]*\.$NASTYEXT
* $ $STOP^0 ! CTYPE ?? ^^multipart
* $ B ?? $GO^0 ^Content-[^$WS]+:.*($[$WS].*)*=[$WS]*($[$WS]+)*$DQ?\
[^$DQ]*\.$NASTYEXT
{ RX = "${RX:+$RX, }VIR_01" }
$GO is an oversaturated "infinity" of 9876543210. $STOP is its negative.
$CTYPE contains the Content-Type: header, which I save early on in my rc.
$DQ is a var containing only a double-quotation mark (my editor otherwise
does ugly things if I view them raw, is why). $WS is whitespace -- a
space and a tab. $NASTYEXT is currently this for me:
NASTYEXT = (hta|pif|scr|shs|vb[se]|ws[fh]|(doc|txt|xls)\\.)
Suggest you add exe and bat and a few more things that I left off
of mine on purpose. Anyway, the recipe caught your sample. Here
is my (non-verbose, but highly customized) log output from my
test harness.
11:45am [~/Mail] 270[1]> rctest testvir
>>>>> START LOG FOR NEW MESSAGE [LOGFILE: 030531] <<<<<
: We're exiting Section ENV
: We're entering Section DO_ME_FIRST
>> HOST is munged5.munged.com <<
: We're exiting Section DO_ME_FIRST
: We're entering Section MY_DOMAINS
===> DOM is >munged.com<
: We're exiting Section MY_DOMAINS
: We're entering Section HEADERS
===> FROM is >Mail Delivery Subsystem
<MAILER-DAEMON(_at_)yahoo(_dot_)com><
===> LOCALPART is >MAILER-DAEMON<
===> SUBJECT is >Mail Delivery Error [jgKFiTkayUraLHgG]<
===> TO is >Don <don(_at_)EXAMPLE(_dot_)COM><
===> CC is not present
===> MSGID is ><417DB4175D6K7801(_at_)yahoo(_dot_)com><
===> DH is >MISSING!<
===> FOGGYCLIENT is ><
===> CTYPE is >multipart/mixed<
: We're exiting Section HEADERS
: We're entering Section VIRUS
> Recipe-ID: VIR_01 <
From MAILER-DAEMON(_at_)yahoo(_dot_)com Sat May 31 02:14:53 2003
Subject: Mail Delivery Error [jgKFiTkayUraLHgG]
Folder:
Hope that helps.
Dallman
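As an added illustration, not code from the post or its author: a Python model of the recipe's three weighted conditions (header test, STOP unless multipart, body test with folded lines) and its RX tagging, run over two constructed messages. The clamping at +/-2147483647 is this model's assumption about procmail's saturating score arithmetic; the sample messages are constructed.

```python
import re

# Values from the post; the clamping below models procmail's saturating
# score arithmetic and is an assumption of this example, not the post's.
GO, STOP, INFINITY = 9876543210, -9876543210, 2147483647
NASTYEXT = r'(hta|pif|scr|shs|vb[se]|ws[fh]|(doc|txt|xls)\.)'

# Python renderings of the two condition regexes: a Content-* header whose
# parameter value (optionally double-quoted) ends in a nasty extension; the
# body form also accepts folded continuation lines (the recipe's $[$WS]).
HEADER_RE = re.compile(r'^Content-[^ \t]+:.*="?[^"]*\.' + NASTYEXT, re.M | re.I)
BODY_RE = re.compile(
    r'^Content-[^ \t]+:.*(\n[ \t].*)*=[ \t]*(\n[ \t]+)*"?[^"]*\.' + NASTYEXT,
    re.M | re.I)

def score_recipe(raw):
    """Evaluate the recipe's three weighted conditions in order and
    return (matched, final_score); the recipe fires when score > 0."""
    head, _, body = raw.partition("\n\n")
    m = re.search(r'^Content-Type:[ \t]*([^;\s]+)', head, re.M | re.I)
    ctype = m.group(1) if m else ""          # what the rc saves as CTYPE
    conditions = [
        (GO, HEADER_RE.search(head) is not None),            # header names a nasty file
        (STOP, not ctype.lower().startswith("multipart")),   # ! CTYPE ?? ^^multipart
        (GO, BODY_RE.search(body) is not None),              # B ?? a MIME part does
    ]
    score = 0
    for weight, hit in conditions:
        if hit:  # ^0 exponent: weight counted once, clamped to +/- infinity
            score = max(-INFINITY, min(INFINITY, score + weight))
    return score > 0, score

def tag(rx, matched):
    """Mimic RX = "${RX:+$RX, }VIR_01": append the recipe id to the RX list."""
    return (f"{rx}, VIR_01" if rx else "VIR_01") if matched else rx

# Constructed samples: a bounce lookalike with a .pif named on a folded line,
# and a harmless single-part note that hits the $STOP condition.
NASTY_MSG = """Subject: Mail Delivery Error
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream;
\tname="message.pif"

TVqQAAMAAAAEAAAA
--b1--
"""
PLAIN_MSG = "Subject: hi\nContent-Type: text/plain; charset=us-ascii\n\njust hi\n"
```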
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail