
Re: Plaintext base64 error.hta attachment

2003-05-31 09:56:13
At 11:47 2003-05-31 +0200, Dallman Ross did say:
> On Fri, May 30, 2003 at 09:21:37PM -0700, procmail(_at_)deliberate(_dot_)net
> wrote:
> >
> >       I just got several extremely nasty looking emails all of
> > which just now snuck by my otherwise 100% accurate attachment
> > filters.
>
> Not sure why they made it past the old virus checker that Phillip
> Guenther posted four or five years ago.  I use a revised version

FTR, my modified version of what you can find at
         <http://www.johncon.com/john/QuarantineAttachments/>

caught your message to the procmail list and quarantined it just fine. Here's the pertinent section of the log:

procmail: Score:      -3      -3 ""
procmail: Score:       1      -2 "^Content-Type:[       ]*multipart/"
procmail: Score:       4       2 "name[ ]*($[ ]+)*=[ ]*($[ ]+)*"?.*\.(as[xp]|ba[st]|c(lass|md|om|hm|pl)|dll|exe|h(lp|ta)|ini|j(ava|se?|sp|tmpl)|key|lnk|ocx|p(atch|if)|s(cr|ys)|vb[aes]?|ws[ecfh])(\..*)?"?[ ]*($[ ]+)*$"
procmail: Score:       0       2 "begin[ ]*($[ ]+)*[0-9]+[ ]*($[ ]+)*.*\.(as[xp]|ba[st]|c(lass|md|om|hm|pl)|dll|exe|h(lp|ta)|ini|j(ava|se?|sp|tmpl)|key|lnk|ocx|p(atch|if)|s(cr|ys)|vb[aes]?|ws[ecfh])(\..*)?[ ]*($[ ]+)*$"

My modifications chiefly consist of a bounce wrapper, which discards the body and passes the original headers along in the body of a new notification message.

I deal with viruses via a file INCLUDERC'd from /etc/procmailrc, so the action is global for all of my users (though I've got measures to permit selective participation).


In the future, if you're going to forward a snippet for discussion, it might make sense to deliberately smack the filename extension (and of course, to not have the actual encoded attachment, but that wasn't an issue here), and simply note that you've smacked it.

Note: I don't consider the action of the virus filter incorrect - although your message itself did not contain the full virus, an increasing number of MIME messages fail to have complete MIME encapsulation, and yet some (read: MS OutBreak) MUAs will still interpret the content, so you're better off playing it safe than assuming that parseable MIME chunks must have a content separator matching the one in the headers.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
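Added example, not code from this thread or from the johncon.com filter: a Python re-implementation of the scoring the log above shows, run against constructed messages (a real MIME attachment, a plaintext forwarded snippet like the one that started the thread, and the same snippet with its extension smacked). Assumptions: the bracket expressions hold a space and a tab, each condition is counted once, the whole message (headers and body) is searched, and the uuencode "begin" rule weighs 4 like the "name=" rule (the log only shows it contributing 0).

```python
import re

# Extension alternation copied verbatim from the log lines above.
EXT = (r"(as[xp]|ba[st]|c(lass|md|om|hm|pl)|dll|exe|h(lp|ta)|ini|j(ava|se?|sp|tmpl)"
       r"|key|lnk|ocx|p(atch|if)|s(cr|ys)|vb[aes]?|ws[ecfh])")
# In a procmail condition a bare '$' matches a newline, so '($[ ]+)*' steps over
# folded header continuation lines; FOLD is the Python equivalent.
FOLD = r"(\n[ \t]+)*"
FLAGS = re.MULTILINE | re.IGNORECASE  # procmail conditions ignore case by default
MULTIPART_RE = re.compile(r"^Content-Type:[ \t]*multipart/", FLAGS)
NAME_RE = re.compile(r"name[ \t]*" + FOLD + r"=[ \t]*" + FOLD + r'"?.*\.' + EXT
                     + r'(\..*)?"?[ \t]*' + FOLD + r"$", FLAGS)
BEGIN_RE = re.compile(r"begin[ \t]*" + FOLD + r"[0-9]+[ \t]*" + FOLD + r".*\." + EXT
                      + r"(\..*)?[ \t]*" + FOLD + r"$", FLAGS)
# (weight, pattern) in log order; -3 is the base score.  Assumptions: each
# condition counts once, and the uuencode 'begin' rule weighs 4 like 'name='.
RULES = [(-3, None), (1, MULTIPART_RE), (4, NAME_RE), (4, BEGIN_RE)]

def score(msg: str) -> int:
    """Mimic 'procmail: Score: delta total cond' logging; recipe fires if > 0."""
    total = 0
    for weight, rx in RULES:
        delta = weight if rx is None or rx.search(msg) else 0
        total += delta
        print(f'procmail: Score: {delta:7d} {total:7d} "{rx.pattern if rx else ""}"')
    return total

def quarantined(msg: str) -> bool:
    return score(msg) > 0

# Constructed samples.  FULL_MIME is a real .hta attachment (body omitted).
FULL_MIME = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/hta;
\tname="error.hta"
Content-Transfer-Encoding: base64
--b1--
"""
# FORWARDED quotes the headers as plain text with no multipart wrapper, like the
# snippet that started this thread; SMACKED is the same with the extension mangled.
FORWARDED = """\
Content-Type: text/plain

Forwarding what I received:
Content-Type: application/hta; name="error.hta"
Content-Transfer-Encoding: base64
"""
SMACKED = FORWARDED.replace('error.hta"', 'error.hta_REMOVED"')
```

FULL_MIME scores 2 and FORWARDED scores 1, so both are quarantined exactly as the log describes, while SMACKED stays at the base score of -3 and passes.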