At 21:37 2003-06-28 -0400, Dragoncrest did say:
you could pull them out and put them in a binaries directory, forwarding
along only the text portion of the message.
Actually, that's kinda what I had in mind.
Kinda, 'cept you're not forwarding the stripped message to the original
recipient, but firing it off back at the person you BELIEVE sent the
message, which 9 out of 10 times isn't the infected user that sent the message.
Date: Sat, 28 Jun 2003 21:05:30 -0400
From: mylocaladdy(_at_)myserver(_dot_)com (the address that received the bad or
illegal/infected attachment)
To: bouncee(_at_)isp(_dot_)com (person whose address appears as the sendee of said
bad/illegal/infected attachment)
Subject: Quarantined File Alert
[
You or someone at this address sent me an email with an
attachment on it with the following name: somefile.exe
[snip]
EXACTLY what I'm saying is a really bad idea. Many of the current
generation of spams are coming FROM: an address which was harvested from
the saved mail of the user who actually has the infection. So, some
well-meaning individual goes and sends a pile of these announcements out in
response to inbound viruses, and all you succeed in doing is annoying the
living fsck out of the person WHO DIDN'T MAIL YOUR USER, AND DOESN'T HAVE A
VIRUS IN THE FIRST PLACE.
Oh, and your proposed text doesn't include the *HEADERS* of the message in
question, which is one of the many beefs I've got with the damn
commercial-based systems which already take this approach - I can't even
send them the headers back and say: HELLO, where the fsck do you even see
MY MAILSERVER in these headers?
These are *VERY* annoying to list administrators, whose
"owner-listname(_at_)listdomain(_dot_)tld" addresses appear as the envelope sender of
a great number of messages out there. The listadmin gets to suffer because
some user out there - who may not even be a CURRENT subscriber, has a virus
that is culling the listowner address from their old saved email, and
that's resulting in the listadmin getting hammered with autoreply crap.
DON'T DO IT. Go ahead and trim to the headers only and forward that to the
original intended recipient so that if THEY want to follow up, they
can. Then, if they're sending emails to the wrong people, it's them doing
it, and really quickly, they'll learn that it's a bad idea, because the
available addresses in the message headers are all forged.
Take a look into how "Klez" works, and you'll see that the envelope address
isn't even the same as the From: address - that's so a human reply will be
directed to one hapless soul and delivery BOUNCES (often complete with the
virus attachment still intact) will be bounced by the postmaster to another
hapless soul.
If you wanted to fire off "hey, you're a butthead for sending me Word DOC
picture attachment to our HR department when the advert said plain text or
PDF only" that'd be different. For that, you can find autoreply scripts in
the list archives.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
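
The approach recommended in the message above (trim to the headers only and forward that to the original intended recipient, never to the apparent sender), sketched as an added example that is not part of the original post or of procmail. The function name, the `.example` addresses and the sample message are constructed for illustration.

```python
import email
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample: Klez-style forgery where envelope sender and From: differ.
SAMPLE = (
    "Return-Path: <owner-listname@listdomain.example>\r\n"
    "Received: from infected-host (192.0.2.15) by mx.myserver.example\r\n"
    "From: bouncee@isp.example\r\n"
    "To: mylocaladdy@myserver.example\r\n"
    "Subject: A funny game\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="somefile.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n"
    "--b1--\r\n"
)

def build_recipient_notice(raw, local_recipient, postmaster):
    """Build a headers-only notice for the intended local recipient."""
    msg = email.message_from_string(raw)
    # Keep the complete original header block so Received: lines can be traced.
    headers = "".join(f"{k}: {v}\n" for k, v in msg.items())
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()

    notice = EmailMessage()
    notice["From"] = postmaster
    # Addressed to the local recipient only; the message's own From: and
    # Return-Path are untrusted and are never used as a destination.
    notice["To"] = local_recipient
    notice["Subject"] = "Quarantined attachment: " + ", ".join(names)
    body = "Attachment(s) removed: " + ", ".join(names) + "\n"
    if envelope != from_addr:
        body += "Envelope sender and From: differ; treat both as forged.\n"
    body += "\n--- original headers ---\n" + headers
    notice.set_content(body)  # headers only: no body text, no attachment data
    return notice

if __name__ == "__main__":
    print(build_recipient_notice(
        SAMPLE, "mylocaladdy@myserver.example", "postmaster@myserver.example"))
```
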