
Re: Question about filtering by attachment.

2003-08-01 23:38:17
At 22:57 2003-08-01 -0400, Dragoncrest did say:
How do you get procmail to auto-send a reply about a particular blocked email based on the attachment? So if the file received has for example a zip extension, I want it to send a reply email saying something like "Sorry, but this type of file is no longer permitted due to the spamming of viruses as of late.

Which is, uh, rather ineffective if the files which _shouldn't_ be sent are sent by bogus senders who won't actually be the poor sod at the receiving end of the message you're sending in reply. The legitimate (non-viral) files are sent From: legitimate senders, and are the people who will be inconvenienced by you telling them that they have to switch to another archiving tool in order to send you files - until THAT archival tool becomes the target of a virus, then they'll have to hand-courier the data to you or something else.

I'd highly caution against sending a reply for the new W32/Mimail-A virus and its ilk. For that matter, nixing ZIP files is a bad idea IMO - it takes a special breed of total fscking MORON to actually open an attached zipfile and then *EXECUTE* the included files. The rest of the world understands that you have to go out of your way to actually become INFECTED with a virus when it's in a ZIP - your email program doesn't automatically RUN them, and your archiving tool shouldn't automatically be running anything when it extracts them, so anyone so totally fscking STUPID enough to get infected from a ZIP is going to manage to get infected some other way, like downloading dialer programs claiming to be "free online casinos" and other nonsense.

Don't cripple the communication medium just to cater to making the world a safer place for morons.

Please try using RAR instead which is available at winrar.com" and have it be sent out automatically.

Hah. You think virus files can't be put into RAR files, or ZOO, or .GZ, or whatever? Think again. I've seen viruses and trojans transported in RAR files. Genocide, Hookdump...

The bottom line is that the MORON who gets infected by actually invoking a program which was sent to them really needs to have their skillset re-evaluated, and if they're not competent enough to use a computer, perhaps they should be assigned to a job which doesn't involve one. Greeting people with "would you like fries with that" might be about their level - at least they can't run arbitrary code sent to them by unknown persons on the cash register.

Perhaps if a few more people started using tools such as PGP to sign official messages (I'm not a big proponent of digitally signing _all_ correspondence though - as some people on this list do, which makes their posts come across as _attachments_), then messages with attachments would be easier to confirm as having been actually sent by their claimed author.

But if it fails, instead of me being flooded with mailer daemon notices, I want those particular ones to go into my viruses folder.

This particular one can easily be dealt with using something such as:

        # Tag (don't bounce) W32/Mimail-A: the header checks look at the
        # Subject: and From: lines, the B ?? checks look at the message body.
        # The [ 	] classes contain a literal space and a literal tab.
        :0
        * ^Subject:[ 	]*your account[ 	]+
        * ^From:.*\<admin@
        * B ?? ^Please read attachment for details\.
        * B ?? ^Content-Type: application/x-zip-compressed
        {
                # Later recipes deliver on VIRUSNAME rather than replying
                VIRUSNAME="W32/Mimail-A"
        }

Thus far, all the ones I've seen have had the From: identify an admin@ address - if this isn't the case, modify as appropriate. I've seen a number of other header characteristics (X-Mailer and X-Scanned-By) as well, but don't know if they're consistent or not.

BTW - The multitudes of copies of this trojan which I received originated through an _ENRON_ (yup, the corporation of thieves) system. They were also deliberately sent to a backup MX, making it difficult to simply arbitrarily block the sending host. I was receiving these as a result of mailing lists hosted at another site, but on my own systems, there's the nifty SMTP AUTH requirement.

Running the messages through my spam filter also characterized them as spam (deliberate use of backup MX, excess of embedded space in subject, trailing code blurb, mime multipart/mixed, and subject scoring all added up to spam).

So, before you make the rash decision to ban ZIP as a viral carrier, consider taking steps to identify this virus for what it is and handle it that way.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
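The complete flow the thread arrives at (identify the specific trojan, file it in the viruses folder, and send no automatic reply because the From: is forged), as an added example that is not part of Sean's post or of procmail's own documentation. It reuses his signature recipe unchanged; the MAILDIR, LOGFILE and `viruses` folder paths are assumptions for the reader to adapt, and the `[ 	]` classes contain a literal space and tab.

```procmail
# Added example, not from the original post. Assumed paths: adjust MAILDIR,
# LOGFILE and the "viruses" folder to your own setup.
MAILDIR=$HOME/Mail
LOGFILE=$MAILDIR/procmail.log
LOGABSTRACT=all
VIRUSNAME=

# 1. Identify the trojan by its characteristic headers and body text.
#    Header conditions run against the header; B ?? conditions run against
#    the body. Matching only tags the message via VIRUSNAME.
:0
* ^Subject:[ 	]*your account[ 	]+
* ^From:.*\<admin@
* B ?? ^Please read attachment for details\.
* B ?? ^Content-Type: application/x-zip-compressed
{
        VIRUSNAME="W32/Mimail-A"
}

# 2. Anything tagged is filed, never answered. The From: on these messages
#    is forged, so an autoreply would land on an uninvolved third party or
#    come back as the mailer-daemon noise the poster wanted to avoid.
#    "VIRUSNAME ?? ." is true whenever the variable is non-empty, so further
#    signature recipes can be added above without touching this one.
:0
* VIRUSNAME ?? .
{
        # Trailing colon: use a lockfile, since the folder is an mbox file.
        :0:
        viruses
}

# 3. Everything else falls through to normal delivery. Note that a generic
#    "block every ZIP" recipe is deliberately absent: legitimate archives
#    from real senders keep flowing, and only the identified trojan is
#    diverted.
```

Test it before trusting it: `procmail -m -a /dev/null ./this.rc < sample.msg` (or `procmail VERBOSE=on DEFAULT=/dev/null`-style dry runs) with a saved copy of one of the trojan messages and with a legitimate ZIP-carrying message, and confirm from LOGFILE that only the former lands in `viruses`.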
