Re: Question about filtering by attachment.
2003-08-01 23:38:17
At 22:57 2003-08-01 -0400, Dragoncrest did say:
> How do you get procmail to auto-send a reply about a particular
> blocked email based on the attachment? So if the file received has for
> example a zip extension, I want it to send a reply email saying something
> like "Sorry, but this type of file is no longer permitted due to the
> spamming of viruses as of late.
Which is, uh, rather ineffective if the files which _shouldn't_ be sent are
sent by bogus senders who won't actually be the poor sod at the receiving
end of the message you're sending in reply. The legitimate (non-viral)
files are sent From: legitimate senders, and are the people who will be
inconvenienced by you telling them that they have to switch to another
archiving tool in order to send you files - until THAT archival tool
becomes the target of a virus, then they'll have to hand-courier the data
to you or something else.
I'd highly caution against sending a reply for the new W32/Mimail-A virus
and its ilk. For that matter, nixing ZIP files is a bad idea IMO - it
takes a special breed of total fscking MORON to actually open an attached
zipfile and then *EXECUTE* the included files. The rest of the world
understands that you have to go out of your way to actually become INFECTED
with a virus when it's in a ZIP - your email program doesn't automatically
RUN them, and your archiving tool shouldn't automatically be running
anything when it extracts them, so anyone so totally fscking STUPID enough
to get infected from a ZIP is going to manage to get infected some other
way, like downloading dialer programs claiming to be "free online casinos"
and other nonsense.
Don't cripple the communication medium just to cater to making the world a
safer place for morons.
> Please try using RAR instead which is available at winrar.com" and have
> it be sent out automatically.
Hah. You think virus files can't be put into RAR files, or ZOO, or .GZ, or
whatever? Think again. I've seen viruses and trojans transported in RAR
files. Genocide, Hookdump...
The bottom line is that the MORON who gets infected by actually invoking a
program which was sent to them really needs to have their skillset
re-evaluated, and if they're not competent enough to use a computer,
perhaps they should be assigned to a job which doesn't involve
one. Greeting people with "would you like fries with that" might be about
their level - at least they can't run arbitrary code sent to them by
unknown persons on the cash register.
Perhaps if a few more people started using tools such as PGP to sign
official messages (I'm not a big proponent of digitally signing _all_
correspondence though - as some people on this list do, which makes their
posts come across as _attachments_), then messages with attachments would
be easier to confirm as having been actually sent by their claimed author.
> But if it fails, instead of me being flooded with mailer daemon notices, I
> want those particular ones to go into my viruses folder.
This particular one can easily be dealt with something such as:
# Tag W32/Mimail-A by its header and body signature. Nothing is delivered
# here; the recipe only sets VIRUSNAME so a later recipe can decide what to
# do with the message. "B ??" conditions search the body, the others the head.
:0
* ^Subject:[ ]*your account[ ]+
* ^From:.*\<admin@
* B ?? ^Please read attachment for details\.
* B ?? ^Content-Type: application/x-zip-compressed
{
VIRUSNAME="W32/Mimail-A"
}
Thus far, all the ones I've seen have had the From: identify an admin@
address - if this isn't the case, modify as appropriate. I've seen a
number of other header characteristics (X-Mailer and X-Scanned-By) as well,
but don't know if they're consistent or not.
BTW - The multitudes of copies of this trojan which I received originated
through an _ENRON_ (yup, the corporation of thieves) system. They were
also deliberately sent to a backup MX, making it difficult to simply
arbitrarily block the sending host. I was receiving these as a result of
mailing lists hosted at another site, but on my own systems, there's the
nifty SMTP AUTH requirement.
Running the messages through my spam filter also characterized them as spam
(deliberate use of backup MX, excess of embedded space in subject, trailing
code blurb, mime multipart/mixed, and subject scoring all added up to spam).
So, before you make the rash decision to ban ZIP as a viral carrier,
consider taking steps to identify this virus for what it is and handle it
that way.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
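A complete recipe set that builds on the Mimail-A signature in the reply above, added here as an example and not taken from Sean's post or from any procmail distribution. It assumes an mbox folder named "viruses" under $MAILDIR (a hypothetical name), that bounce notices quote the original message so its headers appear in the bounce body, and it uses procmail's built-in ^FROM_MAILER macro to recognise daemon senders. The virus is only tagged in a variable first, so the filing decision (and the deliberate absence of an auto-reply) lives in one place.

```procmail
# Added example, not from the original post.  Assumes $MAILDIR/viruses exists
# (an mbox file; use "viruses/" for a directory folder) and the W32/Mimail-A
# signature quoted in the reply above.

# 1. Recognise the virus itself.  Nothing is delivered here; the recipe only
#    sets VIRUSNAME so later recipes can act on it.  "B ??" searches the body.
:0
* ^Subject:[ ]*your account[ ]+
* ^From:.*\<admin@
* B ?? ^Please read attachment for details\.
* B ?? ^Content-Type: application/x-zip-compressed
{
  VIRUSNAME="W32/Mimail-A"
}

# 2. Recognise bounces (mailer-daemon notices) caused by forged copies sent in
#    your name.  ^FROM_MAILER is procmail's built-in pattern for daemon
#    senders.  The bounce quotes the original message, so the original's
#    headers show up in the *body* of the bounce and are searched with B.
#    (Assumption: the bounce includes the original message, not just a stub.)
:0
* ^FROM_MAILER
* B ?? ^Content-Type: application/x-zip-compressed
* B ?? ^Please read attachment for details\.
{
  VIRUSNAME="W32/Mimail-A (bounce)"
}

# 3. File anything tagged above and note what it was in the procmail log.
#    "VIRUSNAME ?? ." tests that the variable is non-empty.  No auto-reply is
#    generated: the From: on these is forged, so a reply would only reach an
#    uninvolved third party.
:0
* VIRUSNAME ?? .
{
  LOG="Filed as $VIRUSNAME
"
  :0:
  viruses
}
```

Because recipe 1 and recipe 2 only assign a variable, they never terminate processing, so a clean message falls through to whatever recipes follow. Recipe 3 is a delivering recipe (note the trailing colon for a local lockfile), so anything tagged stops there and never reaches the inbox.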