On Friday Aug 22 2003 at 02:48 Canada/Mountain Ruud H.G. van Tol wrote:
Frank Nørvig skribis:
* ^Content-Disposition: attachment;
*filename=.*\.(scr|lnk|vbs|swf|shs|com|pif|bat|src|wfs|vbe|wsh|hta)
It works quite well on attachments like "virus.com" but it also
catches
files like "www.virusfree.com.document.zip"
I use something like:
:0
* ^Content-Type: multipart/(alternative|mixed)
* B ?? ^Content-Type: \
application.*;.*($.*)?\
name=.*\.(scr|com|bat|pif|lnk|exe)(")?$
IN.virus/
More 'special' extensions:
ade adp asd bas bat bin chm cil cmd com cpl crt dll doc dot drv
eml exe hlp hta inf ini ins isp jse lnk mdb mde msc msi msp mst
net nws ocx pcd pdf pif pps pwl reg rm scr sct shb shm shs src
swf sys vb vbe vxd wfs wsc wsh xls xlt
ade adp bas bat chm cmd com cpl crt dll exe hlp hta inf ins isp
js jse lnk mdb mde mdt mdw msc msi msp mst nws ops pcd pif prf
reg scf scr sct shb shs shm swf vbe vbs vbx vxd wsc wsf wsh
is the list I use, although I am now blocking them at the SMTP level
and not with procmail
The important one seems to be pif, I am temp-blacklisting IPs that send
me .pif files.
--
This above all to thine own self be true
And it must follow as the night the day,
Thou canst not then be false to any man.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail