procmail

Re: Virus filter

2003-08-22 03:47:19

On Friday Aug 22 2003 at 02:48 Canada/Mountain Ruud H.G. van Tol wrote:

Frank Nørvig wrote:

    * ^Content-Disposition: attachment;
    *filename=.*\.(scr|lnk|vbs|swf|shs|com|pif|bat|src|wfs|vbe|wsh|hta)

It works quite well on attachments like "virus.com" but it also catches
files like "www.virusfree.com.document.zip"

I use something like:

  :0
  * ^Content-Type: multipart/(alternative|mixed)
  * B ?? ^Content-Type: \
         application.*;.*($.*)?\
         name=.*\.(scr|com|bat|pif|lnk|exe)(")?$
  IN.virus/


More 'special' extensions:

ade adp asd bas bat bin chm cil cmd com cpl crt dll doc dot drv
eml exe hlp hta inf ini ins isp jse lnk mdb mde msc msi msp mst
net nws ocx pcd pdf pif pps pwl reg rm  scr sct shb shm shs src
swf sys vb  vbe vxd wfs wsc wsh xls xlt

ade adp bas bat chm cmd com cpl crt dll exe hlp hta inf ins isp
 js jse lnk mdb mde mdt mdw msc msi msp mst nws ops pcd pif prf
reg scf scr sct shb shs shm swf vbe vbs vbx vxd wsc wsf wsh

is the list I use, although I am now blocking them at the SMTP level and not with procmail.

The important one seems to be pif, I am temp-blacklisting IPs that send me .pif files.

--
This above all to thine own self be true
And it must follow as the night the day,
Thou canst not then be false to any man.



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
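
The false positive discussed in this thread ("www.virusfree.com.document.zip" caught by an unanchored `\.(…|com|…)` match) can be reproduced and avoided by comparing only the last extension of each declared attachment name. The following is an added example, not code from the thread or from procmail; it uses Python's `email` module instead of a procmail recipe, and the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Extensions from the second recipe quoted in the thread.
BLOCKED = {"scr", "com", "bat", "pif", "lnk", "exe"}
# Unanchored match, as in the first recipe: ".com" anywhere in the name hits.
UNANCHORED = re.compile(r"\.(" + "|".join(sorted(BLOCKED)) + ")", re.I)

def attachment_names(raw):
    """Names declared via Content-Disposition filename= or Content-Type name=."""
    names = []
    for part in message_from_string(raw).walk():
        for value in (part.get_param("filename", header="content-disposition"),
                      part.get_param("name")):
            if value:
                names.append(collapse_rfc2231_value(value))
    return list(dict.fromkeys(names))  # drop duplicates, keep order

def final_extension(name):
    """Last extension only, lowercased; trailing dots and spaces are ignored."""
    name = name.strip().rstrip(". ")
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def blocked(raw):
    return [n for n in attachment_names(raw) if final_extension(n) in BLOCKED]

def unanchored_hits(raw):
    return [n for n in attachment_names(raw) if UNANCHORED.search(n)]

# Constructed sample message (not taken from the thread).
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="virus.com"
Content-Disposition: attachment; filename="virus.com"

x
--b1
Content-Disposition: attachment; filename="www.virusfree.com.document.zip"

x
--b1
Content-Disposition: attachment; filename="photo.jpg.PIF"

x
--b1--
"""
```

On the sample, `unanchored_hits` flags all three names, while `blocked` flags only `virus.com` and `photo.jpg.PIF`.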

