procmail

RE: Blocking some attachments

2003-09-19 10:12:01

This is a brute-force rule that mostly works:

#
# Virus scanning (of sorts)
#
# Protection from certain filetypes
#
:0:
* ! ^List-Id:.*procmail
* 9876543210^0 ^Content-[-a-z0-9_]+:.*="?[^"]*\.(exe|vb[se]|ws[fh]|hta|shs|scr|pif)
* 9876543210^0 B ?? ^Content-[-a-z0-9_]+:.*($[  ].*)*="?[^"]*\.(exe|vb[se]|ws[fh]|h$|pif|scr)
virus-trap

As you can see, it is a hack because it can't determine if the use of the line
with Content- in the body is in fact an attachment delimiter or simply
something talking about such attachments (for example, this message). Hence the
need to filter out discussion lists that often talk about filtering
attachments. Also, throwing out all .exe's is a little dangerous when the boss
sends you the latest contract for review and it is packaged as a
self-extracting .zip file. Hopefully, that practice is no longer in common use.

-----Original Message-----
From: procmail-bounces(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
[mailto:procmail-bounces(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE] On Behalf Of Luis Daniel Lucio Quiroz
Sent: Saturday, September 20, 2003 8:38 AM
To: procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
Subject: Blocking some attachments


Because there are many attachments that are dangerous, I'm planning to
block all email-worms that have a .PIF attachment.

I was thinking of a ruleset like this:

:0
* ^Content-Type: multipart/alternative;
* .*\.pif

/dev/null


My doubts. The "." character means any character, so if I really want
the dot character, may I escape it?
When any mail has attachments, it must contain the Content-Type:
multipart/alternative; string, or not?
Later, any filename *.pif should be blocked.


I'll appreciate any contributions.

LD.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
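
The limitation noted in the reply (a Content- line in the body may be discussion rather than a real attachment header) can be avoided by parsing the MIME structure before checking filenames. The following is an added example, not code from the thread, using Python's standard email module; the function name and both sample messages are constructed for illustration.

```python
import email
import re

# Extensions taken from the header condition of the recipe in the reply.
BLOCKED = re.compile(r"\.(exe|vb[se]|ws[fh]|hta|shs|scr|pif)$", re.IGNORECASE)

def blocked_attachments(raw_message):
    """Return filenames of real MIME parts whose extension is blocked."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, falling back
        # to Content-Type name=, from this part's own headers only.
        name = part.get_filename()
        # Ignore trailing whitespace or dots before testing the extension.
        if name and BLOCKED.search(name.strip().rstrip(".")):
            hits.append(name)
    return hits

# Constructed sample 1: a list post that only talks about attachments.
DISCUSSION = """\
From: alice@example.org
Subject: RE: Blocking some attachments
Content-Type: text/plain

The worm arrives with a header like this:
Content-Type: application/octet-stream; name="movie.pif"
"""

# Constructed sample 2: a real attachment inside multipart/mixed.
ATTACHED = """\
From: mallory@example.org
Subject: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/octet-stream; name="document.txt.PIF"
Content-Disposition: attachment; filename="document.txt.PIF"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

if __name__ == "__main__":
    print(blocked_attachments(DISCUSSION))
    print(blocked_attachments(ATTACHED))
```

Because only part headers are inspected, the List-Id exemption is no longer needed to protect discussion lists; the self-extracting .exe concern raised in the reply still applies.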