On Fri, 19 Sep 2003 09:35:48 -0700, Gary Funck <gary(_at_)intrepid(_dot_)com>
wrote:
=> I tried this out, and it doesn't seem to catch the latest M$FT update hoax.
The recipe below works great for us. This list is a terrific resource
in large part due to the group of regular posters here. My thanks to everyone
here who has contributed to the list and [indrectly/directly] to this recipe:
DQ = '"'
WS = "[ ]*"
NONSPACETAB = "[^ ]"
OR = "2147483647^0"
STOP = "-2147483647^0"
# note: CTYPE is content-type header contents captured earlier
VIRUSPGM = '[^"]+\.\
(asd|bat|cpl|chm|com|dbx|dll|dot|eml|exe|hlp|hta|jse?|key|lnk|ocx|\
mbx|mmf|nch|ocs|pif|reg|scr|sh[bs]|tbb|vb[se]?|ws[fhe]|{[-0-9a-f]+})'
TEMP = "^Content-${NONSPACETAB}+:${WS}[^;]+;(\>)*(file)?name${WS}=${WS}${DQ}?"
:0
* > 5000
* $ $OR ${TEMP}\/${VIRUSPGM}
* $ $STOP ! CTYPE ?? multipart
* $ B ?? $OR ${TEMP}\/${VIRUSPGM}
{ BLOCK_THIS="Virus trap: ${MATCH}" }
HTH,
- Don
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail