procmail

RE: zips getting past recipe for virtual domain

2004-03-25 13:42:17
Dallman, et al.:

On Wed, Mar 24, 2004 at 03:45:55PM -0600, scott.list wrote:
I have this recipe for getting rid of the bad zips:

:0 B
* > 3000
* < 40000
* ^.*name=.*\.zip
/home/mail/virus

The above comes after Dallman's snagger.

It was working fine until the last round of virus I presume
morphed. Zips started making it through but I noticed all that made
it were to one virtual domain of mine. The domain is a virtual host
on my mailserver box. Is there anything I can do to make that mail
get snagged by the above, too? A sample header of one that passed is
below:

Thanks very much for the time to help.
Scott


Offhand I see no reason for the failure, other than if the size is
out of bounds. Remember that


 * < 40000


includes the headers, even when the recipe flags specify "B" only. If
there are lots of headers and the file was already near the upper end
of the range, the headers could be throwing it over. What is the size
of the message with headers? And what do your verbose logs say?

Verbose logs just said no match when one of these passed through:

<snip>
procmail: Match on "> 3000"
procmail: Match on "< 40000"
procmail: No match on "name=*\.zip"
<snip>



You could do:


   * B ?? < 40000

Better not.  I just barely understand the "normal" more verbose
commands <big smile>.

But two notes: First,

  * ^.*name=whatever

is needless makework, in that we are anchoring left, then saying "but
go as far to the right as we need to go." So just drop the anchor:


  * name=whatever



Done. I changed it to:

# Doom, etc. viruses (this chunks all messages this size and zip attachment)
# The "." before "*" is required: "name=*\.zip" would mean "name" followed
# by zero or more "=" and then ".zip", which never matches name="file.zip".
:0 B
* > 3000
* < 40000
* name=.*\.zip
/home/mail/virus

With VSnag 1.6.1 you could look for $EXT=zip instead.


  * EXT ?? ^^zip^^



I used the size thing instead of VSnag zip captures because when this
was working (well) I was sending to /dev/null.  That is after I saw
that 99% of the messages were viruses.  I've advised users and do have
one particular incoming regular message that's zipped I whitelist
prior to VSnag.  At least with the size recipe I don't toss ALL of the
zips, just a subset of them.


In about a day, maybe two, you'll be able to download VSnag ver. 2.0,
which will handle this more elegantly.

Will do, I was already using 1.61

I didn't get any today, maybe it was a fluke.  I doubt it. :-(

Thanks again to you, Nancy and all for the help as always,
Scott
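Added example, not part of the original thread or of VSnag: a small Python emulation of the three conditions in the recipe above, written to show the two points the thread turns on. First, the size conditions `* > 3000` / `* < 40000` are applied to the whole message, headers included, even with the `B` flag, so a body just under the cap plus a long Received: trail fails `< 40000` unless the conditions are written `* B ?? < 40000`. Second, a pattern written `name=*\.zip` (no `.` before `*`) means "name, zero or more `=`, then `.zip`" and never matches `name="document.zip"`, which is exactly what a `No match on "name=*\.zip"` log line would reflect; `name=.*\.zip` does match. This is not procmail itself: it approximates procmail's egrep-style, case-insensitive matching with Python's `re`, and the messages, addresses and hostnames are constructed for the example.

```python
import re

# Size bounds from the recipe in the thread.
MIN_SIZE, MAX_SIZE = 3000, 40000

# The attachment condition as posted after dropping the "^.*" anchor, next
# to the corrected form.  In an egrep-style regex "=*" means "zero or more
# '='", so the first pattern can only match text like "name.zip" or
# "name=.zip" and never the usual  name="something.zip".
BROKEN_ATTACH_RE = r"name=*\.zip"
FIXED_ATTACH_RE = r"name=.*\.zip"


def split_message(msg):
    """Split a message into (header block, body) at the first blank line."""
    head, sep, body = msg.partition("\n\n")
    return head + sep, body


def evaluate_recipe(msg, attach_re, size_on_body_only=False):
    """Emulate the three conditions of the ':0 B' recipe from the thread.

    The regex condition is matched against the body only (that is what the
    B flag does).  The two size conditions are applied to the whole
    message, headers included, unless size_on_body_only is True, which
    models writing them as '* B ?? > 3000' and '* B ?? < 40000'.
    Procmail matches case-insensitively by default, so IGNORECASE is used.
    Returns (trapped, {condition: matched}).
    """
    _headers, body = split_message(msg)
    size_subject = body if size_on_body_only else msg
    results = {
        f"> {MIN_SIZE}": len(size_subject) > MIN_SIZE,
        f"< {MAX_SIZE}": len(size_subject) < MAX_SIZE,
        attach_re: re.search(attach_re, body, re.IGNORECASE) is not None,
    }
    return all(results.values()), results


def make_message(filler_len, extra_received_lines=0):
    """Build a constructed MIME message carrying a .zip attachment.

    filler_len sets the length of the (fake) base64 payload; the
    extra_received_lines parameter grows the header block independently of
    the body.  Addresses and hostnames are invented for the example.
    """
    received = [
        f"Received: from relay{i}.example.invalid (constructed) with SMTP id X{i:04d}"
        for i in range(extra_received_lines)
    ]
    headers = received + [
        "From: sender@example.invalid",
        "To: scott@virtual.example.invalid",
        "Subject: your document",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="BOUNDARY"',
    ]
    body = [
        "--BOUNDARY",
        'Content-Type: application/octet-stream; name="document.zip"',
        "Content-Transfer-Encoding: base64",
        "",
        "A" * filler_len,  # stands in for the base64-encoded zip
        "--BOUNDARY--",
        "",
    ]
    return "\n".join(headers) + "\n\n" + "\n".join(body)


def demo():
    """Run the two cases discussed in the thread and return the verdicts."""
    typical = make_message(8000)
    # Body just under the cap, plus a long Received: trail in the headers.
    near_cap = make_message(MAX_SIZE - 300, extra_received_lines=10)
    return {
        "typical_fixed_regex": evaluate_recipe(typical, FIXED_ATTACH_RE)[0],
        "typical_broken_regex": evaluate_recipe(typical, BROKEN_ATTACH_RE)[0],
        "near_cap_whole_message_size": evaluate_recipe(near_cap, FIXED_ATTACH_RE)[0],
        "near_cap_body_only_size": evaluate_recipe(
            near_cap, FIXED_ATTACH_RE, size_on_body_only=True)[0],
    }


if __name__ == "__main__":
    for case, trapped in demo().items():
        print(f"{case}: {'trapped' if trapped else 'passed through'}")
```

Running it shows the typical message trapped with `name=.*\.zip` and passed through with `name=*\.zip`, and the near-cap message passed through when the size is taken over the whole message but trapped when the size conditions are scoped to the body. The same check can be done against real procmail with `procmail -m VERBOSE=yes rcfile < message`, which prints the per-condition `Match on` / `No match on` lines seen in the thread.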



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail