I've developed and successfully used an "active attachment" procmail
filter based on several cycles thru this list quite some time back. I think
it's similar to several other filters I've seen others develop and it's
certainly based on others' ideas from here. This week it captured something
it shouldn't and I need a bit of help fine-tuning the condition so that it
doesn't do that again. <damn!>.

Here's [slightly edited] what tripped it in the message body after
determining that it was a multi-part message:

------=_NextPart_000_0007_01C4166D.E73EB7B0
Content-Type: text/x-vcard;
name="H. Robert Yoyo (someuser(_at_)example(_dot_)com).vcf"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="H. Robert Yoyo (someuser(_at_)example(_dot_)com).vcf"

which matched:

VIRUSPGM = '[^"]+\.\
(asd|bat|cpl|chm|com|cmd|dbx|dll|dot|eml|exe|hlp|hta|jse?|key|lnk|ocx|\
mbx|mmf|nch|ocs|pif|reg|scr|sh[bs]|tbb|vb[se]?|ws[fhe]|{[-0-9a-f]+})'
TEMP = "^Content-${NONSPACETAB}+:${WS}[^;]+;(\>)*(file)?name${WS}=${WS}${DQ}?"

:0
* BLOCK_THIS ?? ^^^^
* $ $OR ${TEMP}\/${VIRUSPGM}
* $ $STOP ! CTYPE ?? (attachment|multipart)
* $ B ?? $OR ${TEMP}\/${VIRUSPGM}
{ BLOCK_THIS="Active attachment trap: ${MATCH}" }

MATCH was set to "H. Robert Yoyo (someuser(_at_)example(_dot_)com"

I can't stop the "creative" users, so I need to figure out a way to
fine-tune my filter to more closely check the trailing part of the Content
string. It feels like it ought to be easy, like checking for the EOL, but
somehow I'm a bit unsure about that. Help?
TIA,
- Don
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
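
Added example, not part of the original post and not a procmail recipe: a Python approximation of the two patterns above that reproduces the false positive and compares it with one possible tightening, where the extension must be the last thing in the filename. Assumptions: the address in the filename is written un-obfuscated as someuser@example.com, `\s*` stands in for procmail's `(\>)*`, and `TAIL`, `part` and `trapped` are hypothetical names introduced here.

```python
import re

# Extension alternation copied from the post's VIRUSPGM.
EXT = (r'(?:asd|bat|cpl|chm|com|cmd|dbx|dll|dot|eml|exe|hlp|hta|jse?|key|lnk|'
       r'ocx|mbx|mmf|nch|ocs|pif|reg|scr|sh[bs]|tbb|vb[se]?|ws[fhe]|'
       r'\{[-0-9a-f]+\})')
# Approximation of the post's TEMP (header name, first parameter, name=).
PREFIX = r'^Content-[^ \t]+:[ \t]*[^;]+;\s*(?:file)?name[ \t]*=[ \t]*"?'
# Assumed tightening: after the extension allow only trailing dots/blanks
# (Windows ignores them), an optional closing quote, then ';' or end of line.
TAIL = r'[. \t]*"?[ \t]*(?:;|$)'

FLAGS = re.I | re.M  # procmail matches case-insensitively by default
LOOSE = re.compile(PREFIX + r'([^"]+\.' + EXT + r')', FLAGS)
STRICT = re.compile(PREFIX + r'([^"]+\.' + EXT + r')' + TAIL, FLAGS)

def part(filename):
    """Constructed MIME part headers shaped like the ones in the post."""
    return ('Content-Type: application/octet-stream;\n'
            f'\tname="{filename}"\n'
            'Content-Transfer-Encoding: base64\n'
            'Content-Disposition: attachment;\n'
            f'\tfilename="{filename}"\n')

def trapped(pattern, filename):
    """Return the text the pattern would put in MATCH, or None if no hit."""
    m = pattern.search(part(filename))
    return m.group(1) if m else None

# Constructed sample filenames: the vCard from the post, two more names
# with a listed extension in the middle, and three real active attachments.
SAMPLES = [
    'H. Robert Yoyo (someuser@example.com).vcf',
    'report.command',
    'notes.txt',
    'invoice.pdf.exe',
    'update.scr.',
    'Setup.EXE',
]

if __name__ == '__main__':
    for name in SAMPLES:
        print(f'{name!r:50} loose={trapped(LOOSE, name)!r} '
              f'strict={trapped(STRICT, name)!r}')
```

The loose pattern stops at the first backtracking point where a dot is followed by a listed extension, so `.com` inside the address is enough; the anchored tail rejects it because `)` follows, while double extensions and trailing-dot names are still caught.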