procmail

Re: /etc/procmailrc recipe to mark zip attachments

2004-07-28 17:03:22
* Google Kreme <gkreme(_at_)gmail(_dot_)com> [2004-07-28 15:39]:
I added this to my /etc/procmailrc a few weeks ago:


# $SUBJECT is assumed to have been assigned earlier in /etc/procmailrc
:0 fw
* ^FROM_DAEMON
* > 20480
| formail -I"Subject: [WARNING, large daemon bounce] $SUBJECT"

# E: only tried if the recipe above did not match
:0 Efw
* > 4000
* < 80000
* B ?? name=.*\.zip
| formail -I"Subject: [WARNING: possible zip virus file] $SUBJECT"

However, I am still getting 20-40KB zip viruses without any warning
getting written to the subject.  I have recently added VERBOSE tags
around this pair of recipes, but haven't, of course, gotten one of
these viruses yet.

Looks good to me, but if it fails, my first suspicion would be the
conditional "* B ?? name=.*\.zip", because an attached file is not
necessarily going to be following well-formed MIME standards.

I would expect malicious payloads to have filenames like:

"click_here.zip                 .exe"

and I don't believe they necessarily need to have the "name=" string
either.

I have an autoresponder for people that email me Micro$oft word docs,
and had to use fuzzy logic to detect them:
  
  # Weighted scoring: the recipe fires only when the total is positive.
  # The three 70-point conditions (210) must all match, and then either
  # the application/msword Content-Type (30) or all three 10-point clues
  # are needed to beat the -230 starting bias.  $MYSELF and $ORIG_MSG are
  # assumed to be set earlier in the rc file.
  :0 c: captureorigmsg.lock
  * -230^0
  *   10^0 B ?? Content-Disposition: attachment
  *   10^0 B ?? (file)?name=.*\.doc
  *   10^0 B ?? >15000
  *   30^0 B ?? Content-Type: application/msword
  *$  70^0  ^TO_.*\/$MYSELF
  *$  70^0 !^X-Loop: $MATCH
  *   70^0 !^FROM_DAEMON
  | (echo "---Original Message---"; \
     formail -X "From:" \
             -X "To:" \
             -X "Subject:"; \
     echo) > $ORIG_MSG
  
That's only the first portion of my autoresponder (which is not
polished), but it should give you an idea of ways to detect
attachments.

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
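An added example, not from the thread, of applying the weighted-scoring approach used in the autoresponder above to the original zip problem. As in the posted recipes it assumes that $SUBJECT has been assigned earlier in /etc/procmailrc; the weights and the 4000..80000 size window are illustrative choices. The last condition goes beyond what the thread discusses: every zip file starts with the bytes PK\003\004, which base64 encode to the text UEsDB, so the attachment can be recognised from its body even when there is no name= parameter at all.

```procmail
# Added example: score several independent signs of a zip attachment
# rather than relying on a single "name=" match.  $SUBJECT is assumed to
# have been assigned earlier in /etc/procmailrc, as in the posted recipes.
#
# Score sheet (the inner recipe fires only when the total is positive):
#   -25  starting bias (the empty condition always matches)
#   +10  a Content-Disposition: attachment header in the body
#   +20  a name= or filename= parameter ending in .zip, quoted or not,
#        so "click_here.zip        .exe" is still caught
#   +20  a zip MIME type
#   +30  a base64 body line starting with UEsDB, i.e. the bytes PK\003\004
#        that begin every zip file (catches a zip with no name= at all)
# Any two of the first three clues, or the PK signature alone, push the
# total above zero; no single header clue does.

:0
* > 4000
* < 80000
{
  :0 fw
  * -25^0
  *  10^0 B ?? ^Content-Disposition:.*attachment
  *  20^0 B ?? (file)?name="?[^"]*\.zip
  *  20^0 B ?? ^Content-Type:.*application/(zip|x-zip-compressed)
  *  30^0 B ?? ^UEsDB
  | formail -I"Subject: [WARNING: possible zip virus file] $SUBJECT"
}
```

The outer recipe keeps the size test as a hard gate and only the inner one does the scoring, so there is no question of how unweighted and weighted conditions combine. If this replaces the second recipe of the original pair, keep the E flag on the outer recipe (:0 E) so it still runs only when the daemon-bounce recipe did not match. procmail matches case-insensitively unless the D flag is given, so ^UEsDB also matches a text line that merely begins with those five letters in any capitalisation; add D to the inner recipe if that is a concern, at the cost of making the header checks case-sensitive as well. A zip sent quoted-printable or uuencoded will not trip the signature condition and has to be caught by the header clues.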
