On Wed, 28 Jul 2004 17:54:24 -0600, Justin Gombos
<mindfuq(_at_)zianet(_dot_)com> wrote:
> Looks good to me, but if it fails, my first suspicion would be the
> conditional "* B ?? name=.*\.zip", because an attached file is not
> necessarily going to be following well-formed MIME standards.
> I would expect malicious payloads to have filenames like:
> "click_here.zip .exe"
> and I don't believe they necessarily need to have the "name=" string
> either.
The post in question had exactly this:
------=_NextPart_000_0001_FF3A66FA.F77494A2
Content-Type: application/octet-stream;
name="kreme(_at_)kreme(_dot_)com(_dot_)zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="kreme(_at_)kreme(_dot_)com(_dot_)zip"
looking at the raw source of the message. It SHOULD have matched, right?
I suppose I will have to extract that email from the mbox and start
throwing it at /etc/procmailrc manually...
--
gkreme at gmail or kreme at kreme or syth at mac
:: Don't get saucy with me, Bernaise ::
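As an added illustration (not from the original thread or from procmail itself), the Python below rebuilds the attachment part quoted above inside a constructed message and compares the loose `name=.*\.zip` body test with a check on the parsed, real extension; the two variants, the padded "click_here.zip .exe" name and an attachment carrying only an RFC 2231 `filename*=` parameter, are constructed to show the cases Justin raises. Envelope headers and the base64 payload are made up; the boundary is the one seen in the quoted part.

```python
import email
import re
from email import policy

BOUNDARY = "----=_NextPart_000_0001_FF3A66FA.F77494A2"   # boundary seen in the thread

def build_message(part_headers: str) -> str:
    """Wrap one attachment part (given as its MIME header lines) in a constructed
    multipart message; the envelope headers are made up for this example."""
    return (
        "From: sender@example.invalid\nTo: kreme@kreme.com\nSubject: test\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n\n'
        f"--{BOUNDARY}\nContent-Type: text/plain\n\nhello\n"
        f"--{BOUNDARY}\n{part_headers}\nContent-Transfer-Encoding: base64\n\n"
        f"UEsDBAoAAAAAAA==\n--{BOUNDARY}--\n"
    )

# The part quoted in the thread (addresses de-obfuscated), name= on a folded line.
AS_POSTED = ('Content-Type: application/octet-stream;\n'
             '        name="kreme@kreme.com.zip"\n'
             'Content-Disposition: attachment;\n'
             '        filename="kreme@kreme.com.zip"')
# Constructed: the padded double extension Justin describes.
PADDED = 'Content-Type: application/octet-stream; name="click_here.zip .exe"'
# Constructed: no name= at all, only an RFC 2231 encoded filename*= parameter.
NO_NAME = ("Content-Type: application/octet-stream\n"
           "Content-Disposition: attachment; filename*=utf-8''report.zip")

LOOSE = re.compile(r'name=.*\.zip')   # the body condition from the recipe under discussion

def loose_match(raw: str) -> bool:
    """procmail-style test: 'name=' followed later on the same line by '.zip'."""
    return any(LOOSE.search(line) for line in raw.splitlines())

def attachment_names(raw: str) -> list[str]:
    """Filenames of every leaf part, taken from filename= or, failing that, name=."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]

def real_extension(name: str) -> str:
    """Last extension after trimming padding: 'click_here.zip .exe' -> 'exe'."""
    _stem, dot, ext = name.strip().rpartition('.')
    return ext.strip().lower() if dot else ''

def zip_attachments(raw: str) -> list[str]:
    """Parts whose real extension is .zip, however the name was supplied."""
    return [n for n in attachment_names(raw) if real_extension(n) == 'zip']

if __name__ == "__main__":
    for label, part in (("as posted", AS_POSTED), ("padded", PADDED), ("no name=", NO_NAME)):
        raw = build_message(part)
        print(label, "loose:", loose_match(raw), "zip:", zip_attachments(raw))
```

The quoted part does satisfy the loose test, so a failure would have to come from elsewhere in the recipe; the padded name also satisfies it despite really being .exe, and the `filename*=` variant slips past it entirely while the parser still recovers the name.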
____________________________________________________________
procmail mailing list
Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail