procmail

Problem with MS "update" spam

2005-05-24 08:06:15
Hi all,

I've been running a procmail rule for a long time now that upon finding
certain attachments sends the email through demime and thus removes the
attachment and any other embedded coding. Of late, however, the filter has been
missing on newer MS "security patch" emails and I can't figure out why.

Here is the filter part:
=============
# extensions that we want to never see come through
:0
*^Content-type: (multipart/mixed|multipart/alternative|application)
{
    :0 HB
    *^Content-Disposition: (attachment|inline);
    *filename=".*\.(ad[ep]|asd|ba[st]|c[ho]m|cmd|cpl|crt|dbx|dll|exe|hlp|hta|in[fs]|isp|itms|jar|js|js[fe]|lnk|ocx|md[etw]|ms[cipt]|nws|ocx|ops|pcd|pi|pif|prf|reg|scf|scr|sct|sh[bms]|swf|uue|vb|vb[esx]|vxd|wab|ws[cfh])"
    {
==============

The only clue I have is that the emails that are passing have the following
in the body:
==============
Content-Transfer-Encoding: base64
Content-Disposition: attachment

   .exe    %s\%s   .zip    ; name="    msdownload  compressed  
Content-Type: application/x-  --

--    >
===============

The above is directly from the email contents (from the Outlook .eml file)
but I'm not sure how accurate it is. When I forward the message to myself
the filter works perfectly and I get the following: "[demime 1.01e removed an
attachment of type application/x-msdownload which had a name of
upgrade1327.exe]". So the filter does seem to work but I'm not sure why it
won't on the first pass.

Suggestions and any help would be appreciated.

Thanks.

Paul Pettit
CTO and IS Manager
Consistent Computer Bargains Inc.

I've heard it said that the proof of lunacy is when you repeat the same
steps expecting different results.  I say it's proof that you're a Microsoft
user. - comment by deshi777 on experts-exchange.com
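
Added example (not part of the original post and not the poster's code): a Python harness that approximates the recipe's three conditions with Python's `re` module and runs them against two constructed messages, so each condition can be checked on its own. The second sample follows the fragment quoted in the post (a bare `Content-Disposition: attachment`, with `name=` on the Content-Type line); that this is what the missed mails look like is an assumption, and `upgrade1327.exe` is the name from the demime notice.

```python
import re

# Approximation of procmail's egrep-style matching: case-insensitive,
# '^' anchors at the start of any line, '.' does not cross a newline.
FLAGS = re.IGNORECASE | re.MULTILINE

EXTS = (r"ad[ep]|asd|ba[st]|c[ho]m|cmd|cpl|crt|dbx|dll|exe|hlp|hta|in[fs]|isp|"
        r"itms|jar|js|js[fe]|lnk|ocx|md[etw]|ms[cipt]|nws|ocx|ops|pcd|pi|pif|"
        r"prf|reg|scf|scr|sct|sh[bms]|swf|uue|vb|vb[esx]|vxd|wab|ws[cfh]")

OUTER = re.compile(
    r"^Content-type: (multipart/mixed|multipart/alternative|application)", FLAGS)
DISPOSITION = re.compile(r"^Content-Disposition: (attachment|inline);", FLAGS)
FILENAME = re.compile(r'filename=".*\.(' + EXTS + r')"', FLAGS)


def evaluate(header, body):
    """Report which of the recipe's three conditions match this message."""
    both = header + "\n" + body  # the inner recipe carries the HB flags
    return {
        "outer": bool(OUTER.search(header)),  # no flags: header only
        "disposition": bool(DISPOSITION.search(both)),
        "filename": bool(FILENAME.search(both)),
    }


def would_filter(header, body):
    """True only if every condition matches, i.e. the demime block is reached."""
    return all(evaluate(header, body).values())


# Constructed sample input, not taken from a real message.
HEADER = 'Subject: test\nContent-Type: multipart/mixed; boundary="b1"\n'
BODY_WITH_FILENAME = (
    "--b1\n"
    'Content-Type: application/x-msdownload; name="upgrade1327.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="upgrade1327.exe"\n'
    "\nQUJD\n--b1--\n")
BODY_NAME_ONLY = (
    "--b1\n"
    'Content-Type: application/x-msdownload; name="upgrade1327.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment\n"
    "\nQUJD\n--b1--\n")

if __name__ == "__main__":
    for label, body in (("with filename=", BODY_WITH_FILENAME),
                        ("name= only", BODY_NAME_ONLY)):
        print(label, evaluate(HEADER, body), would_filter(HEADER, body))
```

Saving a missed message's raw source and passing its header and body to `evaluate` shows which condition fails on the first pass.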


