On Sun, Jul 22, 2007 at 02:02:17PM -0400, fleet(_at_)teachout(_dot_)org wrote:
> Look at the first five (or so) characters in base64 encoding. Encoding
> for a PDF file seems to start always with 'JVBER'. One can also identify
> GIF, JPG, PNG, etc. the same way.
>
> So something like:
>
> :0B
> * ^JVBER
> PDF-junk

Yes, but I find that unnecessary. Look above that:

--------------020204060805040202060003
Content-Type: application/pdf;
 name="Agreement.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="Agreement.pdf"

JVBERi0xLjEKJeLjz9MKMSAwIG9iaiAKPDwKL1BhZ2VzIDIgMCBSCi9UeXBlIC9DYXRhbG9nCj4+

Easier to just kill based on "name=.*\.pdf".

Also, you could ensure that the file even has an attachment
before you bother grepping the body. Saves a lot of overhead
that way.

:0:
* 9876543210 ^0 ^Content-Type:.*(attachment|multipart)
* 9876543210 ^0 ^FROM_MAILER
* B ?? ^Content-.*^[ ]+filename=".*[.]pdf"
PDF-junk

In Virus Snaggers(tm), I simply added PDF to the list of
$NASTY_EXT in vsnag.myvars, and it was over. Vsnag runs
after my whitelists.
Dallman
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
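
Added example, not part of the original post and not code from procmail or Virus Snaggers: the two checks discussed in the thread (the declared name/type and the 'JVBER' base64 prefix, which is just the encoding of the leading bytes "%PDF-") applied to each MIME part with Python's standard email module. The sample message, its filenames and the function names are constructed for illustration.

```python
import base64
from email import message_from_string
from email.message import EmailMessage

PDF_MAGIC = b"%PDF-"  # a PDF file begins with these bytes

def b64_prefix(magic: bytes) -> str:
    """Base64 characters that are fully determined by the leading bytes `magic`."""
    return base64.b64encode(magic).decode()[: len(magic) * 8 // 6]

def classify_parts(raw: str):
    """Return (filename, named_as_pdf, content_is_pdf) for each leaf MIME part."""
    results = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        named = (name.lower().endswith(".pdf")
                 or part.get_content_type() == "application/pdf")
        payload = part.get_payload(decode=True) or b""
        results.append((name, named, payload.startswith(PDF_MAGIC)))
    return results

def sample_message() -> str:
    """Constructed sample message; every attachment body is made up."""
    pdf = b"%PDF-1.4\n% constructed sample body\n"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="Agreement.pdf")
    msg.add_attachment(b"GIF89a constructed", maintype="application",
                       subtype="octet-stream", filename="notes.pdf")
    msg.add_attachment(pdf, maintype="application",
                       subtype="octet-stream", filename="scan.dat")
    return msg.as_string()

if __name__ == "__main__":
    print("base64 prefix for PDF:", b64_prefix(PDF_MAGIC))
    for name, named, content in classify_parts(sample_message()):
        print(f"{name or '(body)':15} named_as_pdf={named!s:5} content_is_pdf={content}")
```

Parts where the two flags disagree are the ones a filter keyed on only the name or only the body prefix would classify differently.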