procmail

Re: Filtering MS-Office Attachments

2009-07-02 14:24:36
Thomas Goebel writes:

I want to add a filter which sends an auto-reply if there are
MS-Office files attached to the mail ...

    ###############################################################################
    #
    # Folded whitespace, (the characters between the block braces are a
    # tab character, hex 09, followed by a space character, hex 20):
    #
    ws='[	 ]*($[	 ]+)*'
    #
    ###############################################################################
    #
    # Double quote:
    #
    dq='"'
    #
    # End of Line, (used in conditions with variable substitution):
    #
    eol='$'
    #
    ###############################################################################
    #
    # List of Microsoft file name extensions that are potentially
    # malicious executables:
    #
    ext='(a(d[ep]|r[cj]|s[dmxp]|u|vi)|b(a[st]|mp|z[0-9]?)|c(a(b|n)|hm|il|lass|md|om|(p[lp]|\+\+)?|rt|sv)|\
          d(at|e?b|ll|o[ct])|e(ml|ps?|xe)|g(if|z?)|h(lp|t(a|ml?)|(pp|\+\+)?)|i(n[cfis]|sp)|\
          j(ava|pe?g|se?|sp|tmpl)|kbf|l(ha|nk|og|yx)|m(d[abew]|p(e?g|[32])|s[cipt])|ocx|\
          p(a(tch|s)|c[dsx]|df|h(p[0-9]?|tml?)|if|[lm?]|n[gm]|[po][st]|p?s)|r(a[mr]|eg|pm|tf)|\
          s(c[rt]|h([bs]|tml?)|lp|ql|ys)?|t(ar|ex|gz|iff?|xt)|u(pd|rl|x)|vb[es]?|\
          w(av|m[szd]|p(d|[0-9]?)|s[cfh])|x(al|[pb]m|l[stw])|z(ip|oo))'
    #
    ###############################################################################
    #
    # Check message headers:
    #
    :0
    * 2147483647^0 $ ^content-type:${ws}(multipart/(mixed|alternative|application|signed|encrypted))|(application/)
    * 2147483647^0 $ ^content-disposition:${ws}attachment;${ws}.*name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}${eol}
    * 2147483647^0 $ ^content-transfer-encoding:${ws}base64
    { MALICIOUS=true }
    #
    # If that fails, check message body:
    #
    :0 BE
    * -3^0
    * 4^0 $ name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}${eol}
    * 4^0 $ begin${ws}[0-9]+${ws}.*\.${ext}(\..*)?${ws}${eol}
    * 4^0 $ ^content-type:${ws}application/
    * 4^0 $ ^content-transfer-encoding:${ws}base64
    * 2^0 [<](!doctype|[sp]?h(tml|ead)|title|body)
    * 2^0 [<](app|bgsound|div|embed|form|i?l(ayer|ink)|img|i?frame(set)?|meta|object|s(cript|tyle))
    * 2^0 =3d
    { MALICIOUS=true }
    #
    ###############################################################################

works for me.    

    John

-- 

John Conover, conover(_at_)rahul(_dot_)net, http://www.johncon.com/
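
To check which attachment names the `ext` list and the `name=` condition in the recipe above actually catch, the pattern can be ported to another regex engine and run over sample header lines. The Python harness below is an added example, not part of the original post: the header lines are constructed, and the port assumes procmail's default case-insensitive matching, writes procmail's `$` as a newline, and joins the `ext` continuation lines with their leading whitespace dropped.

```python
import re

# Extension alternation copied from the recipe's ext variable; continuation
# lines are joined with their leading whitespace dropped (assumption).
EXT = (
    r'(a(d[ep]|r[cj]|s[dmxp]|u|vi)|b(a[st]|mp|z[0-9]?)|c(a(b|n)|hm|il|lass|md|om|(p[lp]|\+\+)?|rt|sv)|'
    r'd(at|e?b|ll|o[ct])|e(ml|ps?|xe)|g(if|z?)|h(lp|t(a|ml?)|(pp|\+\+)?)|i(n[cfis]|sp)|'
    r'j(ava|pe?g|se?|sp|tmpl)|kbf|l(ha|nk|og|yx)|m(d[abew]|p(e?g|[32])|s[cipt])|ocx|'
    r'p(a(tch|s)|c[dsx]|df|h(p[0-9]?|tml?)|if|[lm?]|n[gm]|[po][st]|p?s)|r(a[mr]|eg|pm|tf)|'
    r's(c[rt]|h([bs]|tml?)|lp|ql|ys)?|t(ar|ex|gz|iff?|xt)|u(pd|rl|x)|vb[es]?|'
    r'w(av|m[szd]|p(d|[0-9]?)|s[cfh])|x(al|[pb]m|l[stw])|z(ip|oo))'
)

# ws from the recipe: runs of tab/space, optionally folded onto continuation
# lines. procmail's '$' (a newline) is written as \n here.
WS = r'[\t ]*(?:\n[\t ]+)*'

# Port of: name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}${eol}
# re.I mirrors procmail's default case-insensitive matching.
NAME_RE = re.compile(
    r'name' + WS + r'=' + WS + r'".*\.' + EXT + r'(\..*)?"' + WS + r'$',
    re.I | re.M,
)

def flagged(text):
    """Return True if the ported name= condition matches anywhere in text."""
    return NAME_RE.search(text) is not None

# Constructed sample header lines (not taken from real mail).
SAMPLES = [
    'Content-Disposition: attachment; filename="report.doc"',
    'Content-Disposition: attachment; filename="budget.xls"',
    'Content-Disposition: attachment; filename="slides.ppt"',
    'Content-Disposition: attachment; filename="REPORT.DOC"',
    'Content-Type: application/msword; name =\n\t"report.doc"',  # folded header
    'Content-Disposition: attachment; filename="report.docx"',
    'Content-Disposition: attachment; filename="macro.xlsm"',
    'Content-Disposition: attachment; filename="deck.pptx"',
]

def coverage(samples=SAMPLES):
    """Map each sample line to whether the condition flags it."""
    return {line: flagged(line) for line in samples}

if __name__ == '__main__':
    for line, hit in coverage().items():
        print('FLAGGED' if hit else 'passed ', repr(line))
```

On these samples the `.doc`, `.xls` and `.ppt` names are flagged while `.docx`, `.xlsm` and `.pptx` are not, because the condition requires the extension to be followed directly by the closing quote or a further dot.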