Re: Procmail question-
On Mon, May 08, 2000 at 02:39:47PM -0800, Adam Shand wrote:
>
> > Well there is a problem with this rule, it searches the entire email for
> > VBS. All i want it to search for is the attachment of a file name with
> > the extension of .vbs Okay can this be done? Im sure it can, just i can
> > not find any info on how to make it do this. Can someone purdy please
> > help me :)
>
> procmail doesn't understand mime so there is no way to tell it "delete
> attachments which end with .vbs". however what you can do is use a rule
> like the below one. we've been using this rule since the virus came out and
> it's been working pretty well (caught almost 500 copies of it).
true. procmail ain't ideal for this, but it's the best tool around
without loading perl on every MIME'd mail.
> :0
> * < 50000
> {
>
> :0 B:
> * .*(name=.*\.vbs|spyder@imail\.com).*
> /share/etc/ILOVEYOU
> }
I find this one is a bit safer (though slightly more complex) -- note
that your filter will match your mail as well as this one.
:0
*^Content-type: (multipart/mixed|application/octet-stream)
{
:0 B
*^Content-Disposition: (attachment|inline);
*filename=".*\.(vbs|wsf)"
{
:0 fbw
|/usr/bin/sed -e 's/\([nN][aA][mM][eE]=".*\.[vV][bB][sS]\)"/\1.txt"/' \
-e 's/\([nN][aA][mM][eE]=".*\.[wW][sS][fF]\)"/\1.txt"/'
}
}
This will rename 'foo.vbs' to 'foo.vbs.txt', which breaks the
auto-execution. It's relatively lightweight, so you can leave it in
(sadly, I still pick up a couple of happy99's a day still).
--
Brian Moore | Of course vi is God's editor.
Sysadmin, C/Perl Hacker | If He used Emacs, He'd still be waiting
Usenet Vandal | for it to load on the seventh day.
Netscum, Bane of Elves.
Reply to: