
Re: Procmail question-



On Mon, May 08, 2000 at 02:39:47PM -0800, Adam Shand wrote:
> 
> > Well there is a problem with this rule, it searches the entire email for
> > VBS.  All I want it to search for is the attachment of a file name with
> > the extension of .vbs.  Okay, can this be done?  I'm sure it can, just I can
> > not find any info on how to make it do this.  Can someone purdy please
> > help me :)
> 
> procmail doesn't understand mime so there is no way to tell it "delete
> attachments which end with .vbs".  however what you can do is use a rule
> like the below one.  we've been using this rule since the virus came out and
> it's been working pretty well (caught almost 500 copies of it).

true.  procmail ain't ideal for this, but it's the best tool around
without loading perl on every MIME'd mail.

> :0
> * < 50000
> {
> 
>         :0 B:
>         * .*(name=.*\.vbs|spyder@imail\.com).*
>         /share/etc/ILOVEYOU
> }

I find this one is a bit safer (though slightly more complex) -- note
that your filter will match your mail as well as this one.

:0
*^Content-type: (multipart/mixed|application/octet-stream)
{
    :0 B
    *^Content-Disposition: (attachment|inline);
    *filename=".*\.(vbs|wsf)"
    {
       :0 fbw
       |/usr/bin/sed -e 's/\([nN][aA][mM][eE]=".*\.[vV][bB][sS]\)"/\1.txt"/' \
                     -e 's/\([nN][aA][mM][eE]=".*\.[wW][sS][fF]\)"/\1.txt"/'

    }
}

This will rename 'foo.vbs' to 'foo.vbs.txt', which breaks the
auto-execution.  It's relatively lightweight, so you can leave it in
(sadly, I still pick up a couple of happy99's a day still).

-- 
Brian Moore                       | Of course vi is God's editor.
      Sysadmin, C/Perl Hacker     | If He used Emacs, He'd still be waiting
      Usenet Vandal               |  for it to load on the seventh day.
      Netscum, Bane of Elves.
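
Added example, not part of the original message or of procmail: since the thread notes that procmail does not understand MIME, this Python filter parses the message and applies the same rename (append .txt to .vbs/.wsf names) to each part's filename= and name= parameters, whether quoted, unquoted or RFC 2231-encoded. The names defang, BLOCKED, PARAMS and SAMPLE are assumptions of this example, and the sample message is constructed.

```python
#!/usr/bin/env python3
"""MIME-aware counterpart to the sed rename (added example, not from the thread)."""
import email
import sys
from email.utils import collapse_rfc2231_value

BLOCKED = (".vbs", ".wsf")          # the extensions the recipe above rewrites
PARAMS = (("Content-Disposition", "filename"), ("Content-Type", "name"))

def defang(raw: bytes):
    """Return (rewritten message bytes, list of original names renamed)."""
    msg = email.message_from_bytes(raw)
    renamed = []
    for part in msg.walk():
        for header, param in PARAMS:
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # Decodes RFC 2231 values; plain strings pass through unchanged.
            name = collapse_rfc2231_value(value).strip()
            base = name.rstrip(" .")   # Windows drops trailing dots/spaces
            if base.lower().endswith(BLOCKED):
                part.set_param(param, base + ".txt", header=header)
                renamed.append(name)
    return msg.as_bytes(unixfrom=msg.get_unixfrom() is not None), renamed

# Constructed sample: quoted, unquoted mixed-case, and harmless attachments.
SAMPLE = b"""\
From: a@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="letter.TXT.vbs"
Content-Disposition: attachment; filename="letter.TXT.vbs"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=Report.WSF

x
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

x
--b1--
"""

if __name__ == "__main__":          # filter mode: message on stdin, result on stdout
    out, _ = defang(sys.stdin.buffer.read())
    sys.stdout.buffer.write(out)
```

It reads a message on stdin and writes the result to stdout, so it can take the place of the sed command in a procmail filter action.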

