Procmail filter question

I want to filter out messages from a worm. The messages are of the
form:

Subject: re[12]

Perhaps you recognize it?

I am unsure whether 2 digits are always used.

I do not want to filter out anything that does not have that form.

What can I use for a filter?

Also, I've tried to filter on the contents of attachments, but those
seem to be ignored. Is there a way to force procmail to include
attachments?

Thanks!

Re: Procmail filter question

On comp.mail.misc, in
<1116370884.247695.142780@f14g2000cwb.googlegroups.com>,
"nooneinparticular314159@yahoo.com" wrote:

> I want to filter out messages from a worm. The messages are of
> the form:
>
> Subject: re[12]
>
> Perhaps you recognize it?
>
> I am unsure whether 2 digits are always used.
>
> I do not want to filter out anything that does not have that
> form.

Filtering on Subject lines is not a good idea. (Except if you
are looking for a password, or something else you specifically
asked for). It's just impossible to predict what some crazy
friend of yours might put on the Subject line...

But if you REALLY want to:

:0
* ^Subject: re\[[0-9][0-9]\]
/dev/null

>
> What can I use for a filter?
>
> Also, I've tried to filter on the contents of attachments, but
> those seem to be ignored.

:0 B

tells procmail to egrep the body.

The default behavior is to just egrep the headers.

> Is there a way to force procmail to
> include attachments?
>
> Thanks!
>

Read the fucking manpages! Procmail's are excellent.

man procmail procmailrc procmailex procmailsc

See this webpage too:

http://www.uwasa.fi/~ts/info /proctips.html

Then search the Usenet Archives for this group at:

http://groups.google.com/advanced_group_search

for tons of procmail FAQs and the like.

AC


--
alanconnor AT earthlink DOT net
Use your real return address or I'll never know you
even tried to mail me. http://tinyurl.com/2t5kp

Re: Procmail filter question

* nooneinparticular314159@yahoo.com wrote:
> I want to filter out messages from a worm. The messages are of the
> form:
>
> Subject: re[12]
>
> Perhaps you recognize it?
>
> I am unsure whether 2 digits are always used.

I have plenty of these in my logs. Alan has already posted on a recipe
to detect. Sometimes the 're' is of the form 'Re' and 'RE', sometimes
there is a space between the 're' and the square braces, sometimes there
are colons, and the numbers vary - I have only seen one or two digit
forms. These are the only variations I have noticed.

I use spamassassin which picks these up for me, so I don't have any
special recipes for them myself. You might consider that.

> I do not want to filter out anything that does not have that form.

What about if one of your friends sends you a message of the same form?

> What can I use for a filter?
>
> Also, I've tried to filter on the contents of attachments, but those
> seem to be ignored. Is there a way to force procmail to include
> attachments?

Can't help you there, sorry. I don't filter on attachments other than
nuking any that are of the usual suspect types (.exe, .com etc).

--
T R O Y P I G G I N S
e : usenet@piggo.com

Re: Procmail filter question

nooneinparticular314159@yahoo.com :
> I want to filter out messages from a worm. The messages are of the
> form:
>
> Subject: re[12]

:0
* ^Subject:.*re\[[-09]*\]$
/dev/null


--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.ietf.org/rfc/rfc1855.txt
Spammers! http://www.spots.ab.ca/~keeling/autospam.html

Re: Procmail filter question

s. keeling wrote:

> nooneinparticular314159@yahoo.com :
>
>> I want to filter out messages from a worm. The messages are of the
>> form:
>>
>> Subject: re[12]
>
>
> :0
> * ^Subject:.*re\[[-09]*\]$
> /dev/null
>
>

Just a small correction since I believe the above to be a typo,

The recipe should be:
:0
* ^Subject: re\[[0-9]+\]$
/dev/null

it might be better not to preceded the re with the match on anything
which is how the above is written.

AK