Filtering out messages based on attachment contents

on 31.05.2005 18:24:26 by nooneinparticular314159

I have started to receive e-mail containing viruses in attachments. I
would like to filter these out based on strings in the attachments
themselves, since there is very little to filter on in the message
header or body. Is there a way to do this using procmail? If so, can
you please post an example on here? I've tried this before, and found
that my filters failed.

Thanks!

Re: Filtering out messages based on attachment contents

on 31.05.2005 19:05:28 by AK

nooneinparticular314159@yahoo.com wrote:
> I have started to receive e-mail containing viruses in attachments. I
> would like to filter these out based on strings in the attachments
> themselves, since there is very little to filter on in the message
> header or body. Is there a way to do this using procmail? If so, can
> you please post an example on here? I've tried this before, and found
> that my filters failed.
>
> Thanks!

Sure,

Filter out attachments with names that end in pif, scr, com, bat, exe.

The attachments are often encoded, so it might not be as useful to
filter based on a string within the attachment.

You might want to post your recipe and what you expected it to do; that
way we will be able to see it and might be able to offer some suggestions.

AK
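Added example (not code from AK or anyone else in the thread), in Python rather than procmail, showing both points above on a constructed sample message: a byte string inside a base64-encoded attachment is invisible to a match over the raw message text, while the attachment's declared filename and extension are available to match on. The names build_sample, raw_contains, decoded_contains and blocked_attachment_names are this example's own.

```python
"""Added example, not code from the thread: why a string inside a
base64-encoded attachment is invisible to a raw-text match, and how the
declared filename/extension can be matched instead.  Sample messages are
constructed here; build_sample, raw_contains, decoded_contains and
blocked_attachment_names are this example's own names."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The extensions AK lists, matched case-insensitively at the end of the name
# (so "notes.txt.exe" and "INVOICE.SCR" are both caught).
BLOCKED_EXT = re.compile(r"\.(pif|scr|com|bat|exe)$", re.IGNORECASE)


def build_sample(filename: str, payload: bytes) -> bytes:
    """Construct a multipart message with one binary attachment.
    EmailMessage base64-encodes binary attachments by default."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "your document"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def raw_contains(raw: bytes, needle: bytes) -> bool:
    """What a plain body match sees: the transfer-encoded text."""
    return needle in raw


def decoded_contains(raw: bytes, needle: bytes) -> bool:
    """The same search after decoding each MIME part's payload."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if needle in part.get_payload(decode=True):
            return True
    return False


def blocked_attachment_names(raw: bytes) -> list[str]:
    """Filenames (from Content-Disposition filename= or Content-Type name=)
    whose extension is on the block list.  The parser also decodes the
    RFC 2231 'filename*=' form, which a raw-text 'name=' regex never sees."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and BLOCKED_EXT.search(part.get_filename())]


if __name__ == "__main__":
    raw = build_sample("invoice.SCR", b"MZ\x90\x00virus-marker-xyz")
    print("raw match:    ", raw_contains(raw, b"virus-marker-xyz"))      # False
    print("decoded match:", decoded_contains(raw, b"virus-marker-xyz"))  # True
    print("blocked names:", blocked_attachment_names(raw))               # ['invoice.SCR']
```

The needle contains a hyphen, which can never occur in base64 output, so the raw search is guaranteed to fail even though the decoded search finds it; that is the reason a string-in-attachment recipe "fails" while an extension match on the declared name works.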

Re: Filtering out messages based on attachment contents

on 01.06.2005 02:13:38 by Alan Clifford

On Tue, 31 May 2005 nooneinparticular314159@yahoo.com wrote:

> I have started to receive e-mail containing viruses in attachments. I
> would like to filter these out based on strings in the attachments
> themselves, since there is very little to filter on in the message
> header or body. Is there a way to do this using procmail? If so, can
> you please post an example on here? I've tried this before, and found
> that my filters failed.
>


I've had a go at doing this automatically, like this: an email comes
along, say it's a virus. It is filtered through a program and the first
suitable 500 byte "string" is stored. This and all subsequent suitable 500
byte strings are compared against the database. If a match is found, the
count stored in the database is incremented and the count returned. This
can then be tested with a procmail recipe. If there is no match, the
stored string is added to the database. A suitable string consists of 500
bytes with a limitation on the number of repeated characters, no double
end of lines and no spaces or tabs.

This will pick up things like photographs as well but I find it a useful
tool. Particularly when the count has hit 9999, you know it's a nasty.


--
Alan

( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this a very
old message, a "tuna" will swim right through. )
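Added example, not Alan's program (the post does not include it): a minimal Python version of the scheme he describes. Details the post leaves open are filled in here as assumptions: windows are found by sliding over the raw message text, "limited repeats" means no run of more than MAX_REPEAT identical bytes, a new entry starts at count 1, and a miss returns 0. The messages are constructed samples; FingerprintDB, suitable_windows and build_message are this example's own names.

```python
"""Added example, not Alan Clifford's program: a minimal version of the
fingerprint database he describes.  Assumptions made here: windows are
found by sliding over the raw message text; 'limited repeats' means no run
of more than MAX_REPEAT identical bytes; a new entry starts at count 1 and
a miss returns 0.  Messages below are constructed samples."""
import base64
import re

WINDOW = 500
MAX_REPEAT = 8   # assumption: longest run of one byte tolerated in a window

# A window is unsuitable if it holds a space or tab, a double line end,
# or a run of MAX_REPEAT+1 or more identical bytes.
_UNSUITABLE = re.compile(rb"[ \t]|\r?\n\r?\n|(.)\1{%d,}" % MAX_REPEAT, re.DOTALL)


def is_suitable(chunk: bytes) -> bool:
    return len(chunk) == WINDOW and _UNSUITABLE.search(chunk) is None


def suitable_windows(data: bytes):
    """Yield suitable windows; after a hit continue right after it,
    otherwise slide one byte.  Base64 attachment bodies qualify (no blanks,
    only single line ends), so identical attachments give identical windows
    whatever the headers say."""
    i = 0
    while i + WINDOW <= len(data):
        chunk = data[i:i + WINDOW]
        if is_suitable(chunk):
            yield chunk
            i += WINDOW
        else:
            i += 1


class FingerprintDB:
    """In-memory stand-in for the on-disk database in the post."""

    def __init__(self) -> None:
        self.counts: dict[bytes, int] = {}

    def score(self, raw: bytes) -> int:
        """Return the incremented count of the first window already known,
        or 0 for an unseen message, whose first window is then recorded."""
        windows = list(suitable_windows(raw))
        for w in windows:
            if w in self.counts:
                self.counts[w] += 1
                return self.counts[w]
        if windows:
            self.counts[windows[0]] = 1
        return 0


def build_message(subject: str, attachment: bytes) -> bytes:
    """Constructed sample: a short header block and a base64 body."""
    header = (f"From: sender@example.invalid\nTo: me@example.invalid\n"
              f"Subject: {subject}\n"
              "Content-Type: application/octet-stream\n"
              "Content-Transfer-Encoding: base64\n\n").encode()
    return header + base64.encodebytes(attachment)


if __name__ == "__main__":
    db = FingerprintDB()
    worm = bytes(range(256)) * 3   # stands in for a 768-byte attachment
    print(db.score(build_message("invoice", worm)))       # 0: first sighting
    print(db.score(build_message("re: invoice", worm)))   # 2: same attachment, new subject
    print(db.score(build_message("holiday", bytes(reversed(worm)))))  # 0: different file
```

The returned count is the value a procmail recipe would test; in this form the database stores the raw 500-byte window, so the same photograph mailed twice scores exactly like a worm mailed twice, which is the side effect the post mentions.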

Re: Filtering out messages based on attachment contents

on 01.06.2005 04:48:22 by Jem Berkes

> I have started to receive e-mail containing viruses in attachments. I
> would like to filter these out based on strings in the attachments
> themselves, since there is very little to filter on in the message
> header or body. Is there a way to do this using procmail? If so, can
> you please post an example on here? I've tried this before, and found
> that my filters failed.

You might want to try my renattach software, which can easily be used from
procmail to filter attachments based on file names or file extensions
http://www.pc-tools.net/unix/renattach/

In procmail it simply looks like this:

# Filter mail through renattach, and wait for success exit code
:0 wf
| /path/to/renattach

--
Jem Berkes
Software design for Windows and Linux/Unix-like systems
http://www.sysdesign.ca/

Re: Filtering out messages based on attachment contents

on 01.06.2005 19:22:41 by HerHusband

> I have started to receive e-mail containing viruses in attachments. I
> would like to filter these out based on strings in the attachments
> themselves, since there is very little to filter on in the message
> header or body. Is there a way to do this using procmail? If so, can
> you please post an example on here?

I tried a few different filters, but none seemed very reliable. So, I now
reject email with attachments that come to my main account. I set up a
special address for file attachments and notify the user that they can send
the file to me at that address. So far, I have not received any spam
attachments at the new address, but I can easily change the file attachment
address at any time if that should happen.

Here's what I use:

(Change file@yourdomain.com to the address where you accept attachments)
(Change support@yourdomain.com to your regular email address)
(Change "Your Name" to your name... :)

Take care,

Anthony



# Catch mail carrying an executable-type attachment, unless it is addressed
# to the dedicated attachment address.  The "B ??" prefix scopes a condition
# to the body; the To: test has to look at the header, which a plain ":0 B"
# flag on the whole recipe would not do (it would search the body for To:).
:0
* B ?? ^Content-Type:.*(application|audio)
* B ?? ^.*name=.*\.(bat|cpl|exe|lnk|pif|scr|shs|zip)
* ! ^To:.*file\@yourdomain\.com
{
# Send the notice once only: not to daemons, and never to a message that
# already carries our X-Loop header.  'h' feeds only the header to formail,
# 'c' works on a copy so the original continues to the next recipe.
:0 hc
* !^FROM_DAEMON
* !^X-Loop: support\@yourdomain\.com
| (formail -r -A"Precedence: junk" \
-A"X-Loop: support@yourdomain.com" ; \
echo "Thank you for emailing support@yourdomain.com" ; \
echo " " ; \
echo "Due to the large amount of spam I receive," ;\
echo "I no longer accept file attachments at this address." ; \
echo " " ; \
echo "If you need to send a file to me, please send it to" ; \
echo "file@yourdomain.com" ; \
echo " " ; \
echo "I sincerely apologize for any inconvenience this may cause." ; \
echo " " ; \
echo "Take care," ; \
echo " " ; \
echo "Your Name" ; \
echo "support@yourdomain.com" ; \
echo "www.yourdomain.com") | $SENDMAIL -t

# Discard the original.
:0
/dev/null
}