View Full Version : How do I identify all .pif virus files as spam



Glocom
03-09-2004, 06:03 AM
Is there a very simple rule I can add to procmailrc that will identify any email with a .pif file as spam (and a few other file types)? I am already bouncing all messages flagged as spam. I just want these files to trigger that.

Thanks.

FZ
03-09-2004, 11:20 AM
What I do to battle the current barrage of virii-infested mail, is use this piece of (Procmail) code:


:0B:
* ^Content-Type.*octet-stream
/mail/virii

I've been using it for a while now, and while it does not specifically do what you ask for, it will definitely stop the virii-infested mail (by moving it to a mailbox file called "virii" in your /mail folder). However, I'm no expert on the topic of content-encoding/type so the above might filter mail with "legal" attachments too (which is why I move mail to a mailbox file, which I scan through manually before emptying).

WestHost - MMellor
03-16-2004, 06:36 PM
Hello Glocom,

Another solution to this is to set up email filters within the email program that you are using. You can set Outlook to move any emails which contain those file extensions to a folder which you can then delete. Let me know if this helps.

hipstergk
03-17-2004, 08:29 AM
I have this little bit of code at the top of my procmail file:


:0
* < 256000
* ! ^Content-Type: text/plain
{
:0B
* ^(Content-(Type|Disposition):.*|[ ]*(file)?)name=("[^"]*|[^ ]*)\.(com|pif|scr)
/dev/null
}


the following

* ^(Content-(Type|Disposition):.*|[ ]*(file)?)name=("[^"]*|[^ ]*)\.(com|pif|scr)
should all be on one line, if you just copy everything from above you should be alright.

this will delete any .com, .pif, or .scr attachments.
if you'd rather not delete them, just change /dev/null to wherever you want them moved to.
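
An added example, not part of the original post: a Python check of what the name= condition in the recipe above matches, run over constructed MIME part headers. The patterns are transcribed for Python's re module (procmail itself is not run), and the ANCHORED variant with its wider extension list is an assumption made here for comparison.

```python
import re

# The condition from the recipe above, transcribed for Python. procmail matches
# case-insensitively unless the D flag is set, and ^ anchors at each line start.
PREFIX = r'^(Content-(Type|Disposition):.*|[ \t]*(file)?)name=("[^"]*|[^ \t]*)'
FLAGS = re.IGNORECASE | re.MULTILINE

ORIGINAL = re.compile(PREFIX + r'\.(com|pif|scr)', FLAGS)

# Assumed variant: the extension must end the file name (closing quote,
# separator or end of line). exe, bat and zip are added to show how the
# alternation is widened.
ANCHORED = re.compile(PREFIX + r'\.(com|pif|scr|exe|bat|zip)("|[ \t;]|$)', FLAGS)

# Constructed sample headers, one MIME part each.
SAMPLES = {
    "quoted_pif": 'Content-Type: application/octet-stream; name="document.pif"',
    "folded_upper_scr": 'Content-Disposition: attachment;\n\tfilename="PHOTO.SCR"',
    "double_ext": 'Content-Disposition: attachment; filename="invoice.pdf.scr"',
    "zip": 'Content-Disposition: attachment; filename="archive.zip"',
    "dot_com_inside": 'Content-Disposition: attachment; filename="report.company.txt"',
    "plain_txt": 'Content-Type: text/plain; name="notes.txt"',
}


def classify(part_headers):
    """Return (original_hit, anchored_hit) for one MIME part's header text."""
    return (
        bool(ORIGINAL.search(part_headers)),
        bool(ANCHORED.search(part_headers)),
    )


def report():
    """Classify every constructed sample."""
    return {name: classify(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig_hit, anch_hit) in report().items():
        print(f"{name:18} original={orig_hit!s:5} anchored={anch_hit}")
```

The "dot_com_inside" sample shows why an unanchored extension match is risky when the action is /dev/null: a harmless file name containing ".com" is treated like a .com attachment.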

pnat331
03-25-2004, 03:52 PM
I have 9 mail user accounts on my site and would like to have .procmailrc scan each of those accounts for viral messages. What do I have to do to configure this?

I created a file called rc.subscriptions and included the following code in it:


:0:
* ^TO_user1@xxxx.org
IN-S-user1

:0:
* ^TO_user2@xxxx.org
IN-S-user2

My .procmailrc file, based on suggestions given in this forum contains the following lines:

INCLUDERC=$PMDIR/rc.subscriptions

Despite having set this up and the .forward file, I continue to get messages with the .pif attachment on several user accounts. What can I do to fix this?

Appreciate the help...

Prakash

FZ
03-25-2004, 04:19 PM
You do not need a .forward file, Procmail is already set up and working for you.

To enable "global Procmail rules" you can add the code in question to the "global" Procmail file: /etc/procmailrc - make sure to add it to the end of the file (maybe it would be better if you backed up the original before you made the changes). Note that there is no . in the name of this file. Also, if you are going to be re-uploading your file, make sure to do so in ASCII/Text mode and then CHMOD it to 644.

As for your rc.subscriptions trouble, I am not sure what you are trying to do? Why not just place the code you have directly in your .procmailrc instead of trying to include it?

Glocom
04-12-2004, 06:03 AM
I put the code from HIPSTERGK in my procmailrc file, and it doesn't seem to have stopped the incoming virus files. He said to put the code in my "procmail" not "procmailrc" file. Does anyone know if this was a typo? I can't find a "procmail" file.

If this is not my problem, any suggestions on why this isn't working for me? Do I need to activate my "procmailrc" file? Currently, it's in the "ETC" directory and CMOS'ed 644.

Thanks.

FZ
04-12-2004, 11:16 AM
Well, there are two locations you can place that code:

/etc/procmailrc - which is the "global" file, so it will affect all incoming mail.

OR

/.procmailrc - which is the home directory for the domain@domain.com e-mail address. The .procmailrc file can be placed in any e-mail/FTP account's home directory.

Notice the subtle difference: the global file does NOT contain a . before it, but the Procmail recipe files that are placed in home directories (so that the rules therein are specific to that e-mail account only) DO have the . in front of the name. Permissions of "644" is correct for any kind of Procmail recipe file (be it global or otherwise).

If placed in the correct location, there is no need to "activate" your Procmail recipe file(s). Just make sure you uploaded it in ASCII/text mode (if you uploaded it via FTP).

Glocom
04-12-2004, 05:48 PM
I'm unclear about the second option. How do I find the "home directory" for the email address?

Also, do I need to create the /.procmailrc file myself? If so, what extension should I save it with...

Thanks for replying again.

Andy Gray

FZ
04-12-2004, 06:03 PM
Andy,

There is no extension for the file: in fact, there is no name, it is only an extension: .procmailrc (nothing before the . meaning technically that the extension is "procmailrc").

I'm sorry if my explanation of home directories for e-mail/FTP accounts Procmail recipes confused you. It doesn't apply in your case if it is a global Procmail rule you wish to introduce, so ignore that. However, if you are still interested, you can see the home directories for e-mail/FTP accounts via your Site Manager, by clicking "Edit" for an account in the list, and then clicking "Next" twice, which will get you to "FTP properties", where there will be a "Home Directory" text box. If that box is non-empty, then the directory listed there is the home directory of that account. What that means in turn is that if you placed a .procmailrc in that directory, the rules therein would apply to mail for that account ONLY, contrary to rules that would apply to EVERY SINGLE MAIL in the case of /etc/procmailrc

Hope that clarifies things for you.

proaudiogear4less
11-22-2005, 01:16 PM
I was trying to use this recipe and put it at the top of my procmailrc file found in /etc . It doesn't seem to work. Can anyone assist me on this. I tried to ask WestHost for help but they said it was beyond their tech support scope.
Thanks for any help. I just wanted to block all the scr, bat, com, exe and zip from coming thru because some moron opened an infected .zip file from one of the multitudes of daily spam and I had to spend 1 whole day repairing the damage.

jalal
11-23-2005, 02:51 AM
Turn on logging for procmail (set it to verbose) and then send yourself a test mail and find out where it is going to...
Oh, and make sure that the .procmailrc is in unix format (not windows).

proaudiogear4less
11-23-2005, 09:38 AM
I think I got it. I had to rename /etc/procmailrc to /etc/.procmailrc .
I did find a great resource for rules.
Definitely worth looking at http://phd.pp.ru/Software/dotfiles/procmailrc.html .
The only problem I am having is I was unable to reject incoming emails that have .zip files attached. No matter what I did with the rules it just wouldn't block the incoming files with a .zip attachment.
Any info on this?

jalal
11-23-2005, 02:03 PM
I think I got it. I had to rename /etc/procmailrc to /etc/.procmailrc

No, '/etc/procmailrc' is the correct name.