PIF / SCR attachments - Procmail deletion



firebirdfan
06-06-2004, 10:14 PM
I've pasted this code from http://www.internetguru.com.au/igblog-96.html
in my procmail file - ( etc/procmail )

So this is what my procmail file looks like currently:

# Added By HostDir
VERBOSE = "no"
LOGABSTRACT = "no"
SHELL = "/bin/sh"

RESIDUE = `/bin/procmail_checker $DEFAULT $LOGNAME 2>/dev/null`
:0
* ? test $RESIDUE != "unlimited"
{
:0
* > $RESIDUE
{
LOGFILE=/proc/self/fd/2
LOG="554 - Mailbox quota exceeded by $LOGNAME
"
EXITCODE=69
:0
/dev/null
}
}
# SPAMASSASSIN BLOCK

# The condition line ensures that only messages smaller than 250 kB
# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
# isn't bigger than a few k and working with big messages can bring
# SpamAssassin to its knees.
:0
* ! ^FROM_DAEMON
* < 256000
{
:0 fw: /var/lock/spamassassin.lock
| /spamassassin
}
# END SPAMASSASSIN BLOCK

:0:
* ^X-Spam-Flag: YES
/dev/null

:0 B
* name=.*(document|readme|doc|text|file|data|test|message|body)\.(vbs\"|wsf\"|vbe\"|wsh\"|hta\"|scr\"|pif\"|exe\"|shs\"|bat\"|bas\"|cmd\"|zip\")
{
:0
/dev/null
}

The *name is all on 1 line - but it doesn't delete it?

firebirdfan
06-06-2004, 11:31 PM
Okie, I got a different code working - & this is tried & tested.
So any of you guys can just cut & paste this code & it will block all harmful attachments:

:0
* < 150000
* ! ^Content-Type: text/plain
{
:0B
* ^(Content-(Type|Disposition):.*|[ ]*(file)?)name=("[^"]*|[^ ]*)\.(bat|cmd|com|cpl|exe|js|pif|vbs|scr|wsf)
/dev/null
}

You can change the 150k to whatever you want, but I heard that scanning large attachments will use a lot of resources... besides, these viruses are rarely over 150k in size; most seem to be around 40K to 75K.

File names that you want blocked are in the ( ), so remove whichever of them you want to come in.

Put that code below your last line of the procmail file.
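
A way to check the recipe in the post above against sample messages before relying on it, as an added example that is not part of the original thread. The extension list in the posted condition is not anchored at the end of the file name, so names such as data.json also match and are sent to /dev/null. Python's `re` only approximates procmail's matching, and `STRICT`, `recipe_drops`, `make_msg` and the sample file names are constructed for illustration.

```python
import re

# Python's re with these flags only approximates procmail's matching (assumption).
FLAGS = re.IGNORECASE | re.MULTILINE
EXTS = "bat|cmd|com|cpl|exe|js|pif|vbs|scr|wsf"
# Body condition transcribed from the recipe as posted.
POSTED = re.compile(
    r'^(Content-(Type|Disposition):.*|[ ]*(file)?)name=("[^"]*|[^ ]*)\.(' + EXTS + ")",
    FLAGS)
# Hypothetical tightened variant (not from the thread): the extension must be
# followed by a closing quote, ';', whitespace or end of line.
STRICT = re.compile(POSTED.pattern + r'("|;|[ \t]|$)', FLAGS)


def recipe_drops(message, body_pattern=POSTED, size_limit=150000):
    """Return True if the recipe's three conditions would deliver to /dev/null."""
    header, _, body = message.partition("\n\n")
    if len(message.encode()) >= size_limit:                     # * < 150000
        return False
    if re.search(r"^Content-Type: text/plain", header, FLAGS):  # * ! ^Content-Type: text/plain
        return False
    return body_pattern.search(body) is not None                # :0B name= condition


def make_msg(filename, top_type="multipart/mixed; boundary=X"):
    """Build a constructed sample message carrying one attachment."""
    return (
        f"From: sender@example.org\nContent-Type: {top_type}\n\n"
        "--X\nContent-Type: application/octet-stream;\n"
        f' name="{filename}"\nContent-Disposition: attachment;\n'
        f' filename="{filename}"\n\nAAAA\n--X--\n'
    )


# Constructed attachment names: one double extension, two harmless look-alikes, one image.
SAMPLES = ["invoice.pdf.exe", "www.example.com-report.pdf", "data.json", "photo.jpg"]


def compare():
    """Map each sample name to (dropped by POSTED, dropped by STRICT)."""
    return {n: (recipe_drops(make_msg(n)), recipe_drops(make_msg(n), STRICT))
            for n in SAMPLES}


if __name__ == "__main__":
    for name, (posted, strict) in compare().items():
        print(f"{name:28} posted={posted!s:5} strict={strict}")
```

Delivering to a quarantine mailbox instead of /dev/null while testing makes such false positives recoverable.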