  1. #1
    Junior Member
    Join Date
    Aug 2003
    Posts
    12

    Filtering email with attachments?

    Hi,

    Recently, there's been a large increase (100s every day) in the number of junk emails I receive with PIF and SCR file attachments.

    Since I never expect to be sent those files in normal circumstances (they're obviously viruses), I've set my email reader to trash any email received with those attachments. But the email reader has to download the email before it filters it, and I'd rather not download the email at all... so I was wondering if there's some way to do that filtering/trashing on the Westhost server side of things?

    Thanks,
    Ian.

  2. #2
    Senior Member FZ's Avatar
    Join Date
    May 2003
    Location
    Johannesburg, South Africa
    Posts
    1,024


    I have the same problem. I've received more than 2000 (literally!) in little over 3 days. However, there is a short term solution that I have implemented which saved me from downloading about 200MB of virii... Procmail. If you haven't already had a look at it, check out this post: http://forums.westhost.com/phpBB2/vi....php?t=151#538 It should get you set up. Basically, you can block these particular messages by subject. I only seem to have 3 or 4 variants ("Thank you!", "Wicked Screensaver", "Your Application", ...) so it is easy for me to send those straight to a folder in my home/username/mail directory which I can glance through with Pine (through SSH) at the end of the day instead of having to download them.

    Okay, so now the long term solution? An anti-virus or something similar to weed out the bad e-mails automatically and reliably. I have not tried it, but I have heard great things about clamav - http://clamav.elektrapro.com/ and Sanitizer - http://www.linux-mag.com/2001-08/guru_03.html The problem here would be, though, the time required to sit and configure them, not to mention installing them and actually getting them working on your account! I think you'd have to wait for WestHost 2.0 before you could even try...

    Good luck. If you can't figure out Procmail, let me know and I'll post what I have in mine that stops the junk (including returned mail supposedly because you sent the virus - which you didn't because the **** thing spoofs you in the From: header).

  3. #3
    Junior Member
    Join Date
    Aug 2003
    Posts
    12


    Sounds promising. If you can post your working config, that'd be great. Thanks!

  4. #4
    Senior Member FZ's Avatar
    Join Date
    May 2003
    Location
    Johannesburg, South Africa
    Posts
    1,024


    Ian,

    Here is what is in my .procmailrc (only the relevant bits here). I'm assuming you understood how to implement it after reading my detailed post...

    Code:
    PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/bin:/home/username/bin
    MAILDIR=$HOME/mail
    LOGFILE=$HOME/procmail.log
    #VERBOSE=yes
    
    :0:
    * ^From: admin@your.domain
    /dev/null
    
    :0
    * ! ^To.*unfiltered@your.domain
    {
    	:0:
    	* ^Subject.*Undeliver(ed|able) ((e)?mail|message)|^Subject.*returned (mail|message)|^Subject.*mail delivery|^Subject.*mail (delivery|system)|^Subject.*delivery ((status)? notification|failure)|^Subject.*failure notice|^Subject.*daemon|^Subject.*(virus found|found virus|virus detected|detected a virus|virus alert|failed to clean virus|unrepairable|viruses|virus in your mail|network associates webshield|potentially unsafe content)|\
    	  ^Message-Id.*@westhost35
    	Virus-Epidemic
    
    	:0:
    	* ^X-Spam-Flag: YES|^To.*Undisclosed|! ^To.*@your.domain|^To.*@westhost35|^From.*@westhost35
    	Spam
    
    	:0:
    	* ^Subject: A (very|special)? ( )?(powful|humour|funny|nice|new|excite|good) (game|tool|website|web site)$|\
    	  ^Subject: (document.write|frame(spacing|border|margin)|background|screensaver|marginheight|cell(spacing|padding)|cleartimeout|scrolling|onmouse|my events|nedstat|google)|\
    	  ^Subject: (have a (funny|new|excite|good|humour)|happy) assumption$|\
    	  ^Subject: BtVS and Angel Shippers Site$|\
    	  ^Subject: (Re: )?Thank you!$|\
    	  ^Subject: (Re: )?Wicked Screensaver$|\
    	  ^Subject: Dominoes$|\
    	  ^Subject: (Re: )?(Re: )?(My )?(details|approved)$|\
    	  ^Subject: A  (WinXP|IE 6.0) patch$|\
    	  ^Subject: (Re: )?Re: (My |your |That )?(Application|Movie)$|\
    	  ^Subject: Introduction on ADSL$|\
    	  ^Subject.*Worm Klez.E Immunity|\
    	  ^Subject.*removal tools|\
    	  ^Subject: leftmargin$|\
    	  ^Subject: please try again$|\
    	  ^Subject.*so cool a flash|\
    	  ^Subject.*be friends$|\
    	  ^Subject.*Instant message|\
    	  ^Subject: 2001, 2002 phpBB Group$|\
    	  ^Subject: H(i|ello),(fayez|honey)$|\
      	  ^Subject: fayez,some questions$|\
    	  ^Subject: Some questions$|\
    	  ^Subject: How are you$|\
    	  ^Subject.*meeting notice|\
    	  ^Subject.*darling|\
    	  ^Subject: (hi )?congratulations$|\
    	  ^Subject.*garden of eden|\
    	  ^Subject: your password$|\
    	  ^Subject.*eager to see you|\
    	  ^Subject.*sos|\
    	  ^Subject.*hometown|\
    	  ^Subject.*rights reserved$|\
    	  ^Subject.*spice girl|\
    	  ^Subject.*Japanese|\
    	  ^Subject.*klik|\
    	  ^Subject: LANGUAGE$|\
    	  ^Subject: Questionnaire$|\
    	  ^Subject.*my beautiful girl friend|\
      	  ^From.*(Dispatch@McAfee.com|gilliansl)
    	Virii
    }
    
    :0:
    ${DEFAULT}

    Where username should be replaced by your WestHost username in each case, and your.domain with your domain name.

    Just a quick explanation of the above code:

    I frequently get the "admin@domain", "subject: your account" e-mails (i.e. with the viral attachments), and since the only person that can legitimately send me e-mail from that address is me, I know to send it straight to trash.

    I've set up a couple of addresses that are not checked against any rules at all - addresses I know that never receive any junk or virii because they are not published on the net. For example, I have a special address that I use for WestHost...

    Right, the next chunk of code... This is the one that does most of the stopping. Since these **** virii spoof my address as a from: I get about 50 "mail delivery failed because your e-mail contained a virus" messages a day. So, I'm filtering them. Up until yesterday, I was only filtering ones NOT from MAILER-DAEMON@westhost... (which would be the only address that sends legit mail delivery notifications), but the friggin virii now spoof this address too (great!). My point is that all your undelivered mail messages, be it legit or otherwise will be sent to the Virus-Epidemic mailbox (viewable by launching pine from SSH).

    The next chunk of code weeds out probable spam. I've set my SpamAssassin filters to a very low tolerance level (so sometimes legit mail is marked as spam). So now, I only get about 5 spam e-mails a week (down from 60/day a little over a month ago). Mail marked as spam (or that has headers indicating it is likely spam) is moved to Spam. I take a glance at it once or twice daily before I delete it permanently.

    The huge block of code is what blocks most (but not all) of the Worm.Klez/Sobig/etc. e-mails (by subject). The list is not comprehensive, but easy to add to. I've been using it for about 45 days and not once has it matched on legit mail (because the subjects are always the same, and are not likely "real" subjects).

    The last bit is just telling procmail to deliver all other messages (i.e. seemingly legit mail) to your "default" location.

    I hope spammers don't use this info to bypass my mail filters now.

    Let me know how it goes. If you need any other help, just shout.
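
As an added illustration, not code from this thread, from FZ, or from procmail itself, here is a small Python model of the rules posted above: it builds a few constructed sample messages (all addresses use the reserved example.invalid domain and are hypothetical), applies a handful of the Subject patterns copied verbatim from the .procmailrc, and sorts each message into the same mailbox names (Virii, Virus-Epidemic, default). It goes one step beyond the posted recipes by also adding the attachment-extension check that the opening question asks for (.pif and .scr), which the subject rules above do not cover. The last sample shows why the anchoring matters: the patterns ending in `$` only fire on the exact worm subjects, while an open-ended pattern such as `^Subject.*sos` also catches an ordinary message whose subject merely contains those letters.

```python
import os
import re
import email
from email import policy
from email.message import EmailMessage

# Constructed sample traffic (not taken from the thread) imitating what the
# posters describe: worm mail with a .pif attachment, a worm subject with no
# attachment, a bounce from a mail system, a legitimate reply, and a
# legitimate message that an open-ended pattern catches by accident.
def build(subject, sender, body, attachment=None):
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "ian@example.invalid"        # hypothetical recipient
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

SAMPLES = {
    "worm": build("Thank you!", "friend@example.invalid",
                  "See the attached file.", ("your_details.pif", b"MZ\x90\x00")),
    "screensaver": build("Re: Wicked Screensaver", "friend@example.invalid",
                         "Have a look!"),
    "bounce": build("Undeliverable mail: virus found",
                    "MAILER-DAEMON@example.invalid",
                    "Your message could not be delivered."),
    "legit": build("Re: Thank you! for the invoice", "client@example.invalid",
                   "Received, thanks."),
    "false_positive": build("Re: Sosa conference schedule",
                            "colleague@example.invalid",
                            "Updated agenda attached."),
}

# Subject patterns copied from the .procmailrc above, anchoring kept as
# written. procmail matches case-insensitively by default, so re.IGNORECASE
# is used throughout to mirror that.
BOUNCE_RULES = [                                # -> Virus-Epidemic
    r"^Subject.*Undeliver(ed|able) ((e)?mail|message)",
    r"^Subject.*(virus found|found virus|virus detected|virus alert)",
]
SUBJECT_RULES = [                               # -> Virii
    r"^Subject: (Re: )?Thank you!$",            # anchored with '$'
    r"^Subject: (Re: )?Wicked Screensaver$",    # anchored with '$'
    r"^Subject.*sos",                           # open-ended substring
    r"^Subject.*Japanese",                      # open-ended substring
]
# Extensions the original question never expects to receive.
BLOCKED_EXTENSIONS = {".pif", ".scr"}

def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)

def attachment_names(msg):
    """Filenames of every MIME part that carries one (the name a worm uses)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def fired_rule(subject):
    """First pattern (bounce rules first) matching the Subject line, or None."""
    line = "Subject: " + subject
    for pat in BOUNCE_RULES + SUBJECT_RULES:
        if re.search(pat, line, re.IGNORECASE):
            return pat
    return None

def classify(raw):
    """Mailbox the message would land in: Virii, Virus-Epidemic or default."""
    msg = parse(raw)
    # Attachment extension check first: this is the filter the question asks
    # for and it works whatever Subject the worm happened to pick.
    for name in attachment_names(msg):
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            return "Virii"
    pat = fired_rule(str(msg["Subject"] or ""))
    if pat is None:
        return "default"
    return "Virus-Epidemic" if pat in BOUNCE_RULES else "Virii"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        msg = parse(raw)
        subj = str(msg["Subject"])
        print(f"{name:15} -> {classify(raw):15} subject={subj!r} "
              f"attachments={attachment_names(msg)} rule={fired_rule(subj)}")
```

Running the script prints one line per sample with the mailbox it would be filed in and the rule that fired. In procmail terms the attachment check is the one piece this model adds: the MIME `name=`/`filename=` parameters live inside the message parts rather than in the top headers, so a recipe for them has to match the body (procmail's `B` flag), which is why it is separate from the header-only subject rules above.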

  5. #5
    Senior Member FZ's Avatar
    Join Date
    May 2003
    Location
    Johannesburg, South Africa
    Posts
    1,024


    Just a correction or two:

    westhost35 is the WestHost server my account is on. So replace all occurrences of it with the server your account is on.

    Virii and Virus-Epidemic are kind of redundant... You could just use one mailbox (and merge the two rule "sets"), but I chose to make the epidemic box so that when the virus cools down I can remove its conditions (and therefore un-blacklist the real mailer-daemon). I also did it because Virii gets about 10 mails a day, while the -epidemic one gets a few hundred (easier to delete...) a day.

    Finally, "fayez" is the part before the @ in my e-mail address (as extracted by spammers and virii).

  6. #6
    Junior Member
    Join Date
    Aug 2003
    Posts
    12


    I'm unable to get procmail to work. This is what I put in .procmailrc as a little test...
    Code:
    MAILDIR=$HOME/mail
    LOGFILE=$HOME/procmail.log
    #VERBOSE=yes
    
    :0
    * ^Subject:.*test
    /dev/null

    I sent myself a message with test in the subject, and I received it.

    The .procmailrc file is in my home directory, and I chmod'd it to 644. Is there something else I'm forgetting to do?

    Cheers,
    Ian.

  7. #7
    Senior Member FZ's Avatar
    Join Date
    May 2003
    Location
    Johannesburg, South Africa
    Posts
    1,024


    Hmm, it never works first time :x

    Did you upload the file in ASCII mode? Are you sure you don't have any characters before the .? It has to be .procmailrc (nothing before the . - just a file extension, no "name").

    Try removing the # from the 3rd line, and then take a look at procmail.log to see what it says... If it isn't created, there is either an error in your procmail file, you didn't upload it properly or permissions are incorrect...

  8. #8
    Junior Member
    Join Date
    Aug 2003
    Posts
    12


    Yep, all that looks correct...
    Code:
    west18:~$ ls -la
    ...
    -rw-r--r--    1 userx  groupx       90 Aug 21 16:02 .procmailrc
    ...
    west18:~$ cat .procmailrc
    MAILDIR=$HOME/mail
    LOGFILE=$HOME/procmail.log
    VERBOSE=yes
    
    :0
    * ^Subject:.*test
    /dev/null

    Even after uncommenting the "VERBOSE" line, I still get no logfile (it should be in the home dir?), so I guess that means procmail isn't even being invoked?

    Could it be because I'm not on the newfangled "Westhost 2" system? Are you?

    procmail is installed though...
    Code:
    west18:~$ procmail -v
    procmail v3.22 2001/09/10
        Copyright (c) 1990-2001, Stephen R. van den Berg    <srb@cuci.nl>
        Copyright (c) 1997-2001, Philip A. Guenther         <guenther@sendmail.com>
    
    Submit questions/answers to the procmail-related mailinglist by sending to:
            <procmail-users@procmail.org>
    
    And of course, subscription and information requests for this list to:
            <procmail-users-request@procmail.org>
    
    Locking strategies:     dotlocking, fcntl(), lockf(), flock()
    Default rcfile:         $HOME/.procmailrc

  9. #9
    Senior Member FZ's Avatar
    Join Date
    May 2003
    Location
    Johannesburg, South Africa
    Posts
    1,024


    *sigh* That just plain sucks. Maybe you should try WestHost support. And no, I am not on 2.0 as yet. I think someone else was having trouble with procmail as well (also not on 2.0, and on a different server to mine). He could only get it working if he sent mail "internally" i.e. using the "mail" command in SSH... You should give it a go and see. Also, try "echo $HOME" at the prompt to make sure that's fine. Lastly, does the mail directory exist?

    Oh, and maybe if you added a second colon after the :0, and added the default code block at the end (probably won't work, but you might as well try it).

  10. #10
    Junior Member
    Join Date
    Aug 2003
    Posts
    12


    Yep, $HOME is fine, and the "mail" dir exists. Unfortunately, adding the ":" and "$DEFAULT" stuff didn't help. I also tried creating a .forward file, as specified in the procmail FAQ, but that didn't help either.

    Just a wild guess, but maybe the redirects are stopping procmail from being invoked? Do you have a .redirect file, or do you have all that stuff in the .procmailrc?

    Testing procmail like this...
    Code:
    procmail -m $HOME/.procmailrc <testmessage

    ...works fine, which suggests that the .procmailrc file is fine, and the problem is indeed that procmail is just not being invoked when email is received.

    It was stated in another post here that Westhost don't support procmail, so I don't suppose I can expect them to help with this.

    This is really starting to do my head in now.

    Thanks for your help anyway.
