--Vytautas Kasparavicius wrote on 07.02.2002 14:24 +0200:

>> I created my own script from your example and from a list of potentially
>> dangerous attachments from Microsoft
[...] 
> After implementing this maildrop filter (checking all possible
> dangerous/executable attachments)
> Getting the following error:
> 
> "maildrop: Timeout quota exceeded"

Anchor the regexp to the beginning and/or end of a line; this
allows maildrop to skip ~99% of the data.

Improve the regexp: use one instead of >40, as already suggested.
There might be no '.*boundary'; I also miss .do? and .xl?, and
it fails if the filename is not terminated with a double quote.

Whitelisting the extensions which are not 'scriptable' or are known
by your scanner would be more secure and would also minimize the list.

But with Outlook there are ways to infect the box without using
the string 'name=' at all. It's of limited use against those
ever-spreading Outlook trojans.

Example from my etc/maildroprc; it prepends a warning to the subject
if one of the possibly dangerous attachments/trojans is found:


# etc/maildroprc - global trojan filter
import SENDER
import RECIPIENT

# Extensions to flag.  Each entry is a prefix (the pattern is \.($BADEXT).*$),
# so "vb" also catches .vbs/.vbe and "ws" catches .wsf/.wsh.  maildrop
# patterns are case-insensitive unless the :D flag is given.
BADEXT="(scr)|(exe)|(com)|(bat)|(pif)|(lnk)|(sys)|(vb)|(js)|(ws)|(shs)"
FILENAME=""

if ( /^content-type:[:space:]*![:alnum:]+!.*/:h )
{
  TYPE=$MATCH2          # major type: multipart, application, text, ...

  if ( "$TYPE" =~ /multipart/ )   # grep body
  {
    # The MIME part headers are in the body.  Anchored at the line start,
    # so maildrop can drop most lines after the first character.
    if ( /^((content-)|([:space:])).*[:space:](file)?name=!.*\.($BADEXT).*$/:b )
    {
      FILENAME=$MATCH2
    }
  }
  else    # single part: check the top-level headers
  {
    # filename= normally lives in Content-Disposition rather than
    # Content-Type, so look at both headers.
    if ( /^content-((type)|(disposition)):.*[:space:](file)?name=!.*\.($BADEXT).*$/:h )
    {
      FILENAME=$MATCH2
    }
  }

  if ( "$FILENAME" )    # an empty string is false
  {
    echo "X-Content-Virus-Warning: $FILENAME <$SENDER> $RECIPIENT"

    SUBJECT="(No Subject)"
    if ( /^Subject:[:space:]*!.*/:h )
    {
      SUBJECT=$MATCH2
    }

    # xfilter hands the command to the shell, and filename, sender and
    # subject all come from the message.  escape() backslash-escapes the
    # shell's special characters so the value can go on the command line
    # unquoted; wrapping an escaped value in quotes instead lets a quote in
    # the filename or subject terminate the string early.
    WARNING=escape("X-Content-Virus-Warning: $FILENAME <$SENDER> $RECIPIENT")
    NEWSUBJ=escape("Subject: [VIRUS WARNING: $FILENAME] $SUBJECT")
    xfilter "reformail -A'X-Content-Filter: name=*.$BADEXT' \
                -A'X-Content-Scanner: postmaster@$HOSTNAME' \
                -A$WARNING \
                -i$NEWSUBJ"
  }
}

# EOF


_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
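The checks the reply describes (one anchored pattern over the part headers, a filename that is not terminated with a double quote, and whitelisting extensions instead of listing the bad ones), as an added example written in Python rather than in maildrop's filter language so it can be run offline. It is not code from the original post or from the maildrop project. The two sample messages, the SAFE_EXT whitelist and all function names are constructed for this example. It goes one step beyond the maildroprc above: the parser-based check reads filename= from Content-Disposition as well as name= from Content-Type, which the maildroprc's single-part branch does not.

```python
"""Attachment-extension filter in the spirit of the maildroprc above, done
with the Python standard library so the matching rules can be run offline.
All messages below are constructed samples, not real mail."""
import email
import re
from email import policy
from email.message import EmailMessage

# Extension list from the posted maildroprc.  The maildrop pattern is
# \.($BADEXT).*$, i.e. each entry is a prefix: "vb" covers .vbs/.vbe and
# "ws" covers .wsf/.wsh, but "js" also covers .json.
BADEXT = ("scr", "exe", "com", "bat", "pif", "lnk", "sys", "vb", "js", "ws", "shs")
BAD_RE = re.compile(r"\.(?:" + "|".join(BADEXT) + r")", re.I)

# Whitelist variant suggested in the reply: only extensions the scanner knows
# or that cannot carry script.  Assumed list for this example.
SAFE_EXT = frozenset({"txt", "pdf", "jpg", "jpeg", "png", "gif", "zip"})

# Translation of the body pattern from the maildroprc: anchored at the line
# start so most lines are rejected after one character, case-insensitive as
# maildrop patterns are by default, and tolerant of a filename that is not
# double-quoted (the case the reply points out).
NAME_RE = re.compile(
    r'^(?:content-[a-z-]+:.*?[; \t][ \t]*|[ \t]+)(?:file)?name="?([^";\r\n]+)',
    re.I | re.M,
)


def names_by_regexp(raw: str) -> list[str]:
    """Filenames found by scanning the raw message text line by line."""
    return NAME_RE.findall(raw)


def is_bad_by_blacklist(filename: str) -> bool:
    """Same decision as the maildrop pattern: a listed prefix after a dot."""
    return BAD_RE.search(filename) is not None


def is_bad_by_whitelist(filename: str) -> bool:
    """Flag everything whose final extension is not explicitly allowed."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in SAFE_EXT


def attachment_names(msg: EmailMessage) -> list[str]:
    """Filenames from every MIME part.  get_filename() reads filename= from
    Content-Disposition and falls back to name= in Content-Type, handling
    quoted, unquoted and RFC 2231 forms, so no hand-written pattern is needed."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw: str, mode: str = "whitelist") -> tuple[list[str], str]:
    """Return (flagged filenames, new Subject) for a raw RFC 822 message,
    tagging the subject the way the maildroprc's reformail call does."""
    msg = email.message_from_string(raw, policy=policy.default)
    check = is_bad_by_whitelist if mode == "whitelist" else is_bad_by_blacklist
    flagged = [name for name in attachment_names(msg) if check(name)]
    subject = str(msg["Subject"]) if msg["Subject"] else "(No Subject)"
    if flagged:
        subject = f"[VIRUS WARNING: {flagged[0]}] {subject}"
    return flagged, subject


# Constructed multipart message: one unquoted name= (missed by a pattern that
# requires a closing double quote) and one filename= folded onto a
# continuation line.
MULTIPART = """\
From: sender@example.com
To: user@example.net
Subject: invoice
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

see attached
--xyz
Content-Type: application/octet-stream; name=budget.exe
Content-Disposition: attachment

MZ...
--xyz
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment;
\tfilename="q1.xls"

...
--xyz--
"""

# Constructed single-part message: the filename appears only in
# Content-Disposition, which the maildroprc's header branch never looks at.
SINGLE = """\
From: sender@example.com
To: user@example.net
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.scr"

MZ...
"""

if __name__ == "__main__":
    for label, raw in (("multipart", MULTIPART), ("single", SINGLE)):
        print(label, "regexp:", names_by_regexp(raw))
        for mode in ("blacklist", "whitelist"):
            print(label, mode, classify(raw, mode))
```

Run as a script it prints, for each sample, what the line-oriented regexp finds and what each policy flags. The blacklist misses q1.xls (the ".xl?" gap the reply mentions) while the whitelist flags it, and the prefix list flags a harmless report.json, which is the kind of noise a short whitelist avoids.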
