Here's an improved version of this script. It will also flag messages
containing uuencoded attachments, such as the EICAR message that Nessus
sends out:
#!/bin/bash
# Exit 0 (flag the message) when a MIME content header or a uuencode
# "begin <mode> " line mentions an executable extension, otherwise exit 1.
egrep -i -e "^content-" -e "^begin[[:space:]][0-9][0-9][0-9][[:space:]]" \
    | egrep -i -e '\.exe' -e '\.pif' -e '\.com' -e '\.bat' > /dev/null 2>&1
exit $?
Does anyone who knows more about the uuencode format have any
suggestions for making it more restrictive in what it will flag? I was
only working off of one example.
Between this script and clamav, it looks like I should get 'em all.
(ClamAV doesn't look at uuencoded attachments as near as I can tell.)
-Luke
On Tue, 2003-11-04 at 09:49, John Harlow wrote:
> I have bogofilter in place which puts my spam into a separate folder,
> but I also have put a simple shell filter in place to separate out all
> of these bogus MS security/virus emails that come in on my accounts and
> them as they arrive.
>
> The filter is just a shell and looks like this:
>
> cat | egrep -i "^content-" | egrep -i -e '\.exe' -e '\.pif' -e '\.com' -e '\.bat' \
>     > /dev/null 2>&1
> exit $?
>
> The exit code of the second egrep is the exit status of the shell.
> (There's probably a nicer regexp that would eliminate the need for two
> egreps, but this is at the quick & dirty stage right now.)
>
> My evolution filter verifies that the email has an attachment and if so,
> runs the shell command on it. If the return is 0, it deletes the
> message. Here is the rule.
>
> <rule grouping="all" source="incoming">
> <title>VIRUS</title>
> <partset>
> <part name="attachments">
> <value name="match-type" type="option" value="exist"/>
> </part>
> <part name="pipe">
> <value name="command" type="command">
> <command>/home/jrh/bin/viruscheck</command>
> </value>
> <value name="retval-type" type="option" value="is"/>
> <value name="retval" type="integer" integer="0"/>
> </part>
> </partset>
> <actionset>
> <part name="delete"/>
> <part name="stop"/>
> </actionset>
> </rule>
>
> The odd thing is that this rule is much earlier in the stack than my
> bogofilter rule. When email is checked, these emails end up in my spam
> folder (per bogofilter.)
>
> If I then select and right-click on these 'infected' emails and apply
> filters, this filter fires and the email is deleted.
>
> Why would it work manually, but not when the email is being received?
>
> Thanks
> John
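A stricter variant of the filter, added here as an example rather than taken from either message: it inspects only the name= and filename= parameters of Content-Type/Content-Disposition headers (so a Content-ID ending in .com is not flagged), and a uuencode begin line must carry an octal mode and a filename ending in one of the listed extensions. The extension list and the --filter flag are my own choices; folded multi-line headers are not unfolded, as in the original.

```shell
#!/bin/bash
# Added example, not the script from either message. Intended as the
# Evolution "pipe" command: exit 0 means "flag this message", 1 means
# "clean" (grep's own convention, which the original scripts also rely on).

# Extensions treated as executable; extend to taste.
EXT='(exe|pif|com|bat|scr)'

# MIME header: name="foo.exe" or filename=foo.exe (quotes optional). The
# parameter must end right after the extension (quote, ';' or end of line),
# so "notes.com.txt" and "<abc@example.com>" do not match.
HDR_RE="^content-(type|disposition):.*(name|filename)=\"?[^\";]*\.${EXT}\"?(;|[[:space:]]*$)"

# uuencode header: 'begin 644 setup.pif' (or begin-base64 from uuencode -m).
# The mode must be 3 or 4 octal digits and the dangerous extension must be
# the last thing on the line, so "begin 644 report.txt" is not flagged.
UU_RE="^begin(-base64)? [0-7]{3,4} .*\.${EXT}[[:space:]]*$"

# Reads the message on stdin; returns 0 if any line matches either pattern,
# 1 if none does.
viruscheck() {
    grep -E -i -e "$HDR_RE" -e "$UU_RE" > /dev/null 2>&1
}

# Run as a filter only when invoked with --filter (e.g. viruscheck --filter
# as the pipe command), so the file can also be sourced without consuming
# stdin.
if [ "${1:-}" = "--filter" ]; then
    viruscheck
    exit $?
fi
```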
_______________________________________________
evolution maillist - [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/evolution