shouldn't that be ([0-7]){3,4} instead of [0-9][0-9][0-9]? :-)
Jeff
On Tue, 2003-11-04 at 12:24, Luke Scharf wrote:
> Here's an improved version of this script. It will also flag messages
> containing in uuencoded messages, such as the ECAR message that Nessus
> sends out:
>
> #!/bin/bash
> cat | egrep -i -e "^content-" -e "^begin[[:space:]][0-9][0-9][0-9][[:space:]]" \
> | egrep -i -e '\.exe' -e '\.pif"' -e '\.com' -e '\.bat' 2>&1 \
> >> /dev/null
> exit $?
>
> Does anyone who knows more about the uuencode format have any
> suggestions for making it more restrictive in what it will flag? I was
> only working off of one example.
>
> Between this script and clamav, it looks like I should get 'em all.
> (ClamAV doesn't look at uuencoded attachments as near as I can tell.)
>
> -Luke
>
>
> On Tue, 2003-11-04 at 09:49, John Harlow wrote:
> > I have bogofilter in place which puts my spam into a separate folder,
> > but I also have put a simple shell filter in place to separate out all
> > of these bogus MS security/virus emails that come in on my accounts and
> > them as they arrive.
> >
> > The filter is just a shell and looks like this:
> >
> > cat |egrep -i "^content-"| egrep -i -e '\.exe' -e '\.pif"' -e '\.com' -e '\.bat' 2>&1 >> /dev/null
> > exit $?
> >
> > The exit code of the second egrep is the exit status of the shell.
> > (There's probably a nicer regexp that would eliminate the need for two
> > egreps, but this is at the quick & dirty stage right now.)
> >
> > My evolution filter verifies that the email has an attachment and if so,
> > runs the shell command on it. If the return is 0, it deletes the
> > message. Here is the rule.
> >
> > <rule grouping="all" source="incoming">
> > <title>VIRUS</title>
> > <partset>
> > <part name="attachments">
> > <value name="match-type" type="option" value="exist"/>
> > </part>
> > <part name="pipe">
> > <value name="command" type="command">
> > <command>/home/jrh/bin/viruscheck</command>
> > </value>
> > <value name="retval-type" type="option" value="is"/>
> > <value name="retval" type="integer" integer="0"/>
> > </part>
> > </partset>
> > <actionset>
> > <part name="delete"/>
> > <part name="stop"/>
> > </actionset>
> > </rule>
> >
> > The odd thing is that this rule is much earlier in the stack than my
> > bogofilter rule. When email is checked, these emails end up in my spam
> > folder (per bogofilter.)
> >
> > If I then select and right-click on these 'infected' emails and apply
> > filters, this filter fires and the email is deleted.
> >
> > Why would it work manually, but not when the email is being received?
> >
> > Thanks
> > John
> _______________________________________________
> evolution maillist - [EMAIL PROTECTED]
> http://lists.ximian.com/mailman/listinfo/evolution
--
Jeffrey Stedfast
Evolution Hacker - Ximian, Inc.
[EMAIL PROTECTED] - www.ximian.com
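
Added example, not part of the thread and not anyone's posted script: one way to make the uuencode match more restrictive, using the 3-or-4-digit octal mode suggested in the reply above. It goes beyond the thread in two ways that are assumptions of this example: the line after "begin" must look like uuencoded data, and folded Content-* headers are unfolded so a filename on a continuation line is still seen.

```bash
#!/bin/bash
# Added example, not code from the thread. Reads one message on stdin and
# exits 0 (flag it) or 1 (leave it), the convention the Evolution rule expects.
viruscheck() {
    awk '
    BEGIN {
        ext = "\\.(exe|pif|com|bat)"   # extension list from the thread
        for (i = 32; i <= 96; i++) ord[sprintf("%c", i)] = i
    }
    { sub(/\r$/, "") }                 # treat CRLF mail like LF mail

    # A "begin" line only counts when the next line is real uuencoded data.
    pending { pending = 0; if (uu_data($0)) { found = 1; exit } }

    # Folded continuation of a Content-* header: glue it to the header.
    /^[ \t]/ && inhdr { hdr = hdr $0; next }
    { check_hdr(); inhdr = 0 }
    tolower($0) ~ /^content-/ { hdr = $0; inhdr = 1; next }

    # uuencode header: "begin", 3 or 4 octal mode digits, then the file name.
    tolower($0) ~ ("^begin[ \t]+[0-7][0-7][0-7][0-7]?[ \t]+.*" ext "$") {
        pending = 1
    }
    END { check_hdr(); exit(found ? 0 : 1) }

    # Flag a name= or filename= parameter that ends in a listed extension.
    function check_hdr() {
        if (inhdr && tolower(hdr) ~ ("name=\"?[^\";]*" ext "\"?[ \t]*(;|$)"))
            found = 1
    }
    # Data line: length character (1..45 bytes), enough encoded characters
    # for that many bytes, and nothing outside the uuencode alphabet.
    function uu_data(s,   n) {
        if (s == "" || s ~ /[a-z{|}~]/ || !(substr(s, 1, 1) in ord)) return 0
        n = ord[substr(s, 1, 1)] - 32
        return n >= 1 && n <= 45 && length(s) - 1 >= 4 * int((n + 2) / 3)
    }
    '
}

# Constructed sample: "#0V%T" is the uuencoding of the three bytes "Cat".
sample=$(printf 'Subject: demo\n\nbegin 644 setup.exe\n#0V%%T\nend\n')
if printf '%s\n' "$sample" | viruscheck; then echo "flagged"; fi
```

A prose line such as "begin 2003 budget.com" still passes the octal test, which is why the data-line check is there; a Content-* line that merely mentions a .com address is no longer flagged.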