I think what I did this morning worked successfully. I put the following in my
/etc/procmailrc:

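 # some viruses are also not using quoted filenames. grrrr...
 # the end of line check also allows for padded spaces or tabs

 # The recipe's opening ":0" line is not in the post as archived; the B flag
 # (search the body, where the MIME part headers live) is an assumption.
 :0 B
 * .*\/name=.*\.(exe|bat|pif|com|lnk|scr|vbs)(")?(\ *|\t*)$

 # or for double extensions, only:
 #* name=.*\..*\.(exe|bat|pif|com|lnk|scr|vbs)(")?(\ *|\t*)$
 #* name=.*\.(xls|jpg|gif|mp3)\.(exe|bat|pif|com|lnk|scr|vbs)(")?(\ *|\t*)$

   # If found, log and quarantine (or delete)
   {
    # MATCH holds whatever the condition matched to the right of "\/"
    LOG="${NL}Possible virus:${NL}Matched Expression = ${MATCH}${NL}"
    # nested delivering recipe: the action goes on its own line after ":0"
    :0
    /dev/null
   }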
###########################################################

I've got a buddy of mine working on a better solution at the
moment; if that works well when I get it, I'll post it up too.

Dustin Puryear wrote:

> Spread the wealth on the list. Others may want to do this later on.
>
> At 10:35 AM 8/25/2003 -0700, you wrote:
>
>> I got it figured out now. I used a procmail filter. =)
>>
>> Dustin Puryear wrote:
>>
>>> What mail server software?
>>>
>>> At 03:30 PM 8/22/2003 -0700, you wrote:
>>>
>>>> I'm pretty new to running a real mail server on Linux, can y'all
>>>> give me some ideas on how to drop emails with offending attachments?
>>>>
>>>> god, I sound like a huge n00b.
>>>>
>>>> jason
>>>>
>>>> -ray wrote:
>>>>
>>>>> On Tuesday we started dropping all pif files since the 'our mailserver
>>>>> removed the SoBig virus from this attachment' virus messages were
>>>>> getting annoying.
>>>>>
>>>>> Here's how many we've blocked:  64575
>>>>>
>>>>> Increasing by about 20,000 a day...
>>>>>
>>>>> ray
>>>>>
>>>>>
>>>>> On Fri, 22 Aug 2003, Edmund Cramp wrote:
>>>>>
>>>>>
>>>>>
>>>>>> We're getting about 50 per day that get through our
>>>>>> SpamAssassin/Reverse lookup filter - these get 100% caught by the
>>>>>> Kaspersky AV filter in the mailserver :-))
>>>>>>
>>>>>> Oddly enough, the SpamAssassin / Reverse Lookup filter has proved
>>>>>> surprisingly effective at bouncing the mass mailing virus emails as
>>>>>> well as reducing our spam level by at least 90% - on average we reject
>>>>>> about 18,000 emails per week as spam - SoBig.f has added about 1000 to
>>>>>> this average so far this week!
>>>>>>
>>>>>> -- 
>>>>>> Edmund Cramp
>>>>>> http://www.emgsrus.com/graffiti.htm
>>>>>> "If more languages had _smite_ implemented, the remaining programmers
>>>>>> would be better than the current average."
>>>>>>  - Mike Andrews in the scary.devil.monastery
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> General mailing list
>>>>> [email protected]
>>>>> http://brlug.net/mailman/listinfo/general_brlug.net
>>>>>
>>>
>>>
>>>
>>> ---
>>> Dustin Puryear <[EMAIL PROTECTED]>
>>> Puryear Information Technology, LLC <http://www.puryear-it.com>
>>> Providing expertise in the management, integration, and
>>> security of Windows and UNIX systems, networks, and applications.
>>
>
>
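
Added example, not part of the original post and written in Python rather than procmail: the recipe's filename condition translated to a Python regex and run over constructed MIME part headers, to check which lines the filter flags and which it leaves alone. It assumes procmail's default case-insensitive matching and that `\t` was meant as a tab; the sample headers and the names `flagged`, `report` and `SAMPLES` are made up for illustration.

```python
import re

# Python translation of the recipe's condition. Assumptions: procmail's
# default case-insensitive matching, "$" anchoring at each line end, and
# "\t" meant as a tab. The procmail-only "\/" MATCH marker is dropped.
EXTS = r"(exe|bat|pif|com|lnk|scr|vbs)"
ANY_EXT = re.compile(r'name=.*\.' + EXTS + r'(")?[ \t]*$', re.I | re.M)
DOUBLE_EXT = re.compile(
    r'name=.*\.(xls|jpg|gif|mp3)\.' + EXTS + r'(")?[ \t]*$', re.I | re.M)


def flagged(mime_text, pattern=ANY_EXT):
    """Return the matched header fragments, like ${MATCH} in the LOG line."""
    return [m.group(0).rstrip() for m in pattern.finditer(mime_text)]


# Constructed sample MIME part headers (not taken from real mail).
SAMPLES = {
    "quoted": 'Content-Type: application/octet-stream; name="details.pif"',
    "unquoted_padded": "Content-Disposition: attachment; filename=movie.SCR \t",
    "double_ext": 'Content-Disposition: attachment; filename="report.xls.exe"',
    "benign": 'Content-Type: image/jpeg; name="holiday.jpg"',
    # The pattern is anchored to end of line, so these two are not flagged:
    "param_after": 'Content-Type: application/x-msdownload; name="a.exe"; x=1',
    "rfc2231": "Content-Disposition: attachment; filename*=UTF-8''setup%2Eexe",
}


def report():
    """Map each sample label to the fragments the main condition flags."""
    return {label: flagged(line) for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:16} {'BLOCK' if hits else 'pass '} {hits}")
```

The last two samples show why a filename-pattern filter is best kept as a first layer in front of an AV scanner that inspects the decoded attachment, as in the setup quoted further down the thread.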

