Re: [IMail Forum] Check for certain attachments

Tue, 09 May 2000 06:09:28 -0700 


Ralf,

(repeat of a message sent 5/8/00)

Here are the two different rules that I've used (with
acknowledgements to Marius Gaudin):

1. To simply DELETE any message with a  .vbs  attachment, this is
the rule that I used (until Sunday afternoon):

     B~filename4=".*\.vbs":NUL

(remove the digit "4" from the line above).

2. But then I got curious about how many .vbs files I was catching,
so I switched to this procedure:  to FORWARD any message with a 
.vbs  attachment to a mailbox named VIRUS in an email account named
TRAPPED, this is the rule that I'm using (since Sunday afternoon):

     B~filename4=".*\.vbs":virus

(remove the digit "4" from the line above).

Before creating the rule in #2, I created a text file (in \IMail)
with ONLY this line (cr/lf at end):

     [EMAIL PROTECTED]

(substituting YOUR domain name, of course).  I saved the file as
VIRUS.FWD, and copied it to the "root" of every user's directory
EXCEPT for the TRAPPED directory (acknowledgements to Kirk
Mitchell).

To see what I've "caught" in the TRAPPED account, I log in as
TRAPPED and check the VIRUS folder.  Voila!  The live I-LOVE-YOU
.vbs virus that I sent (from one of my non-IMail mail servers) to
three different users' accounts are all safely tucked away in the
VIRUS mailbox of the TRAPPED account... and a check of the three
users' accounts shows that NOTHING went to their accounts.  The
other  .vbs  traffic is also safely nestled in TRAPPED's VIRUS
mailbox.

Both #1 and #2 work like a charm on my system... and are catching
virus laden messages as we "speak" (though I'm only using #2 at this
point).  I've deleted all other rules related to text content in the
I-LOVE-YOU strain (hyphens intentionally inserted).

My  rules.ima  file is in  \IMail

Gordon

----
Ralf Wilck wrote:
> 
> Hi,
> 
> is there a way to expand the rules for checking any attachements? I want to
> send all emails with *.vbs attachements to the NUL mailbox.
> 
> Ralf
> 
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
Please visit http://www.ipswitch.com/support/mailing-lists.html 
to be removed from this list.

Reply via email to