[Techtalk] Procmail spam recipes (was simple mail filtering via whitelist)

Conor Daly conor.daly at oceanfree.net
Tue Mar 9 23:38:05 EST 2004


On Mon, Mar 08, 2004 at 04:31:22PM -0800 or so it is rumoured hereabouts, 
Akkana Peck thought:
> 
> I could grep the body of the message, but grep isn't smart enough to
> pick out patterns like
> 
> Content-Type: application/octet-stream;
>         name="document.pif"
> 
> where the filename is on a different line from Content-Type.

# <message> is the mail file to test; -A1 also prints the line after the
# match, which is where the folded name= parameter lives.
LINE=`grep -A1 application/octet-stream <message>`
# Quote $LINE so the two lines reach grep as given; escape the dot and
# cover all three extensions that the message below claims to detect.
echo "$LINE" | grep -Eiq '\.(pif|exe|scr)'
if [ $? -eq 0 ]; then
echo "One of .pif, .exe, .scr file extensions detected.  Probably virus"
fi

works for me.  I copied the text above to 'cdtest' and did:

[cdaly at valkerie cdaly]$ grep -A1 application/octet-stream cdtest
Content-Type: application/octet-stream;
        name="document.pif"

[cdaly at valkerie cdaly]$ LINE=`grep -A1 application/octet-stream cdtest`

[cdaly at valkerie cdaly]$ echo $LINE
Content-Type: application/octet-stream; name="document.pif"

[cdaly at valkerie cdaly]$ echo $LINE | grep '.pif'
Content-Type: application/octet-stream; name="document.pif"

[cdaly at valkerie cdaly]$ echo $?
0

This assumes GNU grep.  It won't necessarily work with other greps.

BTW, the following mail to ilug at linux.ie gives one method to test an
attached zip file to see if it's encrypted.  I haven't tested it myself,
not having a bagle virus available to test on...

----------------------------------
Hi,
Has anyone got a way of getting exim 3.36/exiscan/clamav to detect and
drop the encrypted zip files that W32/Bagle.j at MM et al are so fond of
using?  So far I've managed to ascertain that the following will output a
capital letter if a zip file is encrypted: if

zipinfo $Z | grep exe$ | perl -pe's/ +/ /g' | cut -d\  -f5 | cut -b1

So if I had a way to run that on the mail and if the output is between 65
and 90 on the ASCII table - drop the mail.
----------------------------------


Conor
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
 10:35pm  up 138 days, 15:43,  0 users,  load average: 0.00, 0.00, 0.00
Hobbiton.cod.ie
 10:27pm  up 138 days, 15:31,  1 user,  load average: 0.03, 0.05, 0.00
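As an added illustration (not Conor's code nor anything from the thread), the same two checks done on a parsed MIME message in Python: the email module unfolds the continuation line carrying name=, so no grep -A1 trick is needed, and the zip encryption bit is read from the archive's own headers instead of from zipinfo's output. The message and the zip below are constructed for the example; the zip's encryption flag is set by hand because Python cannot write encrypted archives.

```python
import base64, email, io, os, zipfile
from email import policy

RISKY_EXTENSIONS = {".pif", ".exe", ".scr"}  # the post's "probably virus" set
def encrypted_zip_members(data: bytes) -> list[str]:
    # Flag bit 0 of a member is its encryption bit (zipinfo's uppercase T/B).
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]

def attachment_verdict(name: str, payload: bytes) -> str:
    ext = os.path.splitext(name)[1].lower()
    if ext in RISKY_EXTENSIONS:
        return "risky-extension"
    if ext != ".zip":
        return "ok"
    try:
        return "encrypted-zip" if encrypted_zip_members(payload) else "ok"
    except zipfile.BadZipFile:  # a .zip that is not a zip deserves a look too
        return "unreadable-zip"

def classify_attachments(raw: bytes) -> list[tuple[str, str]]:
    # The parser unfolds continuation lines, so a name= parameter on the
    # line after Content-Type is found without the grep -A1 trick.
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = [(p.get_filename() or "", p.get_payload(decode=True) or b"") for p in msg.iter_attachments()]
    return [(name, attachment_verdict(name, data)) for name, data in parts]

def constructed_encrypted_zip() -> bytes:
    # Constructed sample: zipfile cannot write encrypted archives, so the
    # encryption flag is set by hand in the local and central headers.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"constructed payload, not a program")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        data[i + off:i + off + 2] = b"\x01\x00"
    return bytes(data)

def constructed_message() -> bytes:
    # Constructed message: the thread's folded Content-Type plus a zip part.
    zip_b64 = base64.b64encode(constructed_encrypted_zip()).decode()
    return (
        'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="XX"\r\n'
        "\r\n--XX\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n--XX\r\n"
        'Content-Type: application/octet-stream;\r\n        name="document.pif"\r\n'
        "Content-Disposition: attachment\r\nContent-Transfer-Encoding: base64\r\n"
        "\r\nbm90IGEgcHJvZ3JhbQ==\r\n--XX\r\nContent-Type: application/zip;"
        ' name="archive.zip"\r\nContent-Disposition: attachment\r\n'
        f"Content-Transfer-Encoding: base64\r\n\r\n{zip_b64}\r\n--XX--\r\n"
    ).encode()
```

In a procmail recipe this would sit behind a `|` filter action that exits non-zero for anything other than "ok".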

