See the following. This works with Unix Sendmail and Perl.
http://www.wolfenet.com/~jhardin/procmail-security.html
http://www.nuc.berkeley.edu/help/Mail/mail-filter.html
At 01:24 PM 05/19/2000 -0700, Mark Phillips wrote:
>Hi there fellow sysadmins -
>
>
> So, has anyone come up with a *working* attachment filter for
> Sendmail, one that can be configured to filter out .vbs attachments?
>
> This will work better than a filter per subject, if it can be
> re-written to work properly. This would really help since the new virus
> changes the subject randomly...
>
> The web page I got this from is
> ftp://ftp.enteract.com/users/schwager/ , I originally found it at about
> 4:30 this morning :( at comp.mail.sendmail :) The original version Mr.
> Schwager wrote has much better comments, I just sent the code for
> example's sake.
>
> If anyone can figure out why this particular ruleset isn't
> working the right way, I'm sure we will all be better off the next time
> around, or at least until writing .vbs worms isn't in vogue anymore...
> Many of the recent postings to comp.mail.sendmail comes from people
> trying to figure out the right way to filter based on attachment, but so
> far nothing has been developed yet.
>
>
> - Mark Phillips -
> Haas School of Business
>
>
>################ .vbs attachment fixer ###############################
>
>Kquotetoplus dequote -s+
>HContent-Type: $>CheckContent
>
>D{ChkPrfx1}application / octet-stream ; name=
>D{ChkPat1}.vbs
>D{ChkMsg1}REJECT- This message may contain a virus in the attached script.
>D{ChkMsg2}REJECT- This multipart message was rejected.
>
>SCheckContent
>
>R${ChkPrfx1} $* $: <CHK> <1> $1
>R$* $: $(quotetoplus $1 $)
>R<CHK> <1> $* ${ChkPat1} $* $# error $@ 5.7.1 $: 553 ${ChkMsg1}
>
>
>### don't forget about the \tabs in the previous three lines !!! ###
>###################### end .vbs fix ##################################
>
>
>------------------------------------------------------------------------
>The following was automatically added to this message by the list server:
>
>For information about Micronet, its meetings and events, and its
>mailing list, including information on subscribing and unsubscribing,
>see the Micronet Web site at <URL:http://wss-www.berkeley.edu/micronet/>.
Bill Hebert KE5DC System Administrator
Department of Nuclear Engineering University of California at Berkeley
510-642-1021 bhebert@nuc.berkeley.edu
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAzTSOtkAAAEEAMMTahRxGqiEpjd60CxUHenhH/g1Fl5FIhN+QxqBtW8AXsG5
ghm1PUft5/x3A8/VvAvDowkNVafN880iTNW8X/1YK2Ow5CbL0YSelgyURKbG692V
UHnqu+c9s/P8yNWmZo1G6ke4NCPZYesbSAwvjzihSReap91Dt8OT/p4cEbFpAAUR
tCZCaWxsIEhlYmVydCA8YmhlYmVydEBudWMuYmVya2VsZXkuZWR1Pg==
=hmMR
-----END PGP PUBLIC KEY BLOCK-----
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the Micronet Web site at <URL:http://wss-www.berkeley.edu/micronet/>.
This archive was generated by hypermail 2b29 : Fri May 19 2000 - 14:17:31 PDT