Vulnerability Development mailing list archives

Re: Sendmail vs *.vbs


From: emsi () IT PL (Mariusz Woloszyn)
Date: Mon, 8 May 2000 13:51:12 +0200


On Sun, 7 May 2000, Todd Garrison wrote:

> I was really bummed when I saw how they did it... I want to be able to
> block all *attachments* that have the string .vbs in the name - I don't
> want to rely on subject headers alone, but I haven't quite figured out
> how yet.  I played with my .mc/.cf configs in sendmail for about six
> hours trying to get it to play nice, but the problem seems to be that
> all the different mailers describe their attachments differently.  I
> must be pretty thick in the head, but the fact that I know others want
> to do the same thing and I have yet to see a filter that does it (in
> sendmail that is) bums me out.


I had no time to play with .cf, so I used procmail to filter only mail for
my local users. I put the following in my global procmailrc file:

:0 B
* jkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshf
{
        :0
        /var/spool/mail/LOVE
}

and I grabbed a lot of viruses since Friday (a few different mutations).
I'm sure it's better than blocking all mails regarding ILOVEYOU virus with
ILOVEYOU in subject!

> Any sendmail gurus out there that can help enlighten us lesser beings?

Yeah? How can I ask sendmail to look at the next Content-Type: or whatever
header that is beyond the end of the main headers? For example filename or
name. If I could do it, the following should be sufficient:

R$*$-$*                 $: $(dequote $3 $)
R$*vbs$*                $#error $: "553 I feel good."


--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland
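
The attachment-name check this thread asks for, as an added example that is not part of the original post or of sendmail/procmail: it walks every MIME part and collects the name from both Content-Disposition (filename) and Content-Type (name), including the RFC 2231 filename*= form, then refuses any name containing .vbs. The function names and both sample messages are constructed for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

BLOCKED = ".vbs"  # substring to refuse, as asked for in the thread

# The two places different mailers put an attachment's name.
NAME_PARAMS = (("content-disposition", "filename"), ("content-type", "name"))

def attachment_names(raw):
    """Return every file name declared by any MIME part of the message."""
    names = []
    for part in email.message_from_bytes(raw).walk():
        for header, param in NAME_PARAMS:
            value = part.get_param(param, header=header)
            if value is not None:
                # Handles plain, quoted and RFC 2231 (filename*=) values.
                names.append(collapse_rfc2231_value(value))
    return names

def should_block(raw):
    """True if any declared attachment name contains the blocked string."""
    return any(BLOCKED in name.lower() for name in attachment_names(raw))

# Constructed sample: one part named only via Content-Type, one only via an
# RFC 2231 encoded Content-Disposition parameter.
INFECTED = b"""\
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="Notes.TXT.VBS"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=us-ascii''memo%2Etxt%2Evbs

x
--b1--
"""

# Constructed sample: ".vbs" appears in the subject and body but not as an attachment name.
CLEAN = b"Subject: about .vbs files\nContent-Type: text/plain\n\nJust .vbs talk.\n"

if __name__ == "__main__":
    print(attachment_names(INFECTED), should_block(INFECTED), should_block(CLEAN))
```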


