Re: [SLUG] regex

From: Paul M Foster (paulf@quillandmouse.com)
Date: Mon May 20 2002 - 21:09:30 EDT


On Mon, May 20, 2002 at 05:44:58PM -0700, Bob File wrote:

> On Sunday 19 May 2002 05:01 pm, Paul M Foster wrote:
>
> > BTW, thanks for posting this. My wife and I have been getting a lot of
> > email with large mime-encoded attachments. She runs Windows, but not
> > Outlook or like products, so she's had no "infections" from this. I run
>
> Hey, thanks for the verification and test! Now I get to find out if exchange
> will do regular expressions. If not, the firewall box is a Sun box of some
> sort, and I bet it will.
> BTW there was one other procmail filter that looked like it should work well:
> :0 B
> *^Content-Type: (application|audio)
> *^.*name=.*\.(vb[esx]|jse?|ws[hf]|c[ho]m|bat|cmd|shb|hta|exe|lnk|pif|scr|shs)
> /dev/null
>

Unless your firewall is also running your MTA, you can't make it block
this kind of mail. Typically you don't run any services on a firewall,
for obvious reasons. In that case, the firewall doesn't actually know
whether a packet passing through it is email or something else. This
kind of filtering is only possible on the box that runs your MTA, since
that box actually decodes packets to assemble into mail messages, and
checks email content.

However, even if Exchange won't do regexps, I imagine that if you take
the ^ and $ off, you won't get too many false positives. That's a long
line of text that's unlikely to be duplicated in anything other than
klez-infected email (that line is way down in the middle of the
mime-encoded payload executable). You could always shunt that mail over
to a folder and examine it at your leisure, to check for "safe" emails.

> I changed /dev/null to a mailbox name to see what I would catch. So far, just
> a few. My ISP is using Linux, so they may be doing some filtering for me just
> to keep mail traffic manageable, dunno. I also changed the klez line in
> .procmail to:
>
> :0 B
> *^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi 0SODIlEjwyLRI4IiUSPCItE$
> klez
>

Change to:

:0 B:
*^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE$
klez

Note the colon after the B, and remove the space from your regex. I had
a klez slip through today because of that space.

Paul
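As an added example (not code from this thread), the Python below emulates how the conditions of a `:0 B` recipe are tested against a message body, using the two recipes quoted above and two constructed sample messages; it shows the signature line with the stray space missing the Klez message while the corrected line catches it, and that the unanchored line still matches. It assumes procmail's documented defaults (`^`/`$` match at line boundaries, matching is case-insensitive without the `D` flag).

```python
import re

# Constants from the thread: the corrected Klez body signature line, and the
# same condition with the stray space that let a message slip through.
KLEZ_SIG = "135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"
FIXED_COND = "^" + KLEZ_SIG + "$"
BROKEN_COND = "^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi 0SODIlEjwyLRI4IiUSPCItE$"

# The two conditions of the attachment-extension recipe quoted in the thread.
ATTACH_CONDS = [
    r"^Content-Type: (application|audio)",
    r"^.*name=.*\.(vb[esx]|jse?|ws[hf]|c[ho]m|bat|cmd|shb|hta|exe|lnk|pif|scr|shs)",
]

# Constructed sample messages (not real mail): a Klez-style message whose
# base64 .exe part contains the signature line, and a benign PDF report.
KLEZ_MAIL = (
    "Subject: a funny game\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\n\n'
    '--XYZ\nContent-Type: application/octet-stream; name="game.exe"\n'
    "Content-Transfer-Encoding: base64\n\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    + KLEZ_SIG + "\n--XYZ--\n"
)
BENIGN_MAIL = (
    "Subject: report\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="ABC"\n\n'
    '--ABC\nContent-Type: application/pdf; name="report.pdf"\n\n'
    "JVBERi0xLjQK\n--ABC--\n"
)

def body_of(msg: str) -> str:
    """What the B flag matches against: everything after the first blank line,
    so the headers of embedded MIME parts are included."""
    return msg.partition("\n\n")[2]

def condition_matches(cond: str, msg: str) -> bool:
    """Emulate one procmail condition: ^ and $ match at line boundaries, and
    matching is case-insensitive unless the recipe sets the D flag."""
    return re.search(cond, body_of(msg), re.MULTILINE | re.IGNORECASE) is not None

def recipe_matches(conds: list, msg: str) -> bool:
    """A recipe fires only when every one of its conditions matches."""
    return all(condition_matches(c, msg) for c in conds)

def klez_outcomes(msg: str) -> dict:
    """Compare the broken, fixed and unanchored signature lines on one message."""
    return {
        "with_space": recipe_matches([BROKEN_COND], msg),
        "fixed": recipe_matches([FIXED_COND], msg),
        "unanchored": recipe_matches([KLEZ_SIG], msg),
    }
```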



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:03:21 EDT