North American Network Operators Group


Re: Anybody patching Sendmail to filter _attachments_?

  • From: Bennett Todd
  • Date: Mon May 08 14:06:16 2000

2000-05-08-12:49:54 Bill Woodcock:
> ...as opposed to just by subject line?

I've come up with a solution I'm using. At the moment I've only got
a procmail wrapper style filter, i.e. it's an LDA, so it only fixes
local deliveries. I'm hoping to figure out a way to filter
everything passing through, but at the moment I'm using Postfix, and
it doesn't make that easy. I'm considering switching back to qmail
in hopes that the exercise is less painful there.

My filter pulls in the first up-to-1MB (configurable) of the
message, and then hits the entire thing with each pattern specified
in a file full of PCRE regexps, in case-insensitive multiline match
mode. So the first of my two current patterns:

^Content-(?:Type|Disposition): (?:.|\n\s)*name=("?)[^"]+\.(?:vbs|wsf|vbe|wsh|hta)\1
^begin \d+ \S+\.(?:vbs|wsf|vbe|wsh|hta)$

can catch the MIME attachments, even though the Content- and the
filename extension vbs occur on different lines, and the whole thing
is in the message body somewhere.

Messages that are too long to scan this way, or that match any of
the patterns, are set aside for a separate daemon to process. That
daemon (written in perl) re-tries the patterns on paragraphs of the
file. Confirmed matches get quoted with "> " to keep Outlook from
biting, and copies are saved for later analysis; messages that don't
match the second check are passed through unchanged.

The concept here is to pass through the vast majority of traffic
with minimal server performance hit, and only spend more effort on
the nasty few. Seems to be working OK at the moment.

I'll be happy to email my code to anyone who wants it. Once I can
slow down and get back to routine stuff, I'll probably put it up on
sourceforge.

-Bennett

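The two-stage filter described in the post, re-implemented as an added example in Python. This is not Bennett's code (his is a procmail wrapper plus a perl daemon, neither of which is on this page); only the two regexps are taken from the post unchanged, since Python's re module accepts this PCRE subset (non-capturing groups, the \1 backreference, ^ and $ in multiline mode). The function names (quick_scan, neutralize, filter_message), the 1 MB scan window constant and the three sample messages are assumptions of mine, and the messages are constructed, not captured.

```python
import re

# Fast path scans only the leading part of a message (the post uses 1 MB).
SCAN_LIMIT = 1 << 20

# The two patterns from the post, verbatim. Pattern 1 catches a MIME part whose
# name= parameter may sit on a folded continuation line; pattern 2 catches a
# uuencoded file by its "begin <mode> <name>" line.
PATTERNS = [
    r'^Content-(?:Type|Disposition): (?:.|\n\s)*name=("?)[^"]+\.(?:vbs|wsf|vbe|wsh|hta)\1',
    r'^begin \d+ \S+\.(?:vbs|wsf|vbe|wsh|hta)$',
]
COMPILED = [re.compile(p, re.IGNORECASE | re.MULTILINE) for p in PATTERNS]


def quick_scan(message: bytes, limit: int = SCAN_LIMIT) -> str:
    """Stage 1, the cheap per-delivery check (the LDA side).

    Returns 'pass' (deliver unchanged), 'suspect' (some pattern hit) or
    'too_long' (bigger than the scan window). The latter two go to stage 2.
    """
    if len(message) > limit:
        return 'too_long'
    text = message.decode('latin-1')  # byte-transparent, never raises
    return 'suspect' if any(p.search(text) for p in COMPILED) else 'pass'


def _quote(paragraph: str) -> str:
    """Prefix every line with '> ' so no part header or uuencode 'begin' line
    starts at column 0 any more; the client then treats it as ordinary text."""
    return ''.join('> ' + line for line in paragraph.splitlines(keepends=True))


def neutralize(message: bytes) -> tuple[bytes, int]:
    """Stage 2, the daemon side: re-run the patterns paragraph by paragraph
    (blank-line separated) and quote only the paragraphs that really match.

    Returns the possibly rewritten message and the number of paragraphs quoted;
    0 means no confirmed match and the message is passed through unchanged.
    """
    text = message.decode('latin-1')
    # The capturing group keeps each blank-line separator at an odd index, so
    # ''.join(parts) reassembles the message byte-for-byte where nothing matched.
    parts = re.split(r'(\n(?:[ \t\r]*\n)+)', text)
    hits = 0
    for i in range(0, len(parts), 2):
        if any(p.search(parts[i]) for p in COMPILED):
            parts[i] = _quote(parts[i])
            hits += 1
    return ''.join(parts).encode('latin-1'), hits


def filter_message(message: bytes, limit: int = SCAN_LIMIT) -> tuple[bytes, int]:
    """Whole pipeline: fast path first, slow path only for suspects and oversize mail."""
    if quick_scan(message, limit) == 'pass':
        return message, 0
    return neutralize(message)


# Constructed sample 1: two-part MIME message carrying a .vbs attachment whose
# name= parameter is on a folded (tab-indented) continuation line.
VBS_MESSAGE = b"""From: sender@example.com
To: victim@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please see the attached invoice.

--XX
Content-Type: application/octet-stream;
\tname="invoice.txt.vbs"
Content-Disposition: attachment;
\tfilename="invoice.txt.vbs"
Content-Transfer-Encoding: base64

c2V0IGZzbz1jcmVhdGVvYmplY3QoIlNjcmlwdGluZy5GaWxlU3lzdGVtT2JqZWN0Iik=

--XX--
"""

# Constructed sample 2: a plain message that merely talks about a .vbs file.
CLEAN_MESSAGE = b"""From: colleague@example.com
Subject: notes

Please find the report attached as report.pdf; the old invoice.vbs
script was retired last year.
"""

# Constructed sample 3: a uuencoded script in the body (payload line is filler).
UUENCODED_MESSAGE = b"""From: sender@example.com
Subject: script

Here it is:

begin 644 invoice.vbs
M<V5T(&9S;STO8W)E871E;V)J96-T*")38W)I<'1I;F<N1FEL95-Y<W1E;4]B
`
end
"""

if __name__ == '__main__':
    for name, msg in [('vbs', VBS_MESSAGE), ('clean', CLEAN_MESSAGE), ('uu', UUENCODED_MESSAGE)]:
        out, hits = filter_message(msg)
        print(f'{name}: stage1={quick_scan(msg)} quoted_paragraphs={hits}')
```

Two things worth noticing when running it. The first sample's part headers share a paragraph with the "--XX" boundary line above them, so that line is quoted as well and the part collapses into the preceding text; the base64 body below the blank line matches nothing and is left alone. The clean sample passes stage 1 untouched even though "invoice.vbs" appears in its text, because both patterns are anchored to a line-initial Content- header or begin line, not to the bare filename.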