
Re: [cobalt-security] Klez E Plague



Right, I could probably add an extra header. Somehow that thought didn't
come to me.

The thing I had imagined was that when a particular recipe matched,
besides the msg.XXXX file it would have, say, a match.XXXX file with a
line of text you define in the procmailrc file. This is of course
served pretty much as well by an X-Procmail-AV: header or something.
That requires invoking formail, right? Much like they do here:

http://alcor.concordia.ca/topics/email/auto/procmail/spam/tag.html

Procmail is certainly powerful but it is very hard to get to the
advanced stuff, I think. Matching a couple of things and dumping the
message to a predefined location is pretty easy now, but for instance
the procmail rule to return a requested file upon receipt I would not
have conceived if it wasn't in the procmail book.

My slightly modified version of that follows, to illustrate my point :)

:0
* ^Subject: send file [0-9].*/msg\..*
* !^Subject:.*Re:
* !^FROM_DAEMON
{
  MAILDIR=/home/virusdump/processed/ # chdir to the fileserver directory

  :0 fhw                   # reverse mailheader and extract name
  * ^Subject: send file \/[^ ]*
  | formail -r

  FILE="$MATCH"            # the requested filename
  MyFROM=`formail -x to`

  :0 ah                    # if the filter above succeeded, mail header + file
  | cat - ./$FILE 2>&1 | /usr/sbin/sendmail -oi $MyFROM
}

I can pretty much see what's going on but would not have been able to
come up with it by myself. I think I will look into the header thing a
bit more. Thanks :)

Wed, 2002-09-04 at 15:06, Parker Morse wrote:
> On Wednesday, September 4, 2002, at 04:26  AM, Martin Moeller wrote:
> > If anyone knows of a way to make procmail write an extra little file
> > with a custom string (like the name of the recipe) to disk when
> > quarantining, I'd like to know ;). It would be a nice extra..
> 
> Charlie's the local procmail star, but this doesn't seem like it should be 
> too challenging with some study. But what, exactly, are you trying to do? 
> You could include a line in the headers of the quarantined message 
> indicating the rule it matched. You could just output the match to the 
> procmail log, which usually happens anyway, I think. Or you could generate 
> a new, tiny file for each match, containing only the rule matched. (I 
> expect you'd want more data than that.)
> 
> Of course, this is procmail we're talking about. I've been trying to grok 
> procmail for a year now and I feel like I'm no closer than I was in 
> November.
> 
> pjm
-- 

Martin Moeller
Liga LinDist ApS.
Faelledvej 16D
DK-2200  Copenhagen N
Tel: +45 35 36 95 05
Fax: +45 35 36 92 05

http://www.liga.dk
mailto: martin@xxxxxxx
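
The file-return recipe in the message above builds `./$FILE` from the Subject header, so the requested name is worth checking before the `cat` step. The following is an added example, not part of the original post: a POSIX shell check that assumes quarantined files are named `<digits>/msg.<suffix>` under the recipe's MAILDIR; the function names `valid_request` and `serve_path` are hypothetical.

```shell
#!/bin/sh
# Added example: validate a name taken from "Subject: send file <name>".
# Assumed layout (hypothetical): <digits>/msg.<suffix> below the base directory.

# valid_request NAME -> exit 0 if NAME has the expected shape, 1 otherwise
valid_request() {
  name=$1
  case $name in
    ''|/*|-*)            return 1 ;;  # empty, absolute path, or option-like
    *..*)                return 1 ;;  # any ".." (parent-directory reference)
    *[!A-Za-z0-9./_-]*)  return 1 ;;  # anything outside a conservative charset
  esac
  dir=${name%%/*}
  file=${name#*/}
  [ "$dir" != "$name" ] || return 1            # needs a directory part
  case $file in */*) return 1 ;; esac          # exactly one "/" allowed
  case $dir in ''|*[!0-9]*) return 1 ;; esac   # directory: digits only
  case $file in msg.?*) return 0 ;; esac       # file: msg.<non-empty suffix>
  return 1
}

# serve_path BASE NAME -> print BASE/NAME only for a valid name that is an
# existing regular file and not a symlink; exit 1 otherwise
serve_path() {
  base=$1
  name=$2
  valid_request "$name" || return 1
  path=$base/$name
  [ -f "$path" ] && [ ! -L "$path" ] || return 1
  printf '%s\n' "$path"
}

# Constructed sample requests (not taken from the original post)
for req in 20020904/msg.AbCd ../msg.x 1/../../etc/msg.conf /etc/passwd 2002/sub/msg.a
do
  if valid_request "$req"; then
    echo "accept $req"
  else
    echo "reject $req"
  fi
done
```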