Re: [cobalt-security] Klez E Plague
- Subject: Re: [cobalt-security] Klez E Plague
- From: Martin Moeller <martin@xxxxxxx>
- Date: 05 Sep 2002 13:13:13 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Right, I could probably add an extra header. Somehow that thought didn't
come to me.

The thing I had imagined was that when a particular recipe matched,
besides the msg.XXXX file it would have, say, a match.XXXX file with a
line of text you define in the procmailrc file. This is of course
served pretty much as well by an X-Procmail-AV: header or something.
That requires invoking formail, right? Much like they do here:
http://alcor.concordia.ca/topics/email/auto/procmail/spam/tag.html

Procmail is certainly powerful but it is very hard to get to the
advanced stuff, I think. Matching a couple of things and dumping the
message to a predefined location is pretty easy now, but for instance
the procmail rule to return a requested file upon receipt I would not
have conceived if it wasn't in the procmail book.

My slightly modified version of that follows, to illustrate my point :)

:0
* ^Subject: send file [0-9].*/msg\..*
* !^Subject:.*Re:
* !^FROM_DAEMON
{
  MAILDIR=/home/virusdump/processed/  # chdir to the fileserver directory

  :0 fhw                              # reverse mailheader and extract name
  * ^Subject: send file \/[^ ]*
  | formail -r

  FILE="$MATCH"                       # the requested filename
  MyFROM=`formail -x to`

  :0 ah
  | cat - ./$FILE 2>&1 | /usr/sbin/sendmail -oi $MyFROM
}

I can pretty much see what's going on but would not have been able to
come up with it by myself. I think I will look into the header thing a
bit more. Thanks :)

On Wed, 2002-09-04 at 15:06, Parker Morse wrote:
> On Wednesday, September 4, 2002, at 04:26 AM, Martin Moeller wrote:
> > If anyone knows of a way to make procmail write an extra little file
> > with a custom string (like the name of the recipe) to disk when
> > quarantining, I'd like to know ;). It would be a nice extra..
>
> Charlie's the local procmail star, but this doesn't seem like it should be
> too challenging with some study. But what, exactly, are you trying to do?
> You could include a line in the headers of the quarantined message
> indicating the rule it matched. You could just output the match to the
> procmail log, which usually happens anyway, I think. Or you could generate
> a new, tiny file for each match, containing only the rule matched. (I
> expect you'd want more data than that.)
>
> Of course, this is procmail we're talking about. I've been trying to grok
> procmail for a year now and I feel like I'm no closer than I was in
> November.
>
> pjm
--
Martin Moeller
Liga LinDist ApS.
Faelledvej 16D
DK-2200 Copenhagen N
Tel: +45 35 36 95 05
Fax: +45 35 36 92 05
http://www.liga.dk
mailto: martin@xxxxxxx
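
The file-server recipe in the message above takes the file name from the Subject header and hands it to a shell pipeline, so the name needs checking before it reaches cat. The following is an added example, not part of the original post or the procmail book, showing one such check in POSIX sh; the `safe_request` function name and the `<digits>/msg.<suffix>` storage layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check a Subject-derived file
# name before a fileserver recipe passes it to cat.
# Assumptions: BASE mirrors the MAILDIR in the recipe above, and stored
# samples are laid out as <digits>/msg.<suffix>.
LC_ALL=C; export LC_ALL
BASE=${BASE:-/home/virusdump/processed}

# safe_request NAME
# Prints the resolved path and returns 0 only if NAME is a regular file
# inside $BASE that matches the expected layout; otherwise returns 1.
safe_request() {
    req=$1
    # Allowlist the character set first. This also rejects whitespace,
    # newlines and glob characters before any line-based matching.
    case $req in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    # Exact shape: a leading "/" or "-" or a ".." component cannot match.
    printf '%s\n' "$req" | grep -Eq '^[0-9]+/msg\.[A-Za-z0-9_-]+$' || return 1

    # Resolve symlinks in the directory part and require that the result
    # is still below the resolved base directory.
    base=$(cd -P -- "$BASE" 2>/dev/null && pwd -P) || return 1
    dir=$(cd -P -- "$BASE/${req%/*}" 2>/dev/null && pwd -P) || return 1
    case $dir/ in
        "$base"/*) ;;
        *) return 1 ;;
    esac
    # The file itself must be a regular file, not a symlink.
    file=$dir/${req##*/}
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    printf '%s\n' "$file"
}

# Stand-alone use: pass NAME as the first argument; prints the path or exits 1.
if [ "$#" -gt 0 ]; then
    safe_request "$1" || exit 1
fi
```

A recipe would run a check like this on the extracted name and only send the file when it succeeds, instead of interpolating `$FILE` into the pipeline directly.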