[Esa-l] Stopping Hybris via. global /etc/procmailrc

John D. Hardin jhardin at wolfenet.com
Mon Jan 8 21:10:05 PST 2001

On Mon, 8 Jan 2001, Brett Glass wrote:

> What I'd prefer to the recipe you posted is something that hooks into 
> the existing quarantining mechanism; -- a way of creating "add-on"
> filters that use the same variables I've set up for John's sanitizer. So,
> if I've defined a quarantine file or a person to notify in /etc/procmailrc, 
> the message can be sent there without more programming. I'd also like
> to keep the recipe in a separate file, so that things are modular.

Hmmm.... {tinkers a bit}

The notification and quarantine responses key off X-Content-Security
headers inserted into the message. Here's one possible way to do what
you want:

Put the following into (say) /etc/procmail/local-rules.procmail

# Detect Hybris when sent as an anonymous message.
# Outer recipe: whole-message size window, no Subject: header, and the
# multipart boundary prefix used by the worm. All conditions must match.
:0 i
* > 31000
* < 36000
* !^Subject:
* ^Content-Type: multipart/mixed; boundary="--VE
{
	# Inner recipe (B = match against the body): require the MIME part
	# headers of the .EXE attachment plus a known base64 fragment, then
	# filter the header only (h f) through formail, which appends the
	# X-Content-Security tags the sanitizer keys its responses off.
	:0 B hf
	* ^Content-Type: text/plain; charset="us-ascii"
	* ^Content-Disposition:.*\.EXE
	* ^Content-Type:.*\.EXE
	* ^SiXLG3Lv\+wdKT1hwcrOTfD7rduGAY5LvseJ7
	| formail -A "X-Content-Security: NOTIFY" \
	          -A "X-Content-Security: QUARANTINE" \
	          -A "X-Content-Security: REPORT: Anonymous Hybris"
}

Then change /etc/procmailrc to be:


If local-rules detects something and inserts X-Content-Security
headers, the sanitizer will quarantine/notify/etc. the message.

(untested, of course)

Comments solicited.

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  It's easy to be noble with other people's money.
                                  -- John McKay, _The Welfare State:
                                     No Mercy for the Middle Class_
   1394 days until the Presidential Election
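An added example, not part of John Hardin's post or of his sanitizer: the conditions of the local-rules recipe above re-implemented in Python so the detection logic can be exercised offline before the recipe goes into a live /etc/procmailrc. It assumes procmail's default case-insensitive regexp matching and models `formail -A` as "append the header at the end of the header block". The sample message it builds is constructed filler shaped like the recipe's target (the attachment payload is repeated base64 "AAAA", not executable content), and the helper names (`matches_hybris_rule`, `tag_message`, `security_actions`, `build_sample`) are this example's own.

```python
# Added example, not from the original post: a Python model of the
# local-rules.procmail conditions, so the logic can be tested offline.
# Assumptions: procmail's default case-insensitive matching (re.I) and
# formail -A semantics (append the header at the end of the header block).
# The sample message built below is constructed filler, not a real specimen.
import re

# Conditions copied from the recipe
MIN_SIZE, MAX_SIZE = 31000, 36000
HEADER_REQUIRED = r'^Content-Type: multipart/mixed; boundary="--VE'
HEADER_FORBIDDEN = r'^Subject:'
BODY_REQUIRED = [
    r'^Content-Type: text/plain; charset="us-ascii"',
    r'^Content-Disposition:.*\.EXE',
    r'^Content-Type:.*\.EXE',
    r'^SiXLG3Lv\+wdKT1hwcrOTfD7rduGAY5LvseJ7',
]
# Headers formail -A appends; the sanitizer keys its responses off these
TAGS = ['NOTIFY', 'QUARANTINE', 'REPORT: Anonymous Hybris']
# ^ anchors each line; procmail regexps are case-insensitive unless flag D is set
FLAGS = re.M | re.I


def split_message(raw: bytes):
    """Header block and body, split at the first blank line (RFC 822 layout)."""
    head, _, body = raw.partition(b'\n\n')
    return head.decode('latin-1'), body.decode('latin-1')


def matches_hybris_rule(raw: bytes) -> bool:
    """True when every condition of the outer and the inner (B) recipe holds."""
    if not (MIN_SIZE < len(raw) < MAX_SIZE):          # * > 31000 and * < 36000
        return False
    head, body = split_message(raw)
    if re.search(HEADER_FORBIDDEN, head, FLAGS):       # * !^Subject:
        return False
    if not re.search(HEADER_REQUIRED, head, FLAGS):    # boundary prefix check
        return False
    return all(re.search(p, body, FLAGS) for p in BODY_REQUIRED)


def tag_message(raw: bytes) -> bytes:
    """Model of `formail -A ...` run as a header filter (flags h f): append the
    X-Content-Security headers, leave the body byte-for-byte unchanged."""
    if not matches_hybris_rule(raw):
        return raw
    head, _, body = raw.partition(b'\n\n')
    extra = b''.join(b'X-Content-Security: ' + t.encode('ascii') + b'\n' for t in TAGS)
    return head + b'\n' + extra + b'\n' + body


def security_actions(raw: bytes) -> list:
    """The X-Content-Security values a downstream sanitizer recipe would act on."""
    head, _ = split_message(raw)
    return re.findall(r'^X-Content-Security: (.*)$', head, re.M)


def build_sample(subject=None, pad=31500) -> bytes:
    """Constructed test message shaped like the recipe's target; the attachment
    payload is base64 filler ('AAAA...'), not executable content."""
    head = 'From: someone@example.invalid\nTo: victim@example.invalid\n'
    if subject is not None:
        head += 'Subject: %s\n' % subject
    head += 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="--VE1234"\n\n'
    filler = ('QUFB' * 19 + '\n') * (pad // 77)   # 76-char base64 lines
    body = ('----VE1234\n'
            'Content-Type: text/plain; charset="us-ascii"\n\n\n'
            '----VE1234\n'
            'Content-Type: application/octet-stream; name="FILE.EXE"\n'
            'Content-Transfer-Encoding: base64\n'
            'Content-Disposition: attachment; filename="FILE.EXE"\n\n'
            'SiXLG3Lv+wdKT1hwcrOTfD7rduGAY5LvseJ7\n')
    body += filler + '----VE1234--\n'
    return (head + body).encode('ascii')


if __name__ == '__main__':
    print(security_actions(tag_message(build_sample())))
    print(security_actions(tag_message(build_sample(subject='hi'))))
```

Two points the model makes visible: procmail ANDs every `*` condition, so a message that carries a Subject: header or falls outside the 31000-36000 byte window is left alone even if the body signature is present, and the default matching is case-insensitive, so `.EXE` also catches `.exe`. The Python is a way to check the conditions against captured samples; the live filtering still belongs to the recipe.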
