[Esa-l] Stopping Hybris via. global /etc/procmailrc

John D. Hardin jhardin at wolfenet.com
Mon Jan 8 21:10:05 PST 2001

On Mon, 8 Jan 2001, Brett Glass wrote:

> What I'd prefer to the recipe you posted is something that hooks into 
> the existing quarantining mechanism; -- a way of creating "add-on"
> filters that use the same variables I've set up for John's sanitizer. So,
> if I've defined a quarantine file or a person to notify in /etc/procmailrc, 
> the message can be sent there without more programming. I'd also like
> to keep the recipe in a separate file, so that things are modular.

Hmmm.... {tinkers a bit}

The notification and quarantine responses key off X-Content-Security
headers inserted into the message. Here's one possible way to do what
you want:

Put the following into (say) /etc/procmail/local-rules.procmail

# Detect Hybris when sent as an anonymous message.
# Outer recipe: size window, no Subject: header, and the tell-tale
# multipart boundary prefix. A nested recipe needs a { } block, which
# the original draft left out.
:0 i
* > 31000
* < 36000
* !^Subject:
* ^Content-Type: multipart/mixed; boundary="--VE
{
	# Inner recipe: match against the body (B), then filter only the
	# header (hf) through formail to add the X-Content-Security markers
	# that the sanitizer's notify/quarantine logic keys off.
	:0 B hf
	* ^Content-Type: text/plain; charset="us-ascii"
	* ^Content-Disposition:.*\.EXE
	* ^Content-Type:.*\.EXE
	* ^SiXLG3Lv\+wdKT1hwcrOTfD7rduGAY5LvseJ7
	| formail -A "X-Content-Security: NOTIFY" \
	          -A "X-Content-Security: QUARANTINE" \
	          -A "X-Content-Security: REPORT: Anonymous Hybris"
}

Then change /etc/procmailrc to be:


If local-rules detects something and inserts X-Content-Security
headers, the sanitizer will quarantine/notify/etc. the message.

(untested, of course)

Comments solicited.
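An added illustration, not from John's post or from the sanitizer itself: a Python emulation of the recipe's two stages (all outer conditions, then all body conditions) and of the formail tagging step, plus the read-back a header-driven quarantine/notify stage would do. The message is constructed (the boundary suffix, addresses and filler padding are made up); the size window, header and body patterns are the ones the recipe uses.

```python
import re

# Constructed sample (not a real capture) shaped like the anonymous message the
# recipe describes; FILLER pads it into the 31000-36000 byte window.
FILLER = ("A" * 76 + "\n") * 420
SAMPLE_MESSAGE = (
    "From: nobody@example.invalid\n"
    'Content-Type: multipart/mixed; boundary="--VE1234"\n'
    "\n"
    "----VE1234\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "\n"
    "----VE1234\n"
    'Content-Type: application/octet-stream; name="SETUP.EXE"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="SETUP.EXE"\n'
    "\n"
    "SiXLG3Lv+wdKT1hwcrOTfD7rduGAY5LvseJ7\n" + FILLER +
    "----VE1234--\n"
)

def is_anonymous_hybris(raw):
    """All conditions of the outer recipe, then all of the inner (B) recipe."""
    head, _, body = raw.partition("\n\n")
    outer = (31000 < len(raw.encode()) < 36000
             and not re.search(r"^Subject:", head, re.M)
             and re.search(r'^Content-Type: multipart/mixed; boundary="--VE', head, re.M))
    if not outer:
        return False
    body_rules = [r'^Content-Type: text/plain; charset="us-ascii"',
                  r"^Content-Disposition:.*\.EXE",
                  r"^Content-Type:.*\.EXE",
                  r"^SiXLG3Lv\+wdKT1hwcrOTfD7rduGAY5LvseJ7"]
    return all(re.search(rule, body, re.M) for rule in body_rules)

def tag_message(raw):
    """Equivalent of the recipe's `formail -A` action: append the marker headers."""
    if not is_anonymous_hybris(raw):
        return raw
    head, _, body = raw.partition("\n\n")
    head += ("\nX-Content-Security: NOTIFY"
             "\nX-Content-Security: QUARANTINE"
             "\nX-Content-Security: REPORT: Anonymous Hybris")
    return head + "\n\n" + body

def security_actions(raw):
    """The sanitizer's side: the actions the X-Content-Security headers request."""
    return re.findall(r"^X-Content-Security: (.*)$", raw.partition("\n\n")[0], re.M)
```

A message that carries a Subject: header, or falls outside the size window, passes through untagged and so triggers no sanitizer action.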

