
2000-05-08-12:49:54 Bill Woodcock:
...as opposed to just by subject line?
I've come up with a solution I'm using. At the moment I've only got a procmail wrapper style filter, i.e. it's an LDA, so it only fixes local deliveries. I'm hoping to figure out a way to filter everything passing through, but at the moment I'm using Postfix, and it doesn't make that easy. I'm considering switching back to qmail in hopes that the exercise is less painful there.

My filter pulls in the first up-to-1MB (configurable) of the message, and then hits the entire thing with each pattern specified in a file full of PCRE regexps, in case-insensitive multiline match mode. So the first of my two current patterns:

    ^Content-(?:Type|Disposition): (?:.|\n\s)*name=("?)[^"]+\.(?:vbs|wsf|vbe|wsh|hta)\1
    ^begin \d+ \S+\.(?:vbs|wsf|vbe|wsh|hta)$

can catch the MIME attachments, even though the Content- and the filename extension vbs occur on different lines, and the whole thing is in the message body somewhere.

Messages that are too long to scan this way, or that match any of the patterns, are set aside for a separate daemon to process. That daemon (written in perl) re-tries the patterns on paragraphs of the file. Confirmed matches get quoted with "> " to keep Outlook from biting, and copies are saved for later analysis; messages that don't match the second check are passed through unchanged. The concept here is to pass through the vast majority of traffic with minimal server performance hit, and only spend more effort on the nasty few.

Seems to be working OK at the moment. I'll be happy to email my code to anyone who wants it. Once I can slow down and get back to routine stuff, I'll probably put it up on sourceforge.

-Bennett
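The two-stage scan Bennett describes, as an added Python example; this is not his procmail/perl code (which he offers by email and is not on this page). The two regexps are the ones quoted in the post, run with Python's re in case-insensitive multiline mode, which is enough for these patterns (they use no PCRE-only features). Everything else is an assumption made here: the sample messages are constructed, "too long" is taken to mean larger than the 1MB limit, and the paragraph rule is a split on blank lines.

```python
import re

# Added example, not the original filter. The two regexps are the ones quoted
# in the post; sample messages, the paragraph rule and return values are
# constructed here.
EXT = r"(?:vbs|wsf|vbe|wsh|hta)"

PATTERNS = [
    # MIME part whose (file)name= carries a scripting extension. (?:.|\n\s)*
    # steps over folded header continuation lines; the ("?) ... \1 pair makes a
    # quoted name close right after the extension, so name="x.vbs.txt" does not hit.
    re.compile(r'^Content-(?:Type|Disposition): (?:.|\n\s)*name=("?)[^"]+\.' + EXT + r"\1",
               re.IGNORECASE | re.MULTILINE),
    # uuencoded attachment header: "begin 644 name.wsf"
    re.compile(r"^begin \d+ \S+\." + EXT + r"$", re.IGNORECASE | re.MULTILINE),
]

SCAN_LIMIT = 1024 * 1024  # the post's "first up-to-1MB"; configurable


def quick_scan(raw, limit=SCAN_LIMIT):
    """First pass over the whole buffer. Returns 'pass', 'match' or 'too_long'."""
    if len(raw) > limit:                      # assumption: over the limit -> defer to the daemon
        return "too_long"
    text = raw.decode("latin-1")              # 1:1 byte mapping; the headers of interest are ASCII
    return "match" if any(p.search(text) for p in PATTERNS) else "pass"


def paragraph_scan(raw):
    """Second pass: re-try every pattern on each blank-line-separated paragraph.
    Returns the indexes of matching paragraphs; an empty list means clean."""
    paragraphs = re.split(r"\n[ \t]*\n", raw.decode("latin-1"))
    return [i for i, para in enumerate(paragraphs) if any(p.search(para) for p in PATTERNS)]


def quote_paragraph(para):
    """Prefix each line with '> ' so a mail client shows it as quoted text
    instead of treating it as an attachment."""
    return "".join("> " + line for line in para.splitlines(keepends=True))


def handle(raw, limit=SCAN_LIMIT):
    """Cheap whole-buffer check first; the paragraph re-check only runs for the
    few messages that are too long or that hit a pattern."""
    if quick_scan(raw, limit) == "pass":
        return "deliver"
    return "set_aside" if paragraph_scan(raw) else "deliver"


# Constructed sample messages (not real mail); LF line endings, as an LDA sees them.
MSG_MIME = b"""From: someone@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

Please open the attachment.

--xyz
Content-Type: application/octet-stream;
 name="invoice.vbs"
Content-Disposition: attachment;
 filename="invoice.vbs"

c2NyaXB0
--xyz--
"""

MSG_UU = b"""From: someone@example.invalid
Subject: files

Here you go.

begin 644 setup.wsf
M(placeholder uuencoded data line)
`
end
"""

MSG_CLEAN = b"""From: someone@example.invalid
Subject: re: the vbs thing
Content-Type: text/plain

Renamed it to script.vbs.txt before sending; the part is name="script.vbs.txt".
"""

if __name__ == "__main__":
    for label, msg in (("mime", MSG_MIME), ("uuencode", MSG_UU), ("clean", MSG_CLEAN)):
        print(label, quick_scan(msg), paragraph_scan(msg), handle(msg))
```

Running the script prints one line per sample with the first-pass result, the matching paragraph indexes and the final decision. The folded `name=` continuation line in MSG_MIME and the `begin 644 setup.wsf` line in MSG_UU both trigger the first pass; MSG_CLEAN does not, because the backreference forces the quoted name to end directly after the extension. A message over the limit that matches nothing on the paragraph pass still comes back as "deliver", which is the pass-through-unchanged behaviour the post describes.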