#
# Procmail Script to Quarantine Malicious Microsoft Outlook(r)
# Attachments
#
# Overview: two recipes forward suspicious mail to a quarantine address
# instead of delivering it. The first recipe inspects the message header,
# the second (tried only when the first did not match) inspects the body.
# Both use procmail weighted scoring ("* w^x regex"); a recipe fires when
# its final score is positive.
#
# Shared pattern fragments, expanded inside conditions flagged with "$":
#   ext - alternation of file-name extensions to treat as suspicious. The
#         list is deliberately broad and also covers common document and
#         image types (txt, gif, jp(e)g, pdf, htm(l), zip, ...), so expect
#         ordinary mail to be quarantined as well.
#   ws  - optional whitespace, including "$" (newline in procmail regexps)
#         followed by more whitespace, i.e. folded header lines.
#   dq  - a literal double quote.
#   eol - "$", end of line.
#
# NOTE(review): the bracket expressions in ws show a single blank here;
# the original presumably held a space and a tab, and the tab may have been
# lost when this listing was published - confirm before deploying.
# NOTE(review): in ext, "[lm?]" is a bracket expression that matches the
# literal characters l, m or ?; "[lm]?" may have been intended - confirm.
# NOTE(review): as written, the trailing "?" on the s(...) group and the
# "z?" in g(if|z?) make a bare ".s" and ".g" count as listed extensions.
#
ext='(a(d[ep]|r[cj]|s[dmxp]|u|vi)|b(a[st]|mp|z[0-9]?)|c(an|hm|il|lass|md|om|(p[lp]|\+\+)?|rt|sv)|\
d(at|e?b|ll|o[ct])|e(ml|ps?|xe)|g(if|z?)|h(lp|t(a|ml?)|(pp|\+\+)?)|i(n[cfis]|sp)|\
j(ava|pe?g|se?|sp|tmpl)|kbf|l(ha|nk|og|yx)|m(d[abew]|p(e?g|[32])|s[cipt])|ocx|\
p(a(tch|s)|c[dsx]|df|h(p[0-9]?|tml?)|if|[lm?]|n[gm]|[po][st]|p?s)|r(a[mr]|eg|pm|tf)|\
s(c[rt]|h([bs]|tml?)|lp|ql|ys)?|t(ar|ex|gz|iff?|xt)|u(pd|rl|x)|vb[es]?|\
w(av|m[szd]|p(d|[0-9]?)|s[cfh])|x(al|[pb]m|l[stw])|z(ip|oo))'
ws = '[ ]*($[ ]+)*'
dq = '"'
eol='$'
#
# Recipe 1 - header check (no flags, so conditions are matched against the
# header). Each condition is worth 1 and the score starts at 0, so ANY ONE
# of the following is enough to quarantine the message:
#   - a Content-Type of multipart/(mixed|alternative|application|signed|
#     encrypted), or the text "application/";
#   - a Content-Disposition: attachment whose double-quoted name ends in a
#     listed extension, optionally followed by a further ".suffix";
#   - a Content-Transfer-Encoding of base64.
# NOTE(review): in the first condition the top-level "|" splits the pattern
# into "^content-type:...multipart/..." OR "application/" with no anchor, so
# the second alternative matches that text anywhere in the header. If only
# the Content-Type value was meant, the alternation needs to sit inside one
# group - confirm the intent.
# NOTE(review): because one match suffices, every multipart/alternative
# message is forwarded to quarantine; size and review the quarantine mailbox
# with that volume in mind.
# NOTE(review): file names are matched only inside double quotes after
# "name ="; check that this covers the parameter forms your mail system
# actually delivers, and treat this recipe as one layer of attachment
# control rather than the only one.
#
# The "!" action forwards the message. quarantine@somedomain.com is a
# placeholder: replace it with a mailbox you control and restrict access to
# it, since it will accumulate potentially hostile attachments.
#
:0
* 1^0 $ ^content-type:${ws}(multipart/(mixed|alternative|application|signed|encrypted))|(application/)
* 1^0 $ ^content-disposition:${ws}attachment;${ws}.*name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}${eol}
* 1^0 $ ^content-transfer-encoding:${ws}base64
! quarantine@somedomain.com
#
# Recipe 2 - body check. Flag B matches the conditions against the body;
# flag E runs this recipe only when the preceding recipe did not match.
# The empty "-3^0" condition sets a base score of -3. Indicators then add:
#   4 - a double-quoted name ending in a listed extension
#   4 - a uuencode-style "begin <digits> <file>.<ext>" line
#   4 - a Content-Type: application/ line inside the body (MIME part header)
#   4 - a Content-Transfer-Encoding: base64 line inside the body
#   2 - a document-level HTML tag (doctype, html, head, title, body, ...)
#   2 - an active or embedding HTML tag (script, object, iframe, form, ...)
#   2 - the text "=3d" (quoted-printable encoding of "=")
# With a -3 base, a single 4-point indicator or any two 2-point indicators
# make the score positive and the message is forwarded to quarantine; one
# 2-point indicator on its own is not enough.
#
:0 BE
* -3^0
* 4^0 $ name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}${eol}
* 4^0 $ begin${ws}[0-9]+${ws}.*\.${ext}(\..*)?${ws}${eol}
* 4^0 $ ^content-type:${ws}application/
* 4^0 $ ^content-transfer-encoding:${ws}base64
* 2^0 [<](!doctype|[sp]?h(tml|ead)|title|body)
* 2^0 [<](app|bgsound|div|embed|form|i?l(ayer|ink)|img|i?frame(set)?|meta|object|s(cript|tyle))
* 2^0 =3d
! quarantine@somedomain.com
#
######################################################################
#
# A license is hereby granted to reproduce this software for personal,
# non-commercial use.
#
# THIS PROGRAM IS PROVIDED "AS IS". THE AUTHOR PROVIDES NO WARRANTIES
# WHATSOEVER, EXPRESSED OR IMPLIED, INCLUDING WARRANTIES OF
# MERCHANTABILITY, TITLE, OR FITNESS FOR ANY PARTICULAR PURPOSE. THE
# AUTHOR DOES NOT WARRANT THAT USE OF THIS PROGRAM DOES NOT INFRINGE THE
# INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY IN ANY COUNTRY.
#
# So there.
#
# Copyright (c) 1992-2005, John Conover, , All Rights
# Reserved.
#
# $Revision: 1.0 $
# $Date: 2005/03/11 22:52:09 $
# $Id: quarantine.outlook.attachments.txt,v 1.0 2005/03/11 22:52:09 conover Exp $
# $Log: quarantine.outlook.attachments.txt,v $
# Revision 1.0 2005/03/11 22:52:09 conover
# Initial revision
#