#
# Procmail Script to Quarantine Malicious Microsoft Outlook(r) Attachments
#
# Read this file into your .procmailrc with a line of the form:
# INCLUDERC=viriirc.txt
#
# Overview of what this rc file does:
#   1. Looks at the message headers (and, for uuencoded blocks and MIME
#      multiparts, the body) for attachment names ending in one of the
#      extensions listed in $ext, or for an embedded part with an executable
#      or double extension.
#   2. If anything matches, QUARANTINE is set to a short reason string.
#   3. A final recipe rewraps any such message as a multipart/mixed whose
#      first part is a plain-text warning and whose second part is the
#      original message as message/rfc822.  Nothing is deleted; the message
#      is delivered onward in the wrapped form.
#
# Procmail regex matching is case-insensitive by default, so "content-type"
# below also matches "Content-Type".
#
# NOTE(review): this copy of the file had its line structure collapsed; the
# line breaks below (including the newlines inside quoted values, which are
# significant to procmail) were reconstructed and should be checked against
# the original.

# File extensions that are treated as dangerous when they arrive as an
# attachment name.  This list is the policy knob of the script: add or
# remove alternatives here to tune sensitivity.  Each top-level group is
# keyed by the first letter of the extension; "X?" makes the suffix
# optional, e.g. g(if|z?) matches .gif, .g and .gz.
# NOTE(review): in the "p" group, [lm?] is a bracket class containing a
# literal "?", so it matches ".pl", ".pm" and ".p?" but not ".p"; every other
# "?" in this list is a quantifier, so [lm]? (".p", ".pl", ".pm") may have
# been intended — confirm before changing.
# The trailing backslashes continue the single-quoted value onto the next
# line.
ext = '(a(d[ep]|r[cj]|s[dmxp]|u|vi)|b(a[st]|mp|z[0-9]?)|\
c(an|hm|il|lass|md|om|(p[lp]|\+\+)?|rt|sv)|d(at|e?b|ll|o[ct])|\
e(ml|ps?|xe)|g(if|z?)|h(lp|t(a|ml?)|(pp|\+\+)?)|i(n[cfis]|sp)|\
j(ava|pe?g|se?|sp|tmpl)|kbf|l(ha|nk|og|yx)|\
m(d[abew]|p(e?g|[32])|s[cipt])|ocx|\
p(a(tch|s)|c[dsx]|df|h(p[0-9]?|tml?)|if|[lm?]|n[gm]|[po][st]|p?s)|\
r(a[mr]|eg|pm|tf)|s(c[rt]|h([bs]|tml?)|lp|ql|ys)?|\
t(ar|ex|gz|iff?|xt)|u(pd|rl|x)|vb[es]?|\
w(av|m[szd]|p(d|[0-9]?)|s[cfhz])|x(al|[pb]m|l[stw])|z(ip|oo))'

# Optional whitespace that may span a folded header line: in a procmail
# regex "$" matches a newline, so "($[ ]+)*" absorbs continuation lines.
# Single quotes keep procmail from expanding the "$" here.
# NOTE(review): the bracket class shows only a space in this copy; the
# original most likely also contained a literal tab — confirm.
ws = '[ ]*($[ ]+)*'

# A double-quote character, kept in a variable so it can be embedded in the
# double-quoted regex fragments below.
dq = '"'

# This script is based on John Conover's quarantine.outlook.attachments.txt.
# Almost nothing below here is the same as the original, except the license.

# Left/right delimiters around an attachment name: an optional opening
# quote, and, after the extension, a closing quote, a character that cannot
# be part of an extension, or end of line.  This stops ".exe" from matching
# inside ".exec" in the recipes that use $rq.
lq = "${dq}?"
rq = "(${dq}|[^-.a-z0-9_]|$)"

# The subset of extensions that are directly executable; an embedded part
# with one of these is quarantined regardless of what precedes it.
exe = '(ba[st]|c(om|pl)|exe|ocx|pif|s(cr|ys)|vb[es]?|wsz)'

# A bare variable name unsets it, so QUARANTINE starts out empty for every
# message even if an earlier rc file left it set.
QUARANTINE

# Check for the dangerous extensions in the top-level MIME headers,
# or in what looks like a uuencoded block anywhere in the body.
#
# The three recipes below form an if / else-if / else-if chain via the E
# flag.  Each one that fires sets QUARANTINE to a reason prefix plus MATCH,
# the text captured from "\/" onward in the condition.

# Header-only check: Content-Type:/Content-Disposition: carrying a
# name=/filename= parameter whose value ends in a listed extension.
:0
* $ ^content-(type|disposition):.*name${ws}=${ws}\/${lq}.*\.${ext}${rq}
{
  QUARANTINE="Top-level: $MATCH"
}

# Body check (B flag): a uuencode header line "begin <mode> <filename>"
# whose filename ends in a listed extension.
:0BE
* $ ^begin${ws}[0-9]+[^0-9]${ws}\/.*\.${ext}${ws}$
{
  QUARANTINE="UUencoded: $MATCH"
}

# Check multiparts for embedded attachments with dangerous extensions

# Only for multipart/* or message/rfc822 messages; TYPE keeps the matched
# content type for the scoring recipe further down.
:0E
* $ ^content-type:${ws}\/(multipart/.*|message/rfc822)
{
  TYPE=$MATCH

  # If an embedded file has a double extension or an executable extension,
  # it's probably a virus/worm
  #
  # Searches the body for a part header whose name= value ends either in one
  # of $exe, or in any three characters followed by a listed extension (a
  # "double extension" such as .doc.zip).  No $rq terminator is applied here,
  # so this check errs on the side of matching.
  :0B
  * $ ^content-(type|disposition):.*name${ws}=${ws}${lq}.*\/\.(${exe}|...\.${ext})
  {
    QUARANTINE="Extension: $MATCH"
  }

  # Else if it has an application attachment with a dangerous name and
  # also an HTML attachment with potentially dangerous tags, it's unsafe
  #
  # Scoring recipe: the empty first condition always matches and gives a
  # base score of -3; each of the three weighted conditions adds 2 when it
  # matches; the recipe fires when the total is positive.
  # NOTE(review): -3 + 2 + 2 = 1, so any TWO of the three weighted
  # conditions are enough to fire this recipe, not all three as the comment
  # above reads — confirm that 2-of-3 is the intended policy (a base of -5
  # would require all three).
  # The conditions are: TYPE is multipart/alternative, parallel or related;
  # the body contains an HTML tag from the list (app, bgsound, embed, layer,
  # ilayer, link, ilink, frame, iframe, frameset, iframeset, object,
  # script); and an application/* part header is followed, possibly many
  # lines later (the "(.|^)*" idiom matches across newlines), by a name=
  # parameter ending in a listed extension.
  :0 BE
  * -3^0
  * 2^0 $ TYPE ?? (alternative|parallel|related)
  * 2^0 $ ()<${ws}\/(app|bgsound|embed|i?l(ayer|ink)|i?frame(set)?|object|script)
  * 2^0 $ ^content-type:${ws}application/(.|^)*name${ws}=${ws}\/${lq}.*\.${ext}${rq}
  {
    QUARANTINE="Multipart: $MATCH"
  }
}

# The regex here is to strip any trailing newline that may be in $QUARANTINE
#
# Fires only when QUARANTINE is non-empty; "\/.+" captures the reason text
# up to (but not including) any newline into MATCH.
:0
* QUARANTINE ?? ()\/.+
{
  # LOG does not append a newline of its own, so the value carries one.
  LOG="Quarantine: $MATCH
"

  # Conover's original script was designed to forward to a quarantine address.
  # If you uncomment this recipe (be sure to change this example address), the
  # rest of the script below is skipped.

  #:0
  #! quarantine@somedomain.com

  # Raise procmail's line/value buffer so the long $HEADER value below fits.
  LINEBUF=10240

  # Original Subject: contents, re-used in the wrapper's Subject: line.
  SUBJECT=`formail -xSubject:`

  # MIME boundary for the wrapper; "$$" expands to procmail's process id.
  BOUNDARY="__$$QUARANTINE$$__"

  # Header block of the wrapper message: keep the original To:, Cc:, Reply-*,
  # Resent-*, Message-ID:, Date: and From: fields (formail -X is presumably a
  # field-name prefix match, so Reply- covers Reply-To:), then set the
  # marked Subject:, MIME-Version: and a multipart/mixed Content-Type:.
  # Procmail strips trailing newlines from backquoted output, so the quoted
  # string appended after the backquotes re-adds the newline that ends the
  # last header line plus the blank line that separates headers from body.
  # NOTE(review): the exact number of newlines in that quoted string was lost
  # in this copy; two are required for a well-formed message — confirm.
  # NOTE(review): $SUBJECT here, and $HEADER in the pipe below, carry content
  # taken verbatim from untrusted message headers, and procmail is understood
  # to expand variables before handing the command text to the shell.  Header
  # content that contains shell quoting characters could therefore alter the
  # command that runs.  Confirm procmail's expansion rules in procmailrc(5)
  # and consider having a small helper script read these values from its
  # environment (procmail exports its variables to child processes) instead
  # of interpolating them into the command line.
  HEADER=`formail -XTo: -XCc: -XReply- -XResent- -XMessage-ID: -XDate: -XFrom: | formail -I"Subject: (QUARANTINE)$SUBJECT" -I"MIME-Version: 1.0" -I"Content-Type: multipart/mixed; boundary=$BOUNDARY"`"

"

  # First MIME part: a plain-text explanation, ending with the reason text
  # captured in MATCH.  The value ends with a newline so the next boundary
  # line starts in column 0.
  TEXTPART="--$BOUNDARY
Content-Type: text/plain

This message has been quarantined by wrapping in a MIME multipart
because it contains a potentially dangerous attachment.  View the
enclosed message at your own risk and only if you are confident
that it is not a threat.

REASON: $MATCH
"

  # Second MIME part header: the original message follows as message/rfc822.
  # echo adds the final newline, which produces the blank line between these
  # part headers and the embedded message.
  MSGPART="--$BOUNDARY
Content-Type: message/rfc822
Content-Disposition: attachment
"

  # Filter recipe (f): replace the message with the wrapper headers, the text
  # part, the part header, the original message (formail -I"From " presumably
  # drops the mbox "From " separator line), and the closing boundary.  W waits
  # for the filter and suppresses the "program failure" message.
  :0fW
  | ( echo "$HEADER$TEXTPART$MSGPART"; formail -I"From "; echo "--$BOUNDARY--" )
}

######################################################################
#
# A license is hereby granted to reproduce this software for personal,
# non-commercial use.
#
# ----------
# In <20020523205216.5120.qmail@john.johncon.com>, John Conover wrote:
# Hi Bart. Sure. The attorneys have to write their code, too. You can
# use it for whatever you want, including modifying it, and distributing
# it.
# ----------
#
# THIS PROGRAM IS PROVIDED "AS IS". THE AUTHOR PROVIDES NO WARRANTIES
# WHATSOEVER, EXPRESSED OR IMPLIED, INCLUDING WARRANTIES OF
# MERCHANTABILITY, TITLE, OR FITNESS FOR ANY PARTICULAR PURPOSE. THE
# AUTHOR DOES NOT WARRANT THAT USE OF THIS PROGRAM DOES NOT INFRINGE THE
# INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY IN ANY COUNTRY.
#
# So there.
#
# Copyright (c) 2001-2002, John Conover, , All Rights
# Reserved.
#
# $Revision: 1.0 $
# $Date: 2002/05/21 20:19:16 $
# $Id: quarantine.outlook.attachments.txt,v 1.0 2002/05/21 20:19:16 conover Exp $
# $Log: quarantine.outlook.attachments.txt,v $
# Revision 1.0 2002/05/21 20:19:16 conover
# Initial revision
#
# ----------
# Copyright (c) 2002 Barton E. Schaefer
#
# NO WARRANTY
#
# THIS PROGRAM IS PROVIDED FREE OF CHARGE. THERE IS NO WARRANTY
# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
# REPAIR OR CORRECTION.
#
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
# REDISTRIBUTE THE PROGRAM, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS
# OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU
# OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGES.
#