Re: [Evolution] Filter not filtering....

Here's an improved version of this script.  It will also flag executables
contained in uuencoded messages, such as the EICAR message that Nessus
sends out:

# Exit 0 (= flag the message) if a Content-* header line or a uuencode
# "begin <mode> <filename>" line names an executable-looking attachment.
# Output is discarded; only the exit status of the last egrep matters.
cat | egrep -i -e "^content-" -e "^begin[[:space:]][0-9][0-9][0-9][[:space:]]" \
    | egrep -i -e '\.exe' -e '\.pif' -e '\.com' -e '\.bat' > /dev/null 2>&1
exit $?

Does anyone who knows more about the uuencode format have any
suggestions for making it more restrictive in what it will flag?  I was
only working off of one example.

Between this script and clamav, it looks like I should get 'em all. 
(ClamAV doesn't look at uuencoded attachments as near as I can tell.)
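
A stricter variant of the filter above, added here as an example and not taken from either message in this thread. It keeps the same contract (read the message on stdin, exit 0 to flag) but tightens both checks: the extension must be the end of the name= or filename= parameter (so "report.company.doc" is not flagged for containing ".com"), folded header lines are joined first so a filename split across two lines is still seen, and the uuencode check requires the mode field of the "begin" line to be three or four octal digits, which is what uuencode actually writes. The extension list, the sample messages and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the script from the thread. Exit 0 = flag the message.

# Extension list is an assumption for this example; extend to taste.
BAD_EXT='(exe|pif|com|bat|scr|cmd|vbs)'

# Join folded header lines (continuations start with SP or TAB) so that a
# parameter such as  name=\n\t"update.exe"  is inspected as one line.
unfold_headers() {
    awk 'NR > 1 && /^[ \t]/ { printf "%s", $0; next }
         NR > 1            { printf "\n" }
                           { printf "%s", $0 }
         END               { printf "\n" }'
}

# flag_message: reads one message on stdin; returns 0 if it should be flagged.
flag_message() {
    msg=$(cat)
    # Check 1: a name= or filename= parameter on a Content-Type or
    # Content-Disposition line whose value ENDS in a bad extension
    # (quotes optional, case-insensitive, parameter may be followed by ';').
    if printf '%s\n' "$msg" | unfold_headers \
         | grep -E -i '^content-(type|disposition):' \
         | grep -E -i -q '(file)?name="?[^";]*\.'"$BAD_EXT"'"?[[:space:]]*(;|$)'; then
        return 0
    fi
    # Check 2: a uuencode header "begin <mode> <filename>" where <mode> is
    # 3 or 4 octal digits (e.g. 644, 0755) and <filename> ends in a bad extension.
    if printf '%s\n' "$msg" \
         | grep -E -i -q '^begin [0-7]{3,4} [^[:space:]].*\.'"$BAD_EXT"'[[:space:]]*$'; then
        return 0
    fi
    return 1
}

# Constructed sample messages (not real mail) so the example runs on its own.
sample_mime()    { printf 'Content-Type: application/octet-stream;\n\tname="update.EXE"\nContent-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA\n'; }
sample_uu()      { printf 'Subject: test file\n\nbegin 644 eicar.com\nM...uuencoded body...\nend\n'; }
sample_clean()   { printf 'Content-Disposition: attachment; filename="report.company.doc"\n\nhello\n'; }
sample_badmode() { printf 'begin 999 notes.exe\n'; }   # 999 is not a valid octal mode

for s in sample_mime sample_uu sample_clean sample_badmode; do
    if $s | flag_message; then echo "$s: flagged"; else echo "$s: passed"; fi
done
```

Drop the for-loop and the sample_* helpers when wiring this into Evolution; the pipe rule only needs `flag_message` to run on the message and its exit status.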


On Tue, 2003-11-04 at 09:49, John Harlow wrote:
I have bogofilter in place which puts my spam into a separate folder,
but I also have put a simple shell filter in place to separate out all
of these bogus MS security/virus emails that come in on my accounts and
them as they arrive.

The filter is just a shell and looks like this:

# Exit 0 (= flag the message) if a Content-* header line names an
# executable-looking attachment; output is discarded.
cat | egrep -i "^content-" | egrep -i -e '\.exe' -e '\.pif' -e '\.com' -e '\.bat' > /dev/null 2>&1
exit $?

The exit code of the second egrep is the exit status of the shell.
(There's probably a nicer regexp that would eliminate the need for two
egreps, but this is at the quick & dirty stage right now.)

My evolution filter verifies that the email has an attachment and if so,
runs the shell command on it. If the return is 0, it deletes the
message. Here is the rule.

    <rule grouping="all" source="incoming">
        <part name="attachments">
          <value name="match-type" type="option" value="exist"/>
        </part>
        <part name="pipe">
          <value name="command" type="command">
          </value>
          <value name="retval-type" type="option" value="is"/>
          <value name="retval" type="integer" integer="0"/>
        </part>
        <part name="delete"/>
        <part name="stop"/>
    </rule>

The odd thing is that this rule is much earlier in the stack than my
bogofilter rule. When email is checked, these emails end up in my spam
folder (per bogofilter.)

If I then select and right-click on these 'infected' emails and apply
filters, this filter fires and the email is deleted.

Why would it work manually, but not when the email is being received?

