Mailing List Archive

Blocking File Attachments
I wanted to write a rule to block emails with certain file attachments like
PIF, SCR, EXE... Kind of a poor man's AVS.

But I couldn't figure out how to do it. Seems like the rawbody tests exclude
the MIME headers from regexp pattern matching.

SOOO I hacked EvalTests.pm and made it work. May not be elegant, and there's
probably a simpler solution - BUT it does work. Here's what I did:

1) sub _check_mime_header {
At the very bottom, add:

    if ($name && $ctype eq "application/octet-stream") {
        # MIME_BAD_FILE_ATTACH triggered here
        # Lowercase first so "FOO.EXE" and "foo.exe" are treated the same.
        my $ext = lc $name;
        $ext =~ s/.*\.//;    # keep only the text after the last dot
        if (
            ($ext eq "pif") ||
            ($ext eq "scr") ||
            ($ext eq "bat") ||
            ($ext eq "com") ||
            ($ext eq "exe")
        ) {
            $self->{mime_bad_file_attach} = 1;
        }
    }


2) sub _check_attachments {
In the #results area, add near things like it

$self->{mime_bad_file_attach} = 0;


3) In one of your rules, add:

rawbody MIME_BAD_FILE_ATTACH eval:check_for_mime('mime_bad_file_attach')
describe MIME_BAD_FILE_ATTACH PIF/SCR/BAT/COM/EXE file attached
score MIME_BAD_FILE_ATTACH 200.00

P.S.
We run SA under milter-spamd on our incoming relay.
If you run sendmail, check out Anthony Howe's wonderful milter-ware at
http://www.snert.com/Software/index.html
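
The same extension test as a standalone Perl script, added here as an example and not part of the original post or of SpamAssassin. It lowercases the name, reads both name= and filename= parameters, and does not depend on the declared content type; the function name bad_attachments and the sample message are constructed for illustration.

```perl
use strict;
use warnings;

my %BAD_EXT = map { $_ => 1 } qw(pif scr bat com exe);   # list from the post

# Return the blocked file names declared in a raw RFC 822 message.
# Hypothetical helper; it scans every Content-Type/Content-Disposition line.
sub bad_attachments {
    my ($raw) = @_;
    my (@hits, %seen);
    # Unfold continuation lines so a wrapped name= parameter is still seen.
    (my $text = $raw) =~ s/\r?\n[ \t]+/ /g;
    for my $line (split /\r?\n/, $text) {
        next unless $line =~ /^Content-(?:Type|Disposition):/i;
        # Accept a quoted or bare value for name= and filename=.
        while ($line =~ /\b(?:file)?name\s*=\s*(?:"([^"]*)"|([^\s;]+))/gi) {
            my $file = defined $1 ? $1 : $2;
            (my $ext = lc $file) =~ s/[.\s]+$//;   # drop trailing dots/spaces
            next unless $ext =~ /\.([^.]+)$/;      # final extension only
            push @hits, $file if $BAD_EXT{$1} && !$seen{lc $file}++;
        }
    }
    return @hits;
}

# Constructed sample message, not taken from real mail.
my $sample = <<'EOM';
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/x-msdownload;
 name="Report.PDF.EXE"
Content-Disposition: attachment; filename="Report.PDF.EXE"

--b1
Content-Type: application/octet-stream; name=notes.txt

--b1--
EOM

print "blocked: $_\n" for bad_attachments($sample);
```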