[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] PWS-gen.Hooker Trojan

Subject: Re: [cobalt-users] PWS-gen.Hooker Trojan
From: "A2Z Uniforms, Inc." <sales@xxxxxxxxxxxxxxx>
Date: Mon Dec 10 20:25:04 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

Sim,
The line that specifies which file types to remove or defangle is:

   *filename=".*\.(vbs|wsf|eml|shs|exe|nws|chm|pif|vbe|hta|scr)"

To add pif to the list it should look like this
   *filename=".*\.(vbs|wsf|eml|shs|exe|nws|chm|pif|vbe|hta|scr|pif)"


you need to add "pif" to the list.  NOTE that the extension string
can NOT start with the pipe sign OR end with it.  You also can not have 2
pipe signs side by side "||".  This can cause major problems.

TD

----- Original Message -----
From: "Sim Ayers" <sim@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, December 10, 2001 9:02 PM
Subject: [cobalt-users] PWS-gen.Hooker Trojan


> Our procmailrc has the typical attachement check, but the file
> images.doc.pif got through. I could use some help with the correct
> syntax for checking file attachments that have two dots in the file
> name.
>
> Sim
>
> # here's our procmailrc script.
>
###########################################################################
>
>
> #This stops a bunch of bad news attachements from coming through
> #attachments are defined in the "filename" variable
> #how to deal with them is laboriously described below
>
> :0
> *^Content-type: (multipart/mixed|application/octet-stream)
> {
>     :0 HB
>     *^Content-Disposition: (attachment|inline);
>     *filename=".*\.(vbs|wsf|eml|shs|exe|nws|chm|pif|vbe|hta|scr)"
>     {
>        SHELL=/bin/bash
>        :0 fhbw
>        |/bin/sed -e \
> 's/\([nN][aA][mM][eE]=".*\.[vV][bB][sS]\)"/\1.txt"/' \
>                      -e \
> 's/\([nN][aA][mM][eE]=".*\.[wW][sS][fF]\)"/\1.txt"/' \
>                      -e \
> 's/\([nN][aA][mN][eE]=".*\.[eE][mM][lL]\)"/\1.txt"/' \
>                      -e \
> 's/\([nN][aA][mN][eE]=".*\.[nN][wW][sS]\)"/\1.txt"/' \
>                      -e \
> 's/\([nN][aA][mM][eE]=".*\.[sS][hH][sS]\)"/\1.txt"/' \
>                      -e \
> 's/\([nN][aA][mM][eE]=".*\.[eE][xX][eE]\)"/\1.not"/' \
>                      -e \
> 's/\([nN][aA][mM][eE]=".*\.[cC][hH][mM]\)"/\1.txt"/' \
>                      -e \
> 's/\([nN][aA][mM][eE]=".*\.[pP][iI][fF]\)"/\1.txt"/' \
>                      -e \
> 's/\([nN][aA][mM][eE]=".*\.[hH][tT][aA]\)"/\1.txt"/' \
>                      -e \
> 's/\([nN][aA][mM][eE]=".*\.[vV][bB][eE]\)"/\1.txt"/' \
>                      -e \
> 's/\([nN][aA][mM][eE]=".*\.[sS][cC][rR]\)"/\1.txt"/' \
>
>
>         :0:
>         /home/tmp/crap
>          }
>         }
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>

Follow-Ups:
- RE: [cobalt-users] PWS-gen.Hooker Trojan
  - From: Chris Demain

References:
- [cobalt-users] PWS-gen.Hooker Trojan
  - From: Sim Ayers

Prev by Date: RE: [cobalt-users] Raq 3/rpm question. Which rpm's to download?
Next by Date: Re: [cobalt-users] in my messages log
Previous by thread: [cobalt-users] PWS-gen.Hooker Trojan
Next by thread: RE: [cobalt-users] PWS-gen.Hooker Trojan

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index