My blog posting Filtering Mydoom/Novarg worm with procmail has proven to be one of the most popular pages on this web site.
Since then we have created a few more simple procmail rules to catch the few emails that are still getting through our spam filters. Also, the virus attachment rules have been tightened up to stop false positives with some of eBay's emails. These rules redirect to /dev/null, effectively deleting the emails.
If you don't wish to delete the emails, you can change this to a file somewhere on your server. If this is for a personal procmailrc file, you could even send them to your own spam file (i.e. ./spam or ./mail/spam).
# Redirect common virus attachments inc. zipped versions
:0 B
* name=.*(document|readme|doc|text|file|data|test|message|body)\.(vbs\"|wsf\"|vbe\"|wsh\"|hta\"|scr\"|pif\"|exe\"|shs\"|bat\"|bas\"|cmd\"|zip\")
{
  :0
  /dev/null
}

# Some more common virus attachments inc. zipped versions
:0 B
* name=.*(Attach|Information|Readme|Document|Info|TextDocument|Textfile|MoreInfo|Message)\.(pif\"|zip\")
{
  :0
  /dev/null
}

# Redirect windows executables (note - haven't included exe and com)
:0 B
* name=.*\.(vbs\"|wsf\"|vbe\"|wsh\"|hta\"|scr\"|pif\"|shs\"|bat\"|bas\"|scr\"|dll\")
{
  :0
  /dev/null
}

# This one finds them annoying Custom Logo spams that seem to get past most filters
:0 B
* .*out\.php\?email\=(sales|info)\@
{
  :0
  /dev/null
}

# This catches about 99% of deliberate viagra misspellings, i.e. v1@GRa, v1agr@ etc
:0 H
* ^Subject.*[Vv][1jl\|][aA\@][Gg][Rr][Aa\@]
{
  :0
  /dev/null
}
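Because these rules discard mail outright, it is worth checking them against known-good and known-bad samples before deploying. The following is an added example, not part of the original post: it assumes Python's `re` with case-insensitive, multi-line matching approximates procmail's matching, and the rule names, helper functions and sample messages are constructed for illustration.

```python
import re

# procmail matches case-insensitively unless the D flag is set (approximated here).
FLAGS = re.IGNORECASE | re.MULTILINE

# Python translations of the page's conditions; scope mirrors the B (body) / H (header) flag.
RULES = [
    ("virus-named", "B",
     r'name=.*(document|readme|doc|text|file|data|test|message|body)'
     r'\.(vbs"|wsf"|vbe"|wsh"|hta"|scr"|pif"|exe"|shs"|bat"|bas"|cmd"|zip")'),
    ("virus-named-2", "B",
     r'name=.*(Attach|Information|Readme|Document|Info|TextDocument|'
     r'Textfile|MoreInfo|Message)\.(pif"|zip")'),
    ("win-executable", "B",
     r'name=.*\.(vbs"|wsf"|vbe"|wsh"|hta"|scr"|pif"|shs"|bat"|bas"|dll")'),
    ("logo-spam", "B", r'.*out\.php\?email=(sales|info)@'),
    ("viagra-misspelt", "H", r'^Subject.*v[1jl|][a@]gr[a@]'),
]
COMPILED = [(name, scope, re.compile(rx, FLAGS)) for name, scope, rx in RULES]

def first_match(message):
    """Return the name of the first rule that would discard the message, else None."""
    header, _, body = message.partition("\n\n")
    for name, scope, rx in COMPILED:
        if rx.search(header if scope == "H" else body):
            return name
    return None

def make_msg(subject, attachment=None, text="hello"):
    """Build a constructed sample message (real MIME mail carries more headers)."""
    body = text
    if attachment:
        body += f'\n--b1\nContent-Type: application/octet-stream; name="{attachment}"\n'
    return f"From: a@example.com\nSubject: {subject}\n\n{body}"

# Constructed samples: (message, rule expected to fire, or None if it should be delivered).
SAMPLES = [
    (make_msg("hi", "readme.zip"), "virus-named"),
    (make_msg("hi", "MoreInfo.pif"), "virus-named-2"),
    (make_msg("hi", "setup.scr"), "win-executable"),
    (make_msg("hi", "photos.zip"), None),                # ordinary zip is delivered
    (make_msg("hi", "monthly-data.zip"), "virus-named"), # legitimate-looking name still discarded
    (make_msg("hi", text="http://example.com/out.php?email=sales@example.org"), "logo-spam"),
    (make_msg("Cheap v1@GRa"), "viagra-misspelt"),
    (make_msg("hi", text="v1agra"), None),               # H rule ignores the body
]

def mismatches():
    """Return the samples whose outcome differs from the expectation."""
    return [(m, want, first_match(m)) for m, want in SAMPLES if first_match(m) != want]
```

The `monthly-data.zip` sample shows why delivering matches to a spam file rather than /dev/null is the safer choice while a rule set is still being tuned.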