ajfoote
04-19-2004, 12:11 AM
Use Procmail To Stop Viruses

If you are like me then you get tons of those virus emails with an attachment each day. These are a real pain; they fill your inbox and waste your time.

Why not just delete them at the server level before they even reach your inbox!

If you have Procmail enabled on your site, just add the following. It's best to add this at the "top" since Procmail does commands in order... this should be the first one if you have others.

What it does is scan every email with an attachment that is under 150k (the viruses are like this) and if the file has the zip, exe, pif, etc. extension it deletes the email before it ever reaches your inbox.

#################################
:0
* < 150000
* ! ^Content-Type: text/plain
{
:0B
* ^(Content-(Type|Disposition):.*|[ ]*(file)?)name=("[^"]*|[^ ]*)\.(bat|cmd|com|zip|exe|js|pif|vbs|scr|wsf)
/dev/null
}
#################################

Note, if for some reason people send you EXE attachments and/or Zip files under 150k then you can remove those file extensions from the array.

Also, you can change the 150k to whatever you want, but I heard that scanning large attachments will use a lot of resources... besides, these viruses are rarely over 150k in size; most seem to be around 40K to 75K.

Chris
04-23-2004, 12:18 PM
Hint: the procmailrc file is usually located here:

/etc/procmailrc

Here is a snippet that will delete all messages flagged as spam.


:0 h
* ^X-spam-status: Yes
/dev/null

Be very careful with this, as you could easily have false positives with SpamAssassin.

Chris
04-23-2004, 02:58 PM
You can also move Spam to a file for viewing later.


:0 h
* ^X-spam-status: Yes
/tmp/myspam

Again, be careful when deleting or moving mail. Also, be sure to back up the procmailrc file so that you can revert if needed.

ajfoote
05-09-2004, 10:23 PM
> You can also move Spam to a file for viewing later.
>
>
> :0 h
> * ^X-spam-status: Yes
> /tmp/myspam
>
> Again, be careful when deleting or moving mail. Also, be sure to back up the procmailrc file so that you can revert if needed.

Yes, that is a good idea to move it into another folder rather than automatically delete it; that is what I do with "suspected spam". However, in my original post I was not talking about spam. It was a procmail script to remove email with attachments with extensions like .pif & .vbs; except for a select few, there is no reason why anyone should be receiving email with these kinds of extensions, it's a virus 99.99% of the time.

If you choose to put these emails in a folder rather than delete them, make sure you have your virus definitions up to date before checking this account, or even better - set your email client to not download attachments from that account.

I am not sure about others out there but I was getting so many copies of those viruses with pif, vbs, scr file extensions that I had to do something, it was a

nateb0t
07-29-2005, 07:20 PM
I've got this recipe to work.

However, some worm spam with zip files ARE getting through. It seems they are named in the form of name.zip [a great number of spaces] #numbers yet can be executed as name.zip by the operating system.
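To see what the first post's regex actually matches, here is an added Python check (not from the thread) that transcribes the recipe's :0B condition, parses the same messages with Python's email module, and applies a check on the decoded filename that also treats the padded "name.zip [spaces] numbers" form nateb0t reports as a .zip. The three messages are constructed; the RFC 2231 and RFC 2047 header encodings are assumed examples of headers the line-based regex cannot see, not a claim about what got through in nateb0t's case.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

BLOCKED = ("bat", "cmd", "com", "zip", "exe", "js", "pif", "vbs", "scr", "wsf")

# The extension test from the first post's recipe, transcribed to Python. procmail
# matches line by line and case-insensitively, hence re.M | re.I.
RECIPE_RE = re.compile(
    r'^(Content-(Type|Disposition):.*|[ ]*(file)?)name=("[^"]*|[^ ]*)\.('
    + "|".join(BLOCKED) + ")", re.M | re.I)

def recipe_matches(raw_message: str) -> bool:
    """Would the posted :0B condition fire on this raw message text?"""
    return RECIPE_RE.search(raw_message) is not None

def parsed_filenames(raw_message: str) -> list:
    """Attachment names as a MIME parser (and the recipient's client) sees them:
    RFC 2231 continuations joined, RFC 2047 encoded words decoded."""
    names = []
    for part in message_from_string(raw_message).walk():
        fn = part.get_filename()
        if fn:
            names.append(str(make_header(decode_header(fn))))
    return names

def has_blocked_attachment(raw_message: str) -> bool:
    """Hardened check on the decoded name: every whitespace-separated token is
    inspected, so 'name.zip    12345' (the padded form nateb0t reports) counts as .zip."""
    for fn in parsed_filenames(raw_message):
        for token in fn.split():
            if "." in token and token.rsplit(".", 1)[-1].lower() in BLOCKED:
                return True
    return False

def sample(part_headers: str) -> str:
    """Constructed two-part test message; only the attachment headers vary."""
    return ("From: sender@example.invalid\nSubject: test\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nsee attached\n"
            f"--b1\n{part_headers}\nContent-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")

# Constructed samples: a plain header the recipe catches, and two header encodings
# (assumed here, not stated in the thread) that carry the same name past the regex.
PLAIN = sample('Content-Type: application/octet-stream; name="invoice.pif"')
CONTINUED = sample('Content-Disposition: attachment; filename*0="document.zip    ";'
                   ' filename*1="12345"')
ENCODED = sample('Content-Disposition: attachment;\n'
                 ' filename="=?iso-8859-1?q?document=2Ezip____12345?="')
```

Running recipe_matches and has_blocked_attachment over PLAIN, CONTINUED and ENCODED shows the regex firing only on PLAIN while the decoded-name check flags all three.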