I know this is a bit late but it may be useful. Below is a procmail recipe which I have called rc.attach. This enables our server to reject any attachments of various types (which we can alter by changing ONE line in the recipe.)
I found that viruses used varying methods of attaching files, so within the recipe there are differing methods of detection: normal attachments, audio attachments and what I call "embedded" attachments.
Since activating it we have saved ourselves from HUNDREDS of infected messages. The rejected messages are stored in a folder on the unix server.
It is not 100% foolproof as sometimes legitimate messages can be blocked (but the sender is always sent a message informing him of this). Usually this is because the filename they have given is stupidly long (example: This is what I did on my holidays.doc). I consider putting spaces in filenames BAD PRACTICE.
Tailor the reply message so that it includes your tech-support contact details.
I've also included a secondary file called rc.spamdump2.
This is not necessarily a spam filter but it also rejects messages with blank subjects, blank FROM fields etc. Sometimes it's spam, sometimes it's a virus, sometimes it's just someone being lazy.
At the end I've put the /etc/.procmailrc contents.
Remember this will be system-wide (recipes for individuals are placed elsewhere).
<< /etc/rc.attach >>
# Script to reject certain attachments. Neil Barnes 8/2/2001.
# First specify a variable to contain list of attachments to reject.
# Essentially, ".*" means any preceding characters. "\." followed by a dot.
# The backslash before the dot is required because the dot is a metachar.
# Then, in brackets, the list of extensions separated by the pipe char.
filext=".*\.(exe|vbs|bat|com|scr|mpg|mpe|mpeg|m1v|rm|rv|wmv|avi|qt|aif|pif|lnk|dat|swf|chm)"
# This first rule detects messages with the forbidden attachments and sends
# a message to the sender informing them that the message is rejected.
# I've had to add a second rule (identical to the first) to do the actual
# rejection (dumping into /dev/null). This is because I couldn't get it to
# perform the sendmail function and the dumping in one blow. Don't know why.
# .....yet!
:0
* ^Content-Type: (multipart/mixed|application/octet-stream)
{
# The c flag sends the reply on a copy, so the message still reaches the
# second rule further down. The X-Loop test skips our own auto-replies.
# The action is one logical line; each physical line ends in a backslash.
:0 HBc
* ^Content-Disposition: (attachment|inline);
* $ filename=$filext
* ! ^X-Loop: Extension Filter
| (/usr/bin/formail -r -i"Subject: Returned e-mail - Attachment rejected" -A"X-Loop: Extension Filter" ; \
   echo "*************************************" ; \
   echo "** This is an automated response " ; \
   echo "*************************************" ; \
   echo "** For SECURITY reasons the " ; \
   echo "** Your Company Limited Mail System " ; \
   echo "** does not accept e-mail attachments" ; \
   echo "** of certain types (e.g. *.exe). " ; \
   echo "*************************************" ; \
   echo "** We apologise for any inconvenience" ; \
   echo "** this may cause. " ; \
   echo "*************************************" ) \
  | /usr/lib/sendmail -t
}
###################
### reject html attachments
##################
:0 HB
* $ ^begin 666 $filext
HTML
:0
* ^Content-Type: (multipart/mixed|application/octet-stream)
{
:0 HB
* ^Content-Disposition: (attachment|inline);
* $ filename=$filext
ATTACH
}
# reject all Audio files (embedded exe)
:0 HB
* ^Content-Type: audio/x-wav;
AUDIO
# Reject all embedded attachments
:0 HB
* $ name=$filext
EMBEDD
<<< end of /etc/.procmail/rc.attach >>>
<<< /etc/.procmail/rc.spamdump2 >>>
# Reject all messages with Blank "To" Fields
:0:
* ^To:[ ]*$
/dev/null
# Reject all messages with Blank "From" Fields
:0:
* ^From:[ ]*$
/dev/null
# Reject all messages with missing "From" Fields
:0:
* ! ^From:
/dev/null
# Reject all messages from hahaha (the sender of virus emails Jan2001)
:0:
* ^From:.*\hahaha
/dev/null
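# Reject all messages with no SUBJECT line.
# The c flag sends the reply on a copy; the recipe after it does the discard.
:0 hc
* ! ^Subject:
* ! ^X-Loop: Subject Filter
| (/usr/bin/formail -r -i"Subject: Message Rejected" -A"X-Loop: Subject Filter" ; \
   cat /etc/.procmail/blanksubject.txt) \
  | /usr/lib/sendmail -t -F "support@yourcompany.com"
:0
* ! ^Subject:
/dev/null
# Reject all messages with a Blank Subject.
# Same pattern: reply on a copy, then discard the original.
:0 hc
* ^Subject:[ ]*$
* ! ^X-Loop: Subject Filter
| (/usr/bin/formail -r -i"Subject: Message Rejected" -A"X-Loop: Subject Filter" ; \
   cat /etc/.procmail/blanksubject.txt) \
  | /usr/lib/sendmail -t -F "support@yourcompany.com"
:0
* ^Subject:[ ]*$
/dev/null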
<< end of /etc/.procmail/rc.spamdump2 >>
<< /etc/procmailrc >>
##VERBOSE=on
PMDIR=/etc/.procmail
SHELL=/bin/sh
LOGFILE=$PMDIR/log
##MAILDIR=$HOME/mail
##INCLUDERC=$PMDIR/rc.vacation
INCLUDERC=$PMDIR/rc.spamdump2
INCLUDERC=$PMDIR/rc.attach
<< end of /etc/procmailrc >>
#############
## PS #######
#############
The file rc.spamdump2 shows the technique for including the reply message from a text file (rather than embedding the message in the recipe as in rc.attach).
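
The `filename=$filext` condition in rc.attach is unanchored, so it fires on a listed extension anywhere in the name, not only at the end. The Python script below is an added example, not part of the original post: it applies the three detection methods from rc.attach (attachment name, audio/x-wav, uuencoded "begin" line) after MIME parsing with an end-anchored extension test, and compares the result with the recipe-style line match. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Extension list copied from filext in rc.attach.
EXTS = ("exe|vbs|bat|com|scr|mpg|mpe|mpeg|m1v|rm|rv|wmv|avi|qt|aif|"
        "pif|lnk|dat|swf|chm")
# The recipe's condition is unanchored: ".exe" anywhere after name= matches.
RECIPE_RE = re.compile(r"name=.*\.(" + EXTS + ")", re.I)
# Anchored check: the blocked extension must be the last one in the name.
EXT_RE = re.compile(r"\.(" + EXTS + r")$", re.I)
UU_RE = re.compile(r"^begin [0-7]{3} (.+)$", re.M)

def recipe_filename_match(raw):
    """Line-oriented match over headers and body, like the ':0 HB' rules."""
    return bool(RECIPE_RE.search(raw))

def blocked_parts(raw):
    """Return (method, filename) for each part a MIME-aware check rejects."""
    hits = []
    for part in message_from_string(raw).walk():
        # filename= from Content-Disposition, else name= from Content-Type
        name = (part.get_filename() or "").strip()
        if EXT_RE.search(name):
            hits.append(("attachment", name))
        if part.get_content_type() == "audio/x-wav":
            hits.append(("audio", name))
        if not part.is_multipart():
            for uu_name in UU_RE.findall(part.get_payload()):
                if EXT_RE.search(uu_name.strip()):
                    hits.append(("uuencode", uu_name.strip()))
    return hits

def mime_message(filename):
    """Constructed sample: a text part plus one named attachment."""
    return ("From: sender@example.org\nTo: user@example.org\nSubject: test\n"
            'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nSee attached.\n"
            "--b1\nContent-Type: application/octet-stream\n"
            f'Content-Disposition: attachment; filename="{filename}"\n\n'
            "placeholder payload\n--b1--\n")

SAMPLE_LEGIT = mime_message("Q3.executive.summary.doc")  # constructed
SAMPLE_EXE = mime_message("setup.exe")                   # constructed
SAMPLE_UU = ("From: sender@example.org\nSubject: test\n\n"
             "begin 666 game.exe\nplaceholder\nend\n")   # constructed

if __name__ == "__main__":
    for raw in (SAMPLE_LEGIT, SAMPLE_EXE, SAMPLE_UU):
        print(recipe_filename_match(raw), blocked_parts(raw))
```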