Scott, as you may have discovered, the first rule (for MIME-encoded attachments) was 
missing the double quote (") following the file extension, causing it to filter more 
attachments than just the virus-laden ones it is intended to intercept, including some 
html attachments and zips.  

The IMAIL Knowledgebase article was rewritten on Wed., 3/7/01 to correct this error.
http://support.ipswitch.com/kb/IM-19980116-DD08.htm

Also, your rules seem to be missing the * for "repeated any number of times".

Yours (ignore the !):
> B~(name=".\.vb!s|name=".\.sh!s|name=".\.sc!r):virus
> B~(Begin 6.\.vb!s|Begin 6.\.sh!s|Begin 6.\.sc!r):virus

Should read:
> B~(name=".*\.vb!s"|name=".*\.sh!s"|name=".*\.sc!r"):virus
> B~(Begin 6.*\.vb!s|Begin 6.*\.sh!s|Begin 6.*\.sc!r):virus

NOTES:
All MIME attachments are prefaced by the string 
        name="filename.ext"
(while Uuencoded attachments start with 
        begin 6nn  - where nn is variable)

Thus, to filter all MIME attachments with the extension ".ggg", we would use the rule:
        B~name=".*\.ggg":virus

where the rule components are defined as follows: 
B - Body of the message
~ - containing
name=" - the first part of the literal we're seeking
.* - followed by any characters (.) repeated any number of times (*)
\. - followed by a period
ggg" - followed by ggg"
:virus - send to the virus folder

Rules only filter the first 32K of any message.

Michael
--
Michael Ernst
Computer Systems Administrator
The Woods Hole Research Center
http://www.whrc.org

> ----------------------------------------------------------------------
> 
> From: "Scott R. Morgan" <[EMAIL PROTECTED]>
> Subject: [IMail Forum] Rule Filters
> Date: Wed, 7 Mar 2001 22:33:34 -0600
> Reply-To: [EMAIL PROTECTED]
> 
> I am filtering for ex!e, sc!r and vb!s files.  I seem to be catching other
> files though in this filter.  I am trapping zip files for one. (Obviously,
> all references here and following with ! marks need to be removed)
> 
> Here is the rule as I have it set up:
> B~(name=".\.vb!s|name=".\.sh!s|name=".\.sc!r):virus
> B~(Begin 6.\.vb!s|Begin 6.\.sh!s|Begin 6.\.sc!r):virus
> B~name=".\.ex!e":virus
> 
> The first question is why am I catching the zip files?
> 
> Thanks for the help in advance.
> 
> Scott R. Morgan
> [EMAIL PROTECTED]
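
Added example (not part of the original thread, and not IMail code): the three forms of the MIME rule discussed above, run against constructed attachment header lines for the placeholder extension ".ggg". Python's `re` module stands in for IMail's rule matcher, which is an assumption; the sample lines and the helper names `rule_hits` and `compare` are made up for illustration, and the over-match shown for the missing quote is one way such a rule can catch unrelated attachments.

```python
import re

# The post states that rules only filter the first 32K of a message.
SCAN_LIMIT = 32 * 1024

# Three variants of the MIME rule for the placeholder extension ".ggg".
RULES = {
    "no_star":   r'name=".\.ggg"',   # "." without "*": exactly one character before the dot
    "no_quote":  r'name=".*\.ggg',   # closing double quote missing after the extension
    "corrected": r'name=".*\.ggg"',  # form given in the reply
}

# Constructed sample header lines (not taken from real mail).
SAMPLES = [
    'Content-Type: application/octet-stream; name="a.ggg"',
    'Content-Type: application/octet-stream; name="invoice.ggg"',
    'Content-Type: application/zip; name="backup.ggg.zip"',
    'Content-Type: text/html; name="page.gggx"',
    'Content-Type: application/zip; name="photos.zip"',
]


def rule_hits(pattern, body, limit=SCAN_LIMIT):
    """Return True if the pattern matches inside the scanned part of the body."""
    return re.search(pattern, body[:limit]) is not None


def compare(samples=SAMPLES):
    """Map each sample line to the names of the rule variants that match it."""
    return {
        line: [name for name, pattern in RULES.items() if rule_hits(pattern, line)]
        for line in samples
    }


if __name__ == "__main__":
    for line, hits in compare().items():
        print(f"{line:62} -> {', '.join(hits) or 'no match'}")
```

Only the corrected form matches exactly the two ".ggg" attachments: the form without `*` misses any name longer than one character, and the form without the closing quote also matches names where ".ggg" is followed by more text.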

