Re: Procmail virus filtering

From: Jonas Anden
Date: 12/06/01

From: Jonas Anden
To: Richard Garand
Date: 06 Dec 2001 08:11:33 +0100

> :0
> * "gone.scr"
> /var/spool/infectedmail
>
> I tried manually egreping the message (I saw a mention of procmail passing
> the recipe string to egrep in the manpage), and the second one matched two
> lines, so why doesn't procmail match at least the second rule?

I see three problems with the rule:

1. You need to remove the quotation marks. The actual mail doesn't
include the quotation marks (at least not on both sides of the
filename), and egrep filters out the quotation marks when it finds a
matching pair at the start and end of a regexp.

2. You are egrepping the header. By default, the rules only scan the
headers for information (this is a whole lot faster, and most of the
time this is what you want). You need to add the 'B' flag to the rule to
say 'egrep the body'.

3. In addition to that, you need to prepend the '.' with a '\'. The dot
is the 'any' key of regexp which will match anything. The string
"gone.scr" will match, but so will the string "goneascr".

Try this for a rule:

:0 B :
* name=gone\.scr"
/var/spool/infectedmail

Hint: 'man procmailrc' gives lots of tips, 'man procmailex' gives lots
of examples.

  // J
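
The header/body scope from point 2 and the unescaped dot from point 3 can be reproduced with egrep-style matching on a test message. The script below is an added example, not part of the original post; the sample message is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample message: header block, blank line, then a MIME body.
sample_msg() {
cat <<'EOF'
From: sender@example.com
To: user@example.com
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

How are you? I have goneXscr for you.
--b1
Content-Type: application/octet-stream; name="gone.scr"
Content-Disposition: attachment; filename="gone.scr"

(attachment data omitted)
--b1--
EOF
}

# The header is everything up to the first blank line; this is the only
# part a procmail condition sees unless the recipe carries the B flag.
msg_header() { sample_msg | sed '/^$/q'; }
# The body is everything after that first blank line.
msg_body()   { sample_msg | sed '1,/^$/d'; }

# count_matches PART REGEX
# Prints how many lines of PART (header or body) match the extended regex.
count_matches() {
    case "$1" in
        header) msg_header ;;
        body)   msg_body ;;
    esac | grep -E -c -- "$2" || true   # grep -c exits 1 on zero matches
}

# Compare the escaped and unescaped pattern against each part.
for part in header body; do
    for re in 'gone\.scr' 'gone.scr'; do
        printf '%-6s %-10s %s line(s)\n' "$part" "$re" "$(count_matches "$part" "$re")"
    done
done
```

The attachment name only appears in the MIME part headers, which are part of the message body as far as procmail is concerned, so a header-only condition finds nothing. The unescaped pattern also counts the "goneXscr" line in the text part.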
