On 05/02/2014 00:21, Stephan Bosch wrote:
Hi,
On 1/30/2014 7:50 PM, Tim Dickson wrote:
is there any chance of rfc5703 (mime support/extension) being added to pigeonhole?

There are plans for that, but there is no concrete timeline.

hopefully soon :-)

I am trying to filter mail with .exe and .zip attachments, to no success.
I can't use body because that doesn't include the mime headers, so the only way I can see is to use mime (aka rfc5703).
I am using dovecot 2.1.8 with pigeonhole 0.3.3 (and am about to use dovecot 2.2.9 with pigeonhole 0.4.2 on another server).
If I'm just missing the point, or there is already support, please point me in the right direction.

You only need to test for the existence of certain attachments:
require "body";
require "relational";
require "fileinto";

if body :count "gt" :content "application/x-zip-compressed" "0" {
    fileinto "Zip";
} else {
    fileinto "NoZip";
}
This tests whether there are more than zero message parts with content-type "application/x-zip-compressed".
Regards,
Stephan.
many thanks for the reply.
I did previously try
body :raw :contains ["application/x-zip-compressed","application/x-silverlight"]
which catches zip and scr files but does nothing for exe files (or pif ones), both of which share types with other file types. The ideal would be to scan the "filename" part of the attachment header. The line below does that roughly by brute force.
body :raw :regex ["filename=.*\\.exe","filename=.*\\.pif","filename=.*\\.scr","filename=.*\\.zip"]
This would let me test for other sorts of attachment easily as well.
Unless the :content test included filename, which rfc5173 doesn't seem to mention, :content does not let me identify exe as distinct from bin, class, dll, dmg, dms, lhs, lza, etc., as they all have the same content type. It also doesn't help with pif files (which I didn't mention earlier, but are also common for malware) and which have a content type of text/plain with base64 encoding, which is odd for what amounts to a binary with executable capability.
hopefully, the :mime support will come soon :-)
regards,
Tim
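An added example, not part of the thread and not Pigeonhole code: the per-part filename check discussed above, done with Python's standard `email` parser, which can be used to check which parts of a message a filename-based filter should catch. The function name `flagged_attachments` and the sample message are constructed for illustration; the sample covers a folded `filename`, a `text/plain` part carrying a `.pif` name, and an RFC 2231 encoded `filename*`.

```python
from email import message_from_string

BLOCKED = (".exe", ".pif", ".scr", ".zip")  # extensions named in the thread

def flagged_attachments(raw_message, blocked=BLOCKED):
    """Return (content_type, filename) for each leaf MIME part whose
    decoded filename ends in a blocked extension."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        # get_filename() reads the Content-Disposition "filename" parameter,
        # falls back to the Content-Type "name" parameter, and decodes
        # folded headers and RFC 2231 (filename*=) values.
        name = part.get_filename()
        if name and name.strip().lower().endswith(blocked):
            hits.append((part.get_content_type(), name))
    return hits

# Constructed sample message (not taken from the thread).
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename="setup.EXE"

TVo=
--BOUND
Content-Type: text/plain; name="readme.pif"

TVo=
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=UTF-8''invoice%20copy.scr

TVo=
--BOUND
Content-Type: application/octet-stream; name="library.dll"

TVo=
--BOUND--
"""

if __name__ == "__main__":
    print(flagged_attachments(SAMPLE))
```

The second hit is reported with content type text/plain, and the `.dll` part shares application/octet-stream with the `.exe` part, so a content-type test alone cannot separate them.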