[Esd-l] Catching email based on subject

Paul Ferwerda paul at ferwerda.net
Sun Jan 5 18:26:01 PST 2003


I realize that this is probably a really dumb question, but we've got email
over SSL and we're getting email with the following sorts of headers which
takes forever to download:

Subject: W32.Klez.E removal tools
MIME-Version: 1.0
X-Security: MIME headers sanitized on srv01.mxtabs.net
    See http://www.impsec.org/email-tools/sanitizer-intro.html for details.
    $Revision: 1.137 $Date: 2002-12-22 16:59:17-08
Content-Type: multipart/alternative;
    boundary=A2FH43M0r9q5W90aUN297sSt
X-Status:
X-Keywords:
X-UID: 28

--A2FH43M0r9q5W90aUN297sSt
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

Sophos give you the very W32.Klez.E removal tools
W32.Klez.E is a very dangerous virus that spread through email.

For more information,please visit http://www.Sophos.com

--A2FH43M0r9q5W90aUN297sSt
Content-Type: TEXT/PLAIN;
X-Content-Security: [srv01.mxtabs.net] REPORT: Attachment "install.exe" stripped
Content-Description: SECURITY NOTICE

SECURITY NOTICE: The mail system has removed a file attachment from this
message. The attachment has been discarded. Please contact your system
administrator for details. Filename: install.exe

--A2FH43M0r9q5W90aUN297sSt
--A2FH43M0r9q5W90aUN297sSt
Content-Type: application/octet-stream; name="Yosemite.jpg"
Content-ID:
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAgEASABIAAD/7RFWUGhvdG9zaG9wIDMuMAA4QklNBAQAAAAAAJkcAgAA
....and the rest of the file...

I don't want to have to download an email containing that stuff. What is the
best way to set up a rule in my local-rules.procmail in order to intercept
that sort of message?

or

Subject: Undeliverable mail--"Enlarge Photo"
MIME-Version: 1.0
X-Security: MIME headers sanitized on srv01.mxtabs.net
    See http://www.impsec.org/email-tools/sanitizer-intro.html for details.
    $Revision: 1.137 $Date: 2002-12-22 16:59:17-08
Content-Type: multipart/alternative;
    boundary=Yzi73p2FhKyz24k407Z4OX9L6448g
Date: Fri, 3 Jan 2003 06:29:10 -0500
X-Status:
X-Keywords:
X-UID: 14

--Yzi73p2FhKyz24k407Z4OX9L6448g
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

The following mail can't be sent to info at edjoin.org:

From: mxtabs at mxtabs.net
To: info at edjoin.org
Subject: Enlarge Photo
The attachment is the original mail

--Yzi73p2FhKyz24k407Z4OX9L6448g
Content-Type: TEXT/PLAIN;
X-Content-Security: [srv01.mxtabs.net] REPORT: Attachment "Zoj.bat" stripped
Content-Description: SECURITY NOTICE

SECURITY NOTICE: The mail system has removed a file attachment from this
message. The attachment has been discarded. Please contact your system
administrator for details. Filename: Zoj.bat

--Yzi73p2FhKyz24k407Z4OX9L6448g
--Yzi73p2FhKyz24k407Z4OX9L6448g
Content-Type: application/octet-stream;
    name="206386878.110693889.IM1.MAIN.240x1 80_A.240x160[1].jpg"
Content-ID:
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQEASABIAAD/4SNnRXhpZgAATU0AKgAAAAgACAEPAAIAAAAWAAABsgEQ
...etc.

Thanks!

Paul
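
One way such a rule could look, as an added example that is not part of the original post and not taken from the sanitizer's own rule files. The QUARANTINE path and the size threshold are assumptions, and the second recipe only matches if it runs after the sanitizer has rewritten the message.

```procmail
# Added example. QUARANTINE is a hypothetical mbox path; filing to a
# folder instead of /dev/null keeps false positives recoverable.
QUARANTINE=$HOME/mail/klez-quarantine

# Recipe 1: the two Subject patterns shown in the sample messages.
# The trailing colon on ":0:" requests a lockfile for the mbox write.
:0:
* ^Subject:.*(W32\.Klez\.E removal tools|Undeliverable mail--)
$QUARANTINE

# Recipe 2: messages where the sanitizer already stripped an executable
# but a large second attachment is still riding along.
# The report line sits in a MIME part header, which procmail treats as
# body text, so the B flag is required for the regex to see it.
# The 20000-byte threshold is a constructed value: small stripped
# messages are cheap to download and can be left in the inbox.
:0 B:
* REPORT: Attachment ".*" stripped
* > 20000
$QUARANTINE
```

Because procmail runs at delivery time on the server, messages filed this way never reach the mailbox the client downloads from.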


