Nigel Metheringham <Nigel.Metheringham@???> probably said:
> I am not a filter expert :-(, and have not tested this, but how about
> something like this as a starting point:-
>
> if ($message_body matches "^\\s+name=[A-Za-z0-9_-.]+.[vV][bB][sS]" or
> $message_body matches "^begin \\d\\d\\d .+\\.[vV][bB][sS]")
> ... then/action/endif
I'm using, so far:
if (($header_content-type MATCHES "(?i)multipart/mixed" and
($message_body MATCHES "(?i)content-type: .*(file)?name=\"?[A-Za-z0-9.-]+\\\\.vbs") or
$message_body MATCHES "(?i)\\\\s+(file)?name=\"?[A-Za-z0-9.-]+\\\\.vbs") or
$message_body MATCHES "(?i)begin \\\\d\\\\d\\\\d .+\\\\.vbs") then
freeze text "Contains a possible .vbs script"
endif
The [_-.] was failing for me, ordering problem. The range I have needs
to be expanded to valid characters; I was actually thinking about
using not-white-space.

I had to add (file)? to the name section, and used (?i) to get it
caseless to avoid all the [vV] stuff.

Do people think matching on begin... is worth doing if the content-type
is not multipart/mixed? What other content types are dangerous?
> [NB for those following... matches does regexp comparisons... but there
> is a problem with quoting - hence the \\ in there.
I found I had to use \\\\ to get a \ in the resultant match.
> Is a ^ [beginning of line anchor] OK to use here, or does it have to
> match a previous line end character instead?]
I don't think ^ works in $message_body, since it's one large string ...
I need to go fetch my regexp book for a good answer to that one.
Any further advance on this from anyone else?
P.
--
pir pir@??? pir@???
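
Added example, not part of the original message: a Python sketch of the two regex pitfalls discussed in this thread, the `[_-.]` range-ordering error and `^` applied to a body held as one large string. The sample body, file names and function names are constructed for illustration, and Python's `re` stands in for the filter's regex engine; it does not reproduce how Exim builds $message_body.

```python
import re

# Constructed sample: the body of a multipart/mixed message as one string.
SAMPLE_BODY = (
    "--boundary42\n"
    "Content-Type: text/plain\n\n"
    "See attached.\n"
    "--boundary42\n"
    "Content-Type: application/octet-stream;\n"
    '\tname="holiday_photos.txt.vbs"\n\n'
    "begin 644 report.vbs\n"
    "M9&EM('@*\n"
    "end\n"
    "--boundary42--\n"
)

# '_-.' inside a class is read as a range from '_' (0x5F) down to '.' (0x2E).
BAD_CLASS = r"name=[A-Za-z0-9_-.]+\.vbs"
# Putting the hyphen last makes it a literal character.
GOOD_CLASS = r"name=[A-Za-z0-9_.-]+\.vbs"

def compiles(pattern):
    """Return True if the regex engine accepts the pattern."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

# The "not-white-space" idea from the thread: any run of non-space, non-quote
# characters ending in .vbs, caseless via (?i), with the optional "file" prefix.
MIME_NAME = re.compile(r'(?i)\s(?:file)?name="?[^\s"]+\.vbs\b')
# Without multiline mode, ^ matches only at the very start of the string.
UU_ANCHORED = re.compile(r"(?i)^begin \d\d\d .+\.vbs")
# With (?m), ^ also matches immediately after each newline.
UU_MULTILINE = re.compile(r"(?im)^begin \d\d\d .+\.vbs")

def flag_vbs(body):
    """Return the reasons a body would be held as a possible .vbs carrier."""
    reasons = []
    if MIME_NAME.search(body):
        reasons.append("mime-name")
    if UU_MULTILINE.search(body):
        reasons.append("uuencode")
    return reasons

if __name__ == "__main__":
    print("bad class compiles:", compiles(BAD_CLASS))
    print("good class compiles:", compiles(GOOD_CLASS))
    print("anchored ^ finds uuencode line:", bool(UU_ANCHORED.search(SAMPLE_BODY)))
    print("flags:", flag_vbs(SAMPLE_BODY))
```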