Ok, here is what I have for file attachments in a system filter,
if $header_Content-type matches
"(multipart/mixed|application/octet-stream)" then
if $message_body matches
"filename=\".*\\..*\\.(exe|ad[ep]|ba[st]|chm|cmd)\"" or
$message_body matches
"filename=\".*\\..*\\.(cpl|crt|pif|hlp|hta|in[fs]isp)\"" or
$message_body matches
"filename=\".*\\..*\\.(jse?|lnk|md[be]|ms[cipt]|pcd)\"" or
$message_body matches
"filename=\".*\\..*\\.(pcd|reg|scr|shs|vb[se]|ws[fhc])\""
then
etc..... etc....
I can't seem to get this to work with a double extension, like
somefile.txt.exe,
and would it be nice if it could find a triple as well.
