Computing Facilities
Electrical and Computer Engineering
Northwestern University


Filtering Dangerous Microsoft Windows Attachments

Nearly all of today's Windows viruses are propagated between PCs via email attachments. In the past, one could rely on a simple rule: if you received an attachment from a stranger, you shouldn't open it. Nowadays, a virus searches an infected PC's Microsoft Outlook address book (among other files) and sends copies of itself with a forged "from" address. The end result is that Windows users can no longer easily tell whether it's safe to open attachments, because they now appear to come from people they know. That's why anti-virus software is now a necessity for people who use Windows-based mail clients such as Eudora, Netscape, and most especially Outlook.

One solution to this problem is to filter out the most common and most threatening attachment types before they even reach Windows. On ECEnet, the mail servers all run UNIX or Linux, so they are inherently invulnerable to these viruses. Using procmail, one can easily move any incoming message that contains obviously dangerous attachments into a quarantine mailbox for later perusal and removal by the user.

To automatically start filtering .exe, .com, .pif, and .scr attachments, simply download the procmail code and place it at the top of your ~/.procmailrc file. If you don't already have a ~/.procmailrc file, create one.
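One way such a filter can be written, shown as an added example and not the ECE download referenced above. Only the four extensions and the VIRUSES mailbox name come from this page; the recipe layout and regular expressions are assumptions.

```procmail
# Added example, not the ECE-provided code. Place at the top of ~/.procmailrc.
# VIRUSES is a relative mailbox name, so it is created under $MAILDIR
# (procmail's default MAILDIR is $HOME unless your rc file sets it).

# Recipe 1: quarantine mail that names an attachment ending in
# .exe, .com, .pif or .scr on the Content-Type/Content-Disposition line.
#   HB  search header and body: in a multipart message each attachment's
#       Content-Type / Content-Disposition lines are part of the body.
#   :   (trailing colon) take a lock on VIRUSES while appending to it.
# procmail matches case-insensitively, so REPORT.EXE is caught as well.
# The pattern tests the final extension, so report.doc.pif also matches.
:0 HB:
* ^Content-(Type|Disposition):.*name *= *"?.*\.(exe|com|pif|scr)("|;| |$)
VIRUSES

# Recipe 2: the same test for a folded MIME header, where name= or
# filename= sits on an indented continuation line inside the body.
# The bracket expression holds one space and one tab.
:0 HB:
* ^[ 	]+(file)?name *= *"?.*\.(exe|com|pif|scr)("|;| |$)
VIRUSES
```

Attachment names that are MIME-encoded (for example base64 encoded-words) do not contain the literal extension and pass through these recipes, which is one reason the filter complements anti-virus software instead of replacing it.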

A final, important note: these filters do not delete messages with attachments; they simply move them automatically to a mailbox named VIRUSES. This mailbox must periodically be checked and erased! If you don't understand what that means or how to do it, please either contact root for help or do not set up these filters.

2145 Sheridan Road . Evanston / IL . 60208
Phone: 847-491-8140 . FAX: 847-491-4455
webmaster@ece.northwestern.edu

Copyright © 2003 Northwestern University § All rights reserved § Tue Apr 20 13:34:01 CDT 2004