mpartinfo2hdr - Pipe script for filtering mail by attachment properties

written by Jarno Elonen <elonen@iki.fi>, 2003-2004, released in Public Domain

mpartinfo2hdr is a simple Python script that:

The point of the program is to make it possible to write attachment-based filtering rules for mail readers that don't support them natively. The script now also looks inside zip files, so you can try to spot zipped viruses as well.

Download mpartinfo2hdr.py!

The added header fields look like this:

X-Msg-Part-Info: attachment; size="106496";
  md5sum="b09e26c292759d654633d3c8ed00d18d";
  claimedmime="audio/x-wav"; name="gvzvfszn.exe";
  guessedmime="application/x-dosexec"

Another example with multiple parts, one of them being a zip file:

X-Msg-Part-Info: partinfo; zipcontent; name; guessedmime="text/plain;
        charset=iso-8859-1"; md5sum="a16ee1b0cbccf0f051504a70a328753a";
        claimedmime; size="185"
X-Msg-Part-Info: partinfo;
        zipcontent="'p-zipped_file_data .pif':CRC3984058962 ";
        name="your_docs.zip"; guessedmime="application/x-zip";
        md5sum="106034591fafa6d70b739598a1a43753";
        claimedmime="application/octet-stream"; size="49821"
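As an added illustration of how fields like these are produced (example code written for this page, not the mpartinfo2hdr script itself): walk a MIME message, hash each leaf part, record the claimed Content-Type next to a content-sniffed one, and list zip members in the 'name':CRC<n> form shown above. The two-entry magic table, the "partinfo;" lead token and the constructed sample message are assumptions; which type guesser the real script uses is not stated on this page.

```python
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Leading-byte sniffing stands in for a real content-type guesser (libmagic
# or similar); which guesser mpartinfo2hdr itself uses is not stated here.
MAGIC_PREFIXES = [
    (b"MZ", "application/x-dosexec"),     # DOS/Windows executable header
    (b"PK\x03\x04", "application/x-zip"),
]


def guess_mime(data: bytes) -> str:
    """Guess a MIME type from content, independent of the claimed Content-Type."""
    if not data:
        return "application/x-empty"      # gateways sometimes strip attachment bodies
    for prefix, mime in MAGIC_PREFIXES:
        if data.startswith(prefix):
            return mime
    try:
        data.decode("ascii")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


def zip_listing(data: bytes) -> str:
    """List zip members as 'name':CRC<crc> entries, the shape in the page's example."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "".join(f"'{zi.filename}':CRC{zi.CRC} " for zi in zf.infolist())
    except zipfile.BadZipFile:
        return ""


def part_info(part) -> dict:
    """Collect the fields reported for one non-multipart MIME part."""
    payload = part.get_payload(decode=True) or b""
    info = {
        "size": str(len(payload)),
        "md5sum": hashlib.md5(payload).hexdigest(),
        "claimedmime": part.get_content_type(),   # what the sender says it is
        "name": part.get_filename() or "",
        "guessedmime": guess_mime(payload),        # what the bytes say it is
    }
    if info["guessedmime"] == "application/x-zip":
        info["zipcontent"] = zip_listing(payload)
    return info


def format_header(info: dict) -> str:
    fields = "; ".join(f'{key}="{value}"' for key, value in info.items())
    return f"X-Msg-Part-Info: partinfo; {fields}"


def add_part_headers(msg: EmailMessage) -> list:
    """Add one X-Msg-Part-Info header per leaf part; return the header lines."""
    lines = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        line = format_header(part_info(part))
        msg.add_header("X-Msg-Part-Info", line.split(": ", 1)[1])
        lines.append(line)
    return lines


def build_sample_message() -> EmailMessage:
    """Constructed sample: text body, a fake EXE (DOS header bytes only), a zip holding a .pif."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "your documents"
    msg.set_content("please see attached")
    fake_exe = b"MZ" + b"\x00" * 62            # sniffs as an exe, contains no code
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-wav",
                       filename="gvzvfszn.exe")  # mislabelled, like the page's example
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("p-zipped_file_data .pif", fake_exe)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="your_docs.zip")
    return msg


if __name__ == "__main__":
    for line in add_part_headers(build_sample_message()):
        print(line)
```

The claimed type comes from the part's own Content-Type header and the guessed type from the decoded bytes, which is exactly the disagreement the filtering rules below key on.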

Example filtering rules

For Procmail

# =========================
# Virus attachment check
# =========================
# Only pipe messages smaller than 512000 bytes through the script
:0 fw
* < 512000
| /home/jarno/bin/mpartinfo2hdr

# Newline variable for logging
NL="
"

# Msg-Part-Info fields are usually split along
# several lines so extract (-x) and rejoin (-c)
# them with formail
:0 h
MSGPARTINFO=| formail -c -x"X-Msg-Part-Info:"

# Delete W32/Swen@MM virus messages
:0
* MSGPARTINFO ?? md5sum="b09e26c292759d654633d3c8ed00d18d
{
    LOG="${NL}VIRUS CHECK: certain virus: W32/Swen@MM${NL}"
    :0
    /dev/null
}

# Delete another Swen variant
:0
* MSGPARTINFO ?? md5sum="9d4f624495fb078d4aad32901a1bdf52
{
    LOG="${NL}VIRUS CHECK: certain virus: W32/Swen variant${NL}"
    :0
    /dev/null
}

# Delete W32/Sober.g@MM (zipped virus)
:0
* MSGPARTINFO ?? zipcontent="'.*':CRC3984058962
{
    LOG="${NL}VIRUS CHECK: certain W32/Sober.g@MM virus${NL}"
    :0
    /dev/null
}

# Move probable virus mail to probable-virus folder (1)
:0
* MSGPARTINFO ?? guessedmime="application.x-dosexec
{
    LOG="${NL}VIRUS CHECK: contains a DOS exe, probably virus${NL}"
    :0
    mbox-virus
}

# Move probable virus mail to probable-virus folder (2)
# This is different from the above rule because sometimes
# mail gateways nullify the content of virus attachments,
# making guessedmime report 'application/x-empty'.
:0
* MSGPARTINFO ?? ! claimedmime="application
* MSGPARTINFO ?? name="[^"]*\.(exe|com|pif|scr|vbs)"
{
    LOG="${NL}VIRUS CHECK: lies about not being an exec, probably virus${NL}"
    :0
    mbox-virus
}

# Clean up
:0 fw
| formail -I "X-Msg-Part-Info:"
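The same rule set expressed as an added Python example (written for this page, not part of the script or the recipe above) for readers whose mail setup cannot run procmail: it unfolds the X-Msg-Part-Info headers into one field dict per part and applies the recipe's checks in the same order. The first two inputs are the header examples from this page; the other two are constructed. Unlike the procmail recipe, which matches against the joined header text, the checks here are evaluated per part.

```python
import re

# Parameters look like key="value" or a bare key (empty value), as in the examples.
PARAM_RE = re.compile(r'(\w+)(?:="([^"]*)")?')
EXEC_EXT_RE = re.compile(r"\.(exe|com|pif|scr|vbs)$", re.IGNORECASE)

# Fingerprints taken from the procmail recipe above.
KNOWN_MD5 = {
    "b09e26c292759d654633d3c8ed00d18d": "W32/Swen@MM",
    "9d4f624495fb078d4aad32901a1bdf52": "W32/Swen variant",
}
KNOWN_ZIP_CRC = {"3984058962": "W32/Sober.g@MM"}


def parse_part_info(header_block: str) -> list:
    """Unfold X-Msg-Part-Info headers and return one dict of fields per part."""
    unfolded = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and unfolded:   # RFC 2822 continuation line
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    parts = []
    for line in unfolded:
        name, _, value = line.partition(":")
        if name.strip().lower() != "x-msg-part-info":
            continue
        parts.append({key: val for key, val in PARAM_RE.findall(value)})
    return parts


def classify(parts: list) -> tuple:
    """Apply the recipe's rules in order; return (action, log reason)."""
    for p in parts:                       # certain virus: known attachment md5
        if p.get("md5sum") in KNOWN_MD5:
            return ("delete", "certain virus: " + KNOWN_MD5[p["md5sum"]])
    for p in parts:                       # certain virus: known CRC inside a zip
        for crc in re.findall(r":CRC(\d+)", p.get("zipcontent", "")):
            if crc in KNOWN_ZIP_CRC:
                return ("delete", "certain " + KNOWN_ZIP_CRC[crc] + " virus")
    for p in parts:                       # probable: content sniffed as a DOS exe
        if p.get("guessedmime") == "application/x-dosexec":
            return ("mbox-virus", "contains a DOS exe, probably virus")
    for p in parts:                       # probable: exec extension, non-application claim
        if (not p.get("claimedmime", "").startswith("application")
                and EXEC_EXT_RE.search(p.get("name", ""))):
            return ("mbox-virus", "lies about not being an exec, probably virus")
    return ("deliver", "")


# The first two samples are this page's own examples; the last two are constructed.
SAMPLE_SWEN = '''X-Msg-Part-Info: attachment; size="106496";
  md5sum="b09e26c292759d654633d3c8ed00d18d";
  claimedmime="audio/x-wav"; name="gvzvfszn.exe";
  guessedmime="application/x-dosexec"
'''
SAMPLE_SOBER = '''X-Msg-Part-Info: partinfo; zipcontent; name; guessedmime="text/plain;
        charset=iso-8859-1"; md5sum="a16ee1b0cbccf0f051504a70a328753a";
        claimedmime; size="185"
X-Msg-Part-Info: partinfo;
        zipcontent="'p-zipped_file_data .pif':CRC3984058962 ";
        name="your_docs.zip"; guessedmime="application/x-zip";
        md5sum="106034591fafa6d70b739598a1a43753";
        claimedmime="application/octet-stream"; size="49821"
'''
# Constructed: an attachment whose body a gateway emptied (md5 of zero bytes).
SAMPLE_EMPTIED = '''X-Msg-Part-Info: partinfo; size="0"; md5sum="d41d8cd98f00b204e9800998ecf8427e";
        claimedmime="image/jpeg"; name="photo.scr"; guessedmime="application/x-empty"
'''
# Constructed: a harmless PDF, md5 is a placeholder value.
SAMPLE_CLEAN = '''X-Msg-Part-Info: partinfo; size="2048"; md5sum="0123456789abcdef0123456789abcdef";
        claimedmime="application/pdf"; name="report.pdf"; guessedmime="application/pdf"
'''

if __name__ == "__main__":
    for label, block in [("swen", SAMPLE_SWEN), ("sober", SAMPLE_SOBER),
                         ("emptied", SAMPLE_EMPTIED), ("clean", SAMPLE_CLEAN)]:
        print(label, classify(parse_part_info(block)))
```

The unfolding step matters: a folded value such as guessedmime="text/plain; charset=iso-8859-1" spans two physical lines, which is why the procmail recipe rejoins the header with formail -c before matching.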

For KMail

  1. Add the headers:

    If 'To' doesn't equal 'MATCH_FOR_ALL' then 'pipe through' '/home/jarno/bin/mpartinfo2hdr' and don't stop if this rule matches

  2. Delete certain virus mail:

    If 'any header' matches regexp 'X-Msg-Part-Info:.*b09e26c292759d654633d3c8ed00d18d' then move to trash (the long hex string is MD5 sum of the W32/Swen@MM virus)

  3. Move away probable virus mail:

    If 'any header' matches regexp 'X-Msg-Part-Info:.*guessedmime="application.x-dosexec"' or 'any header' matches regexp 'X-Msg-Part-Info:.*name="[^"]*\.pif".*' then 'move to folder' 'xx_spam/virus'

For spam filtering I recommend the excellent SpamAssassin.