Effective Spam Filtering With Eudora

 



 

EUDORA SPAM FILTER 01
Identifying Dangerous Attached File Types
 

This filter is intended to clearly identify incoming email that has files attached with the specified extensions, EVEN IF they're from someone you know. Since certain file extension types are commonly used to transmit viruses, this is one way to catch those problem attachments and identify them on arrival (assuming your virus scanner software didn't pick them up first). This filter must be placed at the top of the filter list, ahead of the passlist filter, to work correctly. If you have a properly configured and up-to-date virus scanner running, this filter may be redundant, but it offers an extra measure of protection against any brand-new virus attachments that arrive in your email before your virus scanner software gets updated. This filter will identify files with double extensions, such as "a_virus.jpg.exe", as well as regular single-extension names.

Updated 7/08/03 - It is recommended that you allow email identified by this filter to go to your inbox for special handling. You might be expecting the attached files, for example, or your friends and family might write to you and include the phrase "attachment converted" somewhere in their email to you, which will result in a positive match to this filter. In any case, you should never open the email attachment without first scanning it with an up-to-date virus scanning program.

The file type extensions shown here in the filter are not all-inclusive, but are probably the worst of the lot.

 

Match: Incoming and Manual
(apply this filter to incoming or manually filtered email)
Header «Body»
(Check the message body of the email only, and not any headers)
Verb: regexp (case insensitive) (regular expression, not case sensitive)
Value: attachment converted.*\.(exe|com|pif|bat|scr|vbs|lnk|swf|hta)
Actions:  Make Label 2
  Skip Rest  (Don't check this message against the rest of the filters)


What it means:
This filter uses the "regular expression" verb and looks for the phrase "attachment converted" in the body of an email. This phrase is present if there is an attachment*. It then continues through the text until it finds a period "\." followed by one of "exe", "com", "pif", "bat", "scr", "vbs", "lnk", "swf" or "hta".

Example of text this will find:
  "Attachment Converted: "D:\Qualcomm\Eudora\attach\simple_doc.exe""

NOTES*
1) The vertical bar character "|" stands for "or", and is located on your keyboard above the "\", (it may appear on the keyboard to be split in the center) - so to make this character just press <shift> and a backslash "\".
2) Although the phrase "attachment converted" is contained within the body of the email, if you use the "Use Microsoft's Viewer" option (as I do) it won't show up in the email view source window. To see it you must either temporarily uncheck the "Use Microsoft's Viewer" option and then do a "view source" on the email, or else open the appropriate mailbox file ("In.mbx" for example) with Notepad or a similar text editor. This filter will find the phrase no matter which viewer option you use, however.
3) Obviously, if someone writes to you and uses the phrase "attachment converted" in their email, any following instances of ".com" (such as an email address) or any of the other filtered extensions will result in a false-positive hit. For this reason it is recommended to allow these emails to go to your inbox for manual sorting.

The "Make Label" action gives these messages a red label that you've named something like "VIRUS!?" - very handy for quickly identifying at a glance which messages may have dangerous attachments.
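
The filter value above, run over four sample bodies to show the single-extension hit, the double-extension hit and the false positive described in note 3. This is an added example in Python, not part of the original page or of Eudora; the sample bodies are constructed, and STRICT_FILTER is a hypothetical tighter pattern that assumes the marker line always has the form shown in the page's example and has not been tested in Eudora's regexp engine.

```python
import re

EXTS = "exe|com|pif|bat|scr|vbs|lnk|swf|hta"

# The filter value from the page; IGNORECASE mirrors "regexp (case insensitive)".
PAGE_FILTER = re.compile(r"attachment converted.*\.(" + EXTS + ")", re.IGNORECASE)

# Assumed stricter variant (not from the page, not tested in Eudora): the
# marker must start a line and the extension must end the quoted path.
STRICT_FILTER = re.compile(
    r'^attachment converted: "[^"\r\n]*\.(' + EXTS + r')"\s*$',
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample message bodies.
SAMPLES = {
    "single_ext": 'Attachment Converted: "D:\\Qualcomm\\Eudora\\attach\\simple_doc.exe"',
    "double_ext": 'See photo.\nAttachment Converted: "D:\\Qualcomm\\Eudora\\attach\\a_virus.jpg.exe"\n',
    "harmless": 'Attachment Converted: "D:\\Qualcomm\\Eudora\\attach\\report.pdf"',
    "note3_false_positive": "It said attachment converted but I got nothing, mail bob@example.com",
}


def classify(body):
    """Return (page_filter_hit, strict_filter_hit) for one message body."""
    return bool(PAGE_FILTER.search(body)), bool(STRICT_FILTER.search(body))


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```

The last sample is the case note 3 warns about: the page's pattern matches on the ".com" of an email address, which is why flagged mail should still land in the inbox for manual sorting.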