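# procmail filter for malicious M$ Outlook
#
# ftp://ftp.johncon.com/john/quarantine.attachment.email.txt
# http://www.johncon.com/john/receivedIP/index.html
#
# Purpose: divert mail that may carry active content to a quarantine
# mailbox instead of delivering it to the user. Both recipes end in a
# forward action ("!") and neither has the "c" (copy) flag, so a message
# that matches is sent to the quarantine address only.
#
# quarantine@somedomain.com is a placeholder; replace it with a mailbox
# that is itself exempt from this filter.

# Recipe 1 (headers): quarantine every message whose Content-Type is
# multipart/signed or multipart/encrypted.
# NOTE(review): presumably because the body recipe below cannot inspect
# such content reliably; this also diverts all legitimate S/MIME and
# PGP/MIME mail, so confirm that this is the intended policy.
:0
* ^content-type:.*multipart/((signed)|(encrypted));
! quarantine@somedomain.com

#
# ws: optional whitespace, including continuation onto following lines
# that start with whitespace ("$" matches the end of a line).
# Each bracket pair must hold exactly two characters: a literal TAB
# followed by a space. Procmail has no "\t" escape, and the TAB is easily
# lost when this file is copied from a web page or converted by an editor.
# With only a space in the brackets, tab-indented lines are not matched.
#
ws = '[	 ]*($[	 ]+)*'
#      ^^     ^^
#      tab-space  tab-space
#
# dq: a double quote, kept in a variable so that it can be used inside the
# "$"-expanded conditions below.
#
dq = '"'
#
# ext: file name extensions that are treated as suspect. The list is
# deliberately broad (it includes txt, gif, jpg, pdf and html), so expect
# ordinary attachments to be quarantined as well.
#
ext = '(a(d[ep]|s[dx])|ba[st]|c(hm|il|md|om)|d(at|ll|o[ct])|e(ml|xe)|gif|h(lp|t(a|ml?))|ini|j(se?|pe?g)|lnk|m(d[abew]|s[ip])|ocx|p([lm]|[po]t|if|p?s|df|ng)|r(eg|tf)|s(c[rt]|h[bs])|t(xt|iff?)|vb[se]?|w(m[szd]|pd|s[cfh])|xl[swt])'
#
# Recipe 2 (body, flag B): weighted scoring. Every condition uses the
# exponent ^0, so it contributes its weight at most once however often it
# matches. The score starts at -3 and the recipe fires when the total is
# positive:
#   - any single 4-point condition is enough (4 - 3 = 1);
#   - at least two of the three 2-point conditions are needed (4 - 3 = 1);
#     one of them alone is not (2 - 3 = -1).
# The "$" after a weight makes procmail expand ${ws}, ${dq} and ${ext}
# before the expression is compiled.
#
# 4 points: a double-quoted name="..." parameter whose file name contains
#           one of the suspect extensions, optionally followed by further
#           extensions ("(\..*)?").
# 4 points: a uuencode-style "begin <digits> <file name>" line with a
#           suspect extension.
# 4 points: a body part declared as base64, whatever it contains.
# 2 points: HTML document markup (doctype, html, head, body, img, ...).
# 2 points: HTML tags that can load or run content (script, object, embed,
#           iframe, ...).
# 2 points: "=3d", presumably the quoted-printable form of "=" as it
#           appears in encoded HTML attributes.
#
# NOTE(review): the name= condition only covers the double-quoted form of
# the parameter; treat this recipe as a coarse first filter and keep a
# MIME-aware scanner behind it.
# NOTE(review): confirm against procmailrc(5) how the leading "\<" in the
# two tag conditions is read (a quoted "<" or procmail's word-boundary
# operator); in the second case plain words such as "body" or "title"
# would score as well.
#
:0 B
* -3^0
* 4^0 $ name${ws}=${ws}${dq}.*\.${ext}(\..*)?${dq}${ws}$
* 4^0 $ begin${ws}[0-9]+${ws}.*\.${ext}(\..*)?${ws}$
* 4^0 $ ^content-transfer-encoding:${ws}base64
* 2^0 \<(!doctype|html|head|title|body|style|img|bgsound|div)
* 2^0 \<(meta|app|script|object|embed|i?frame|layer)
* 2^0 =3d
! quarantine@somedomain.com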