No more email

Ovid on 2003-09-21T05:05:04

The new Swen worm is killing me. In 14 hours, I received 18 megs of this damned worm, shutting down my email account with Yahoo! I also noticed an unusually low amount of legitimate email, but I have no idea if this is a fluke or if I have a bunch of bounced emails.


Not bounces

bart on 2003-09-21T08:46:48

No it's not you, I receive about 50 of them an hour, at 150k each, that's 60MB/hour. As a fellow victim, I can tell you this: barely any of them are bounces.

I've worked out a simple script that can check, via POP3, the headers and the first $N lines of the mail and delete it if it finds an executable. On average, it'll take less than 10% of the full bandwidth. I'm currently checking to see if I can reduce that while still having a reliable test. You can run it both at home and from a server on the internet — I have it running in a cron job on my web server, which is a different server than where my mail arrives, at my ISP.

I'll post it on Perlmonks shortly. Of course, that won't do you any good if you don't have POP access to your mailbox.

Re:Not bounces

nicholas on 2003-09-21T10:47:08

I receive about 50 of them an hour, at 150k each, that's 60MB/hour

Curious. That's the rate that I was receiving SOBIG.F at, but I'm seeing far fewer Swens. Whereas rafael seems to be experiencing things the same way as you. I wonder why it differs.

Re:Not bounces

bart on 2003-09-21T13:24:58

For those people who usually don't visit Perlmonks, I put the script online at this node:

No more exe

echo on 2003-09-21T09:23:22

The new Swen worm is killing me

That's like standing in the snow naked. .exe files in attachments are a thing of the past. Here's a start:

/^TV[nopqr]....[AB]..A.A/i REJECT Microsoft .exe file, possible virus source
/^M35[GHIJK].`..`..*````/i REJECT Signature matches Microsoft .exe file, possible virus source
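
The check discussed in this thread, sketched as an added example (it is neither bart's Perlmonks script nor echo's own configuration): echo's two patterns applied to only the first few body lines of a message, the way a POP3 TOP fetch would return them. The function names, the 20-line default and the sample message are assumptions made up for this illustration.

```python
import base64
import binascii
import re

# echo's two patterns, copied verbatim; the trailing /i maps to re.IGNORECASE.
EXE_PATTERNS = [
    re.compile(r"^TV[nopqr]....[AB]..A.A", re.IGNORECASE),  # base64 "MZ" header
    re.compile(r"^M35[GHIJK].`..`..*````", re.IGNORECASE),  # uuencoded "MZ" header
]

# Constructed sample: "MZ" magic plus typical DOS header fields, zero-padded
# to 45 bytes (one full uuencode line). It is not a working executable.
MZ_SAMPLE = bytes.fromhex("4d5a90000300000004000000ffff0000") + bytes(29)

def b64_line(data):
    """First base64 line of an attachment, as it appears in a MIME body."""
    return base64.b64encode(data).decode("ascii")

def uu_line(data):
    """First uuencode line, with zero encoded as a backtick as the pattern expects."""
    return binascii.b2a_uu(data, backtick=True).decode("ascii").rstrip("\n")

def build_message(payload_line, encoding="base64"):
    """Constructed message: headers, blank line, one MIME part with the payload."""
    return [
        "From: sender@example.invalid",
        "Subject: constructed sample",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: application/octet-stream",
        "Content-Transfer-Encoding: " + encoding,
        "",
        payload_line,
        "--b1--",
    ]

def has_exe_signature(lines, max_body_lines=20):
    """True if one of the first max_body_lines body lines matches a pattern."""
    body = []
    in_body = False
    for line in lines:
        if in_body:
            body.append(line)
        elif line.strip() == "":
            in_body = True  # the first blank line ends the message headers
    return any(p.search(l) for l in body[:max_body_lines] for p in EXE_PATTERNS)

if __name__ == "__main__":
    print(has_exe_signature(build_message(b64_line(MZ_SAMPLE))))
    print(has_exe_signature(build_message(uu_line(MZ_SAMPLE), "x-uuencode")))
```

Fetching too few body lines makes the check miss the attachment: in the sample message the encoded header is the fifth body line, so a limit of four returns no match.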