Right now I am pretty badly hit by the new Swen virus (formerly known as W32.Gibe). Our university mail-server doesn't yet cut out the offending attachments, so I received around 200 mails last night, each around 140K in size. :-(
I have now stopped fetchmail and set up a little script employing Mail::POP3Client that rigidly deletes anything looking like spam or Swen on the server. I've stopped worrying about false positives for now.
Swen-infected machines increment a webcounter. Hit "reload" occasionally and see the number increase.
Re:POP3 chainsaw
ethan on 2003-09-19T10:39:43
Yup, can do. The raw version follows.
Right now I switched to manual mode. If you modify the commented-out if-conditions a little to suit your specific flavour of mails, you could run it as yes | killmail USER PASS.
If these mails continue to exist tomorrow, I'll refine the script and let it run as a cronjob. I am sick of the current situation. I hope the mail-server admins quickly come up with a server-side solution.
#!/usr/bin/perl -w
use strict;
use Mail::POP3Client;

my ($user, $pass) = @ARGV;
die "usage: $0 USER PASS\n" unless defined $pass;

# Reconnect once a minute; only headers are fetched, so a 140K body never
# has to come down the line before the message is deleted.
while (1) {
    my $pop = Mail::POP3Client->new(
        USER     => $user,
        PASSWORD => $pass,
        HOST     => 'mailbox.rwth-aachen.de',
    );
    die "POP3 login failed: ", $pop->Message, "\n" unless $pop->Alive;

    print "Num message: ", $pop->Count, "\n";
    for my $i (1 .. $pop->Count) {
        # Head() returns the raw header lines; re-join folded continuation
        # lines (leading whitespace) onto the previous header before splitting
        my (%split, $last);
        for ($pop->Head($i)) {
            if (/^\s/ && defined $last) {
                $split{$last} .= " $_";
                next;
            }
            my ($f, $d) = split /: /, $_, 2;
            next unless defined $d;
            $split{$f} = $d;
            $last = $f;
        }
        # if ($split{From} =~ /Microsoft/i or
        #     $split{From} =~ /\bMS\b/ or
        #     $split{Subject} =~ /SPAM/) {
        print $split{Subject} || "<none>", "\n";
        print "Delete (y/n)? ";
        my $input = <STDIN>;
        unless (defined $input) {    # EOF on stdin: commit what we have and stop
            $pop->Close;
            exit 0;
        }
        chomp $input;
        # Only an explicit y/yes deletes. The original test, "yes" =~ /$input/,
        # also fired on a stray "e" or "s", and an empty line gave an empty
        # pattern, which Perl silently replaces with the last successful regex.
        $pop->Delete($i) if $input =~ /^y(?:es)?$/i;
        print "\n";
        # }
    }
    $pop->Close;    # QUIT is what actually commits the Delete()s on the server
    sleep 60;
}
Re:POP3 chainsaw
bart on 2003-09-21T19:12:19
May I point (again) to the script I posted on Perlmonks earlier today? Based on a different POP3 module (Net::POP3) and with a rather different check rule: it checks for a MIME section that has the file name of a Windows executable. my script

Re:POP3 chainsaw
ethan on 2003-09-21T20:25:50
That would have saved me some trouble if I had known it earlier. Right now the worst seems to have been survived. I still receive around a hundred of these mails per hour, but my university's mailserver rips off the attachment, so the mails have shrunk to a tolerable size. That means that I can't check the MIME section any longer either.
I eventually solved it with a few procmail rules. The To: line of these mails always consists of words chosen randomly from a set of nine words. So I just have to check for these words to filter them out reliably.

Re:POP3 chainsaw
nicholas on 2003-09-19T13:58:58
Curious. I've not got that many of these (yet) (about 60), but I did receive a lot of sobig crap (150100 to /dev/null to date, and another 100M or so before I started filtering).