Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

ethan (3163)

  reversethis-{ed. ... rap.nov.olissat}

Being a 25-year old chap living in the western-most town of Germany. Stuying communication and information science and being a huge fan of XS-related things.

Journal of ethan (3163)

Friday September 19, 2003
04:18 AM

Scary counter

[ #14782 ]

Right now I am pretty badly hit by the new Swen virus (formerly known as W32.Gibe). Our university mail-server doesn't yet cut out the offending attachments so I received around 200 mails this night, each around 140K in size. :-(

I have now stopped fetchmail and set up a little script employing Mail::POP3Client that rigidly deletes anything looking like spam and Swen on the server. I've stopped worrying about false positives for now.

Swen-infected machines increment a webcounter. Hit "reload" occasionally and see the number increase.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.
  • Could you post your script ?
    I didn't receive a lot of Sobig crap, but this one is hitting me pretty badly.
    • Yup, can do. The raw version follows.
      Right now I switched to manual mode. If you modify the outcommented if-conditions a little to suit your specific flavour of mails, you could run it as yes | killmail USER PASS.

      If these mails continue to exist tomorrow, I'll refine the script and let it run as cronjob. I am sick of the current situation. I hope the mail-server admins quickly come up with a server-side solution.

      #! /usr/bin/perl -w

      use strict;
      use Mail::POP3Client;

      my ($user, $pass) = @ARGV;


      my $

      • Re:POP3 chainsaw (Score:2, Informative)

        May I point (again) to the script I posted on Perlmonks earlier today? Based on a different POP3 module (Net::POP3) and rather different in check rule: it checks for a MIME section that has the file name of a Windows executable. my script []
        • That would have saved me some trouble if I had known it earlier. Right now the worst seems to be survived. I still receive around a hundred of these mails per hour, but my university's mailserver rips off the attachment so the mails' size has shrunken to a tolerable size. That means that I can't check the MIME section any longer either.

          I eventually solved it with a few procmail rules. The To: line of these mails always consists of words chosen randomly from a set of nine words. So I just have to check for
    • Curious. I've not got that many of these (yet)(about 60), but I did recieve a lot of sobig crap (150100 to /dev/null to date, and another 100M or so before I started filtering)