Simon Burton fed this fish to the penguins on Friday 19 September 2003
11:52 pm:
> This was so easy :)
Probably helps to have an ISP that inserts the X-Spam-Level header <G>
It was missing too many variants on my runs, so I took it as inspiration
for this (not fully tested) variation, which counts up the words in both
the Subject and From headers that match candidate lists.
"""
SwenKill.py  Dennis Lee Bieber  September 20 2003

Based upon a program presented on comp.lang.python.

Checks POP3 headers for hallmarks of a Swen trojan package and deletes
any qualifying message before it is downloaded (note: depending on
check times, the MUA may still download messages before this routine
has checked them).

Usage:
    python swenkill.py pop3.server.address user.name password

If imported, one can create multiple instances of the checker, and
embed them within their own timing check loop.
"""
import sys
import time
from poplib import *
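# Seconds to sleep between two sweeps of the mailbox when run as a script.
CHECKINTERVAL = 90

# Candidate words for the Subject: header.  The header line is lower-cased
# before it is compared, so every entry here must be lower case as well.
# "unknown" was misspelled "unkown" in the posted list, so a subject such as
# "user unknown" was scored one word lower than intended.
# split() without an argument also tolerates trailing blanks that a mail or
# forum gateway may have appended to the lines of this literal.
SubjectWords = """advice
bug
critical
current
error
failure
internet
last
latest
letter
microsoft
net
network
new
newest
notice
pack
patch
report
returned
security
unknown
undeliverable
undelivered
update
upgrade
user""".lower().split()

# Candidate words for the From: header, normalised the same way.
FromWords = """Administrator
Assistance
Bulletin
Center
Corporation
Delivery
Department
Email
Inet
Internet
Mail
Message
Microsoft
MS
Net
Network
Program
Public
Section
Security
Service
Storage
Technical""".lower().split()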
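class SwenKiller:
    """Sweep one POP3 mailbox and delete messages that score as Swen mail.

    The decision is a keyword count over the From: and Subject: headers plus
    a size window, so it is a heuristic: legitimate mail (for instance a real
    bounce or a vendor security notice) can reach the threshold too.  DELE is
    committed by the server when the session ends with QUIT and cannot be
    undone from here, so the printed log is the only record of what was
    removed.

    poplib.POP3 is the plain, unencrypted POP3 client; the user name and
    password given to the constructor are sent with USER/PASS as-is.
    """

    def __init__(self, pop3, username, password):
        """Store the POP3 host name and the credentials used by kill()."""
        self.pop3 = pop3
        self.username = username
        # Held in clear text for the life of the instance because kill()
        # logs in again on every sweep.
        self.password = password

    def kill(self):
        """Log in, score every message by its headers, delete the matches.

        A message is deleted when more than two Subject words or more than
        two From words match the candidate lists, or when its size lies
        strictly between 140000 and 170000 bytes and at least one word (or a
        missing header) scored.  Only the headers are fetched (TOP n 0).

        Errors from poplib or the socket propagate to the caller.  The
        session is always closed with QUIT, which also commits any DELE
        issued before the error occurred.
        """
        mbox = POP3(self.pop3)
        try:
            mbox.user(self.username)
            mbox.pass_(self.password)
            stat = mbox.stat()
            print("%s %s \tstat %s" % (self.pop3, self.username, stat))

            for entry in mbox.list()[1]:
                # Each LIST entry is "<message number> <size in octets>".
                fields = entry.split()
                inum = int(fields[0])
                sz = int(fields[1])
                print("Msg #%.3d\t%d" % (inum, sz))

                subject = ""
                sender = ""  # "from" is a keyword, can't be used as a name
                for line in mbox.top(inum, 0)[1]:
                    # Newer poplib versions hand back bytes; latin-1 maps
                    # every byte to a character, so this cannot fail.
                    if not isinstance(line, str):
                        line = line.decode("latin-1")
                    line = line.lower()
                    if line.startswith("from:"):
                        sender = line.replace('"', '')
                    if line.startswith("subject:"):
                        subject = line.replace('"', '')

                size_check = 140000 < sz < 170000
                subject_count = len([w for w in subject.split()
                                     if w in SubjectWords])
                from_count = len([w for w in sender.split()
                                  if w in FromWords])

                # A missing or empty header counts as one hit.  strip() makes
                # this work whether or not a blank follows the colon.
                if subject.strip() in ("", "subject:"):
                    subject_count += 1
                if sender.strip() in ("", "from:"):
                    from_count += 1

                print("(Scored: size=%s subject=%s from=%s)"
                      % (size_check, subject_count, from_count))

                if (subject_count > 2 or from_count > 2
                        or (size_check and (subject_count or from_count))):
                    print("DELETED:")
                    mbox.dele(inum)
                # NOTE(review): the posted listing lost its indentation; this
                # summary is assumed to be printed for every message, not
                # only for deleted ones.  Confirm against the original.
                print("\t%s\n\t%s\n" % (subject, sender))

            print("Check Done")
            print(" ")
        finally:
            # Always end the session so the server releases the mailbox,
            # even when a command above raised.
            mbox.quit()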
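if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(__doc__)
    else:
        # The password arrives as a command-line argument, so it is visible
        # to other local users in the process listing and may end up in
        # shell history.
        killer = SwenKiller(sys.argv[1], sys.argv[2], sys.argv[3])
        try:
            while 1:
                print(" ")
                try:
                    killer.kill()
                except KeyboardInterrupt:
                    # On old interpreters KeyboardInterrupt derives from
                    # Exception; re-raise it so <ctrl-c> still stops the loop.
                    raise
                except Exception:
                    # A bare "finally: pass" does not suppress anything; the
                    # first failed sweep used to end the program.  Report the
                    # error and try again after the usual interval.
                    print("kill() failed: %s" % (sys.exc_info()[1],))
                time.sleep(CHECKINTERVAL)
        except KeyboardInterrupt:
            pass  # allow <ctrl-c> to end the sleep and exit quietly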
I need to clean up the try: blocks; these were just quick
placeholders.
--
> ============================================================== <
> wlfraed@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG <
> wulfraed@dm.net | Bestiaria Support Staff <
> ============================================================== <
> Bestiaria Home Page: http://www.beastie.dm.net/ <
> Home Page: http://www.dm.net/~wulfraed/ <