
spam killing with poplib


This was so easy :)

Simon Burton.
#!/usr/bin/env python

import sys
from time import sleep
from poplib import *

canit = """Newest Internet Critical Pack
New Internet Upgrade
Message: User unknown
Last Net Critical Patch
last pack
error notice
Failure Advice
failure message
Bug Message
Newest Internet Critical Pack
Advice
last net security pack
Latest Microsoft Security Upgrade
Latest Upgrade
Last Network Critical Update
Current Net Security Pack
new net pack
Last Network Security Pack
Security Pack
Security Update
Critical Upgrade
Undelivered Message
Security Upgrade
Net Update
security pack
Bug Letter
Network Pack
New Net Update
""".split("\n")[:-1]
#print canit
#sys.exit(0)
def doit():
    mbox = POP3( "pop.webone.com.au" )

    mbox.user( "XXX" )
    mbox.pass_( "XXX" )

    stat = mbox.stat()
    print "stat",stat

    ilist = mbox.list()
    olist = []
    for info in ilist[1]:
        info = str.split( info )
        i, sz = int(info[0]), int(info[1])
        spam = 0
        print "msg #%.3d\t%d"%( i, sz )
        header = mbox.top( i, 0 )[1]
        subject = ""
        sender = ""
        for line in header:
            #print "\t",line
            if line.startswith( "From:" ):
                sender = line
            if line.startswith( "Subject:" ):
                subject = line
            if line.startswith( "SUBJECT:" ):
                subject = line
            if line.startswith( "X-Spam-Level" ):
                spam = line.count( "*" )
        if subject:
            print " "+subject
        if sender:
            print " ", sender
        print " spam", spam
        sz_chk = 140000<sz<170000 # check for this size range
        if sz_chk:
            print " sz_chk"
            spam += 1
        for can in canit:
            if subject.count(can):
                print " can it: '%s'"%can
                spam += 1
        print " spam", spam
        if spam > 2: # life is harsh
            print " dele"
            #mbox.dele( i ) # uncomment when you are ready

    print "quit"
    mbox.quit()

while 1:
    print
    doit()
    sleep(90)

Jul 18 '05 #1
At best that will identify less than a third of the messages produced by
this worm. A permutating and mutating bogus 'Undeliverable e-mail' message
carrying the infection package is more common than the HTML message. Either
type is over 100 KBytes, and will quickly clog a mailbox.

Expect the HTML message body, FROM and SUBJECT to mutate also.

Phil Weldon, pw*****@mindspring.com

Jul 18 '05 #2
In article <S0******************@newsread2.news.atl.earthlink.net>, Phil
Weldon <pw*****@mindspring.com> writes
> At best that will identify less than a third of the messages produced by
> this worm. A permutating and mutating bogus 'Undeliverable e-mail' message
> carrying the infection package is more common than the HTML message. Either
> type is over 100 KBytes, and will quickly clog a mailbox.
>
> Expect the HTML message body, FROM and SUBJECT to mutate also.
>
> Phil Weldon, pw*****@mindspring.com
>
> "Simon Burton" <si****@webone.com.au> wrote in message
> news:pa****************************@webone.com.au...
>
>> This was so easy :)
>>
>> Simon Burton.

..... you're right, I had to use patterns like

re.compile('^subject:\s*((Microsoft|MS|Upgrade|Net|Network|New|Newest|Latest|Last|Critical|Patch|Pack|internet|security|current|update)\s*)+$', re.IGNORECASE)

and check the from value as well. Even so I'm not getting all of them
and as you say mutation is happening.
--
Robin Becker
Jul 18 '05 #3
Robin Becker wrote:

[snip]
>> Phil Weldon, pw*****@mindspring.com
>>
>> "Simon Burton" <si****@webone.com.au> wrote in message
>> news:pa****************************@webone.com.au...
>>
>>> This was so easy :)
>>>
>>> Simon Burton.
>
> .... you're right, I had to use patterns like


Almost all the spam I'm receiving has an attachment whose file
type is one of .exe, .bat, .com, .scr, .pif, and a few others. Is
there a way for your Python script to check for that? How do you
do that in Python?

I'm guessing that you are not in the mood for receiving executable
files right now.

Here is a strange thing: I'm using procmail and junkfilter to
dispose of these. I looked at procmail's log, and noticed that
in many cases (but not all) I seem to be receiving exactly 2 spam
emails from each From address. I suppose this worm does not want
me to think I can do something so simple as send a request to one
infected machine asking it to clean itself up.

Dave

[snip]

--
Dave Kuhlman
http://www.rexx.com/~dkuhlman
dk******@rexx.com
Jul 18 '05 #4
Simon Burton fed this fish to the penguins on Friday 19 September 2003
11:52 pm:

> This was so easy :)

Probably helps to have an ISP that inserts the X-Spam-Level header <G>

Was missing too many variants on my runs. So I took it as inspiration
for this (not fully tested) variation which counts up words in both
subject and from headers that match candidate lists.

"""
SwenKill.py Dennis Lee Bieber September 20 2003
Based upon a program presented on comp.lang.python

Checks POP3 headers for hallmarks of a Swen trojan package and deletes
any qualifying message before it is downloaded (note: depending on
check times, the MUA may still download messages before this routine
has checked them).

Usage:
python swenkill.py pop3.server.address user.name password

If imported, one can create multiple instances of the checker, and
imbed them within their own timing check loop.

"""

import sys
import time

from poplib import *

CHECKINTERVAL = 90 #seconds

SubjectWords = """advice
bug
critical
current
error
failure
internet
last
latest
letter
microsoft
net
network
new
newest
notice
pack
patch
report
returned
security
unknown
undeliverable
undelivered
update
upgrade
user""".lower() #set all to lower case
SubjectWords = SubjectWords.split("\n")

FromWords = """Administrator
Assistance
Bulletin
Center
Corporation
Delivery
Department
Email
Inet
Internet
Mail
Message
Microsoft
MS
Net
Network
Program
Public
Section
Security
Service
Storage
Technical""".lower()
FromWords = FromWords.split("\n")

class SwenKiller:
    def __init__(self, pop3, username, password):
        self.pop3 = pop3
        self.username = username
        self.password = password

    def kill(self):
        mbox = POP3(self.pop3)
        mbox.user(self.username)
        mbox.pass_(self.password)

        stat = mbox.stat()
        print self.pop3, self.username, "\tstat", stat

        ilist = mbox.list()

        for info in ilist[1]:
            info = str.split(info) #? where did str come from? built-in?
            inum = int(info[0])
            sz = int(info[1])
            print "Msg #%.3d\t%d" % (inum, sz)

            header = mbox.top(inum, 0)[1]

            subject = ""
            sender = "" #from is a keyword, can't be used

            for line in header:
                line = line.lower()
                if line.startswith("from:"):
                    sender = line.replace('"', '')
                if line.startswith("subject:"):
                    subject = line.replace('"', '')

            size_check = 140000 < sz < 170000

            SubjectCount = 0
            FromCount = 0

            for wd in subject.split():
                if wd in SubjectWords:
                    SubjectCount += 1

            for wd in sender.split():
                if wd in FromWords:
                    FromCount += 1

            if subject == "" or subject == "subject: ":
                SubjectCount += 1

            if sender == "" or sender == "from: ":
                FromCount += 1

            print "(Scored: size=%s subject=%s from=%s)" % (size_check,
                SubjectCount, FromCount)

            if (SubjectCount > 2) or (FromCount > 2) \
               or (size_check and (SubjectCount or FromCount)):
                print "DELETED:"
                mbox.dele(inum)

            print "\t%s\n\t%s\n" % (subject, sender)

        print "Check Done"
        print " "
        mbox.quit()

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print __doc__
    else:
        killer = SwenKiller(sys.argv[1], sys.argv[2], sys.argv[3])
        try:
            while 1:
                print " "
                try:
                    killer.kill()
                finally:
                    pass #ignore errors inside the kill routine
                time.sleep(CHECKINTERVAL)
        finally:
            pass #allow <ctrl-c> to kill the sleep and exit


I need to clean up the try: blocks, these were just quicky
place-holders.

--
wl*****@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG
wu******@dm.net | Bestiaria Support Staff
Bestiaria Home Page: http://www.beastie.dm.net/
Home Page: http://www.dm.net/~wulfraed/

Jul 18 '05 #5
Dave Kuhlman fed this fish to the penguins on Saturday 20 September
2003 02:39 pm:

> Almost all the spam I'm receiving has an attachment whose file
> type is one of .exe, .bat, .com, .scr, .pif, and a few others. Is
> there a way for your Python script to check for that? How do you
> do that in Python?

Checking for the attachment requires scanning the body of the message
-- in effect, downloading it anyway. The script, as is, is only
accessing the headers and performing the delete on the server end.

--
wl*****@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG
wu******@dm.net | Bestiaria Support Staff
Bestiaria Home Page: http://www.beastie.dm.net/
Home Page: http://www.dm.net/~wulfraed/


Jul 18 '05 #6
On Sat, 20 Sep 2003 14:39:49 -0700,
Dave Kuhlman <dk******@rexx.com> wrote:
> Almost all the spam I'm receiving has an attachment whose file
> type is one of .exe, .bat, .com, .scr, .pif, and a few others. Is
> there a way for your Python script to check for that? How do you
> do that in Python?


If you're using Exim as a mail server, you can compile Exim with Python as
an extension language (elspy.sf.net). Rejecting all messages with
executable attachments is then a matter of creating an exim_local_scan.py
file containing:

from elspy import execontent_simple
def local_scan (fd, headers, info):
    # Trash executables
    execontent_simple.local_scan(fd, headers, info)

    # For now, do no other scanning
    return

--amk
Jul 18 '05 #7
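
Added example, not part of the thread and written for Python 3 rather than the thread's Python 2: one way to answer the attachment question in plain Python once the message body has been fetched, by walking the MIME parts with the standard email package and checking each part's filename extension. The names risky_attachments and RISKY_EXTENSIONS and the sample message are constructed for illustration.

```python
import email
import os

# Extensions named in the thread; a constructed starting set, extend as needed.
RISKY_EXTENSIONS = {".exe", ".bat", ".com", ".scr", ".pif"}

def risky_attachments(raw_message):
    """Return filenames of MIME parts whose last extension is in RISKY_EXTENSIONS."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # get_filename() reads the Content-Disposition "filename" parameter and
        # falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if not name:
            continue
        # Judge only the final extension, so "readme.txt.pif" counts as .pif;
        # drop trailing dots/spaces, which Windows ignores when opening a file.
        ext = os.path.splitext(name.rstrip(". "))[1].lower()
        if ext in RISKY_EXTENSIONS:
            hits.append(name)
    return hits

# Constructed sample in the shape b"\r\n".join(mbox.retr(i)[1]) has in Python 3.
SAMPLE = b"\r\n".join([
    b"From: sender@example.com",
    b"Subject: constructed test message",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="abcdefgh"',
    b"",
    b"--abcdefgh",
    b'Content-Type: application/octet-stream; name="INSTALL.EXE"',
    b"",
    b"AAAA",
    b"--abcdefgh",
    b"Content-Type: text/plain",
    b'Content-Disposition: attachment; filename="readme.txt.pif"',
    b"",
    b"x",
    b"--abcdefgh",
    b'Content-Disposition: attachment; filename="notes.txt"',
    b"",
    b"y",
    b"--abcdefgh--",
])

print(risky_attachments(SAMPLE))
```
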
Quoth "Phil Weldon" <pw*****@mindspring.com>:
| At best that will identify less than a third of the messages produced by
| this worm. A permutating and mutating bogus 'Undeliverable e-mail' message
| carrying the infection package is more common than the HTML message. Either
| type is over 100 KBytes, and will quickly clog a mailbox.
|
| Expect the HTML message body, FROM and SUBJECT to mutate also.

I've been getting one every two minutes or so for the last couple of
days, so I had to do something this morning. Luckily I have shell
access and fairly conventional UNIX mail delivery, so I put in a
filter on delivery. My criterion is nowhere near as complicated as
the rest of you folks, but after about 6 hours it caught 157 and
missed no more than a dozen. I just look for 'boundary="[a-z]' in
the header. Of course that could easily turn out to catch a legitimate
email ... but of course, with an attachment, and I don't want your
stupid Word document anyway.

The filter is 38 lines of awk (with comments), and a C program to
lock the folder and invoke the awk program.

Donn Cave, do**@drizzle.com
Jul 18 '05 #8
