back to index

Worm Bounce Identifier

Sat Jan 31 2004, 6:10 AM

Purpose

A simple program for classifying email bounces, executable code, and more or less anything. Written after MyDoom became the Microsoft® Worm-of-the-week™ and the users were flooded by bounced messages faked by the worm, the worm itself, and other shrapnels.

The code was written in a few hours, including analysis of the problem, in order to spoil my users who were complaining mightily about the worm outbreak and its collateral damage. It's quick and dirty and born from an immediate need. It's designed to pose a minimal load for the machine.

It's designed to work together with Garlic2 POP3 filter and an executable-file refusing patch on qmail-smtpd, as one more layer of protection.

Partially inspired by VirusBounceRules ruleset for SpamAssassin.

How it works

An email is fed to the program's stdin. A series of comparisons is done on the first 32k of the file (if a signature is present, it will be there), in order to save system resources.

In passthru mode the mail is piped through; if there is a match, a header is added, otherwise the mail is unchanged.

In classify mode the match value is output to stdout.

Usage

Takes a mail message on stdin, adds header if match found (when piped) or outputs the match to stdout.

Parameters:
-ppassthru mode - pipes message to stdout, adds header if match
-cclassify mode (default) - outputs classification to stdout
-rset result code to 1 if match found
-llog match to syslog
-H <header> sets header to add if match

Specifically designed for use with procmail.
Sample entry follows:

Files

wormbounceid.c - the source of the most current message classifier
signatures-auto.c - some more signatures added semiautomatically (included from wormbounceid.c)
procmailrc - an example-of-use snippet of procmailrc

If you have any comments or questions about the topic, please let me know here:
Your name:
Your email:
Spambait
Leave this empty!
Only spambots enter stuff here.
Feedback: