From: Ludovic Brenta <ludovic.brenta@insalien.org>
Subject: Re: Current "Swen" worm attack
Date: 23 Sep 2003 17:41:51 +0200
Message-ID: <m3k77zcy0w.fsf@insalien.org>
In-Reply-To: JQVbb.552471$Ho3.96759@sccrnsc03
"Jeff C," <nolongersafeto@userealemailsniff.com> writes:
> "David Marceau" <davidmarceau@sympatico.ca> wrote in message
> news:3F6FC7D4.3949160D@sympatico.ca...
> > I got around 200 spam in the last two days and my mailbox at the isp hit
> > the maximum capacity and started rejecting good emails.
> > This is the biggest spam-tsunami I have experienced.
> >
> > If I had a $$$static ip/hostname/mail server at home, I would preferably
> > do the server-side filtering myself through the open source spam
> > filtering tools that already exist. As it stands, I am presently forced
> > to configure a spam-filter plug-in into my mail client.
>
> Another solution (the one I just implemented) is to set up a Linux
> box with a combination of fetchmail (to go download messages from
> your ISP POP mailbox at a fixed periodic rate) and IMAP (Linux side
> POP3 mail server).
>
> Then just continue using whatever you are using to check your mail
> but have it point to the Linux POP box. This way, you don't need a
> static connection but you keep your ISP POP mailbox from filling
> up. The other reason this approach is nice is that it does not
> require you to open any additional (or any at all) incoming ports on
> your firewall since you are still using "pull" to get your mail.
>
> I completed the above steps last night.
>
> Tonight I hope to add some filtering on the Linux side so I can also
> stop seeing these messages...but at least I can get regular email
> again.
I have an additional requirement. Not only do I want to prevent my
mailbox from filling up, but I also do not want to download all of
these emails, because with the sheer volume I'm getting (about 200
spams a day), I'd blow up my download quota. This means I do not want
to do the filtering on the client (which I was doing in gnus), but I
want to do it on the server before my client downloads the emails.
So, today, I wrote an Ada program that does all that. It's about 550
SLOC in Ada, and uses libspopc to do the POP3 client stuff (and yes, I
wrote a thick binding to it). I also used a couple of generic
containers from Charles.
My solution uses POP3 to download just the headers of all mails, and
delete those that match a set of regular expressions. These regexes
come directly from my ~/.emacs file, so that the server-side filtering
uses the same rules as the client-side one.
I ran it today and it deleted about 200 spams that had accumulated
over 14 hours. Now I will never even have to download their contents
:)
I'm planning to run this jewel of a little program in a cron job every
2 minutes or so. BTW, here are a few regexps that get most of these
spams for me:
(setq nnmail-split-methods
      ;; Each entry is (GROUP REGEXP); the regexp is matched against the
      ;; header lines of the incoming message.
      '(;; Lots of filtering and shuffling about...
        ("misc.spam" "antiv@univ-lyon1.fr")
        ("misc.spam" "^From: $")
        ("misc.spam" "From: Service .*")
        ("misc.spam" "From: \"?Admin\"?|admin")
        ("misc.spam" "From: administrator")
        ("misc.spam" "From:.*Delivery.*")
        ("misc.spam" "From:.*Internet Security.*")
        ("misc.spam" "From: MS ")
        ("misc.spam" "From: ms net message system")
        ("misc.spam" "From: (M|m)icrosoft.*")
        ("misc.spam" "From: Email System")
        ("misc.spam" "From: inet storage service")
        ("misc.spam" "From: (Inet|Internet) (Email |Mail )?Storage System")
        ("misc.spam" "From: \"Network Mail System\"")
        ("misc.spam" "From:.*Technical Services.*")
        ("misc.spam" "From: (P|p)ostmaster")
        ("misc.spam" "Subject:.*VIRUS.*")
        ("misc.spam" "Subject:.*security.*patch.*")
        ("misc.spam" "Subject:.*upgrade.*")))
And, of course, Mail/misc/spam is a symlink to /dev/null.
Anyone feel this is worth a project on Savannah or SourceForge?
--
Ludovic Brenta.
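One way to implement the header-only purge described in the message above, as an added Python example (not the author's Ada program): it fetches only headers with the POP3 TOP command, tests them against a subset of the regexes from the post, and marks matches with DELE. The FakePOP class and SAMPLE_MAILBOX are constructed stand-ins so the code runs offline; against a real server you would pass a logged-in poplib.POP3 object to purge() and then call quit() to commit the deletions.

```python
import re

# Header-line regexes copied from the post's nnmail-split-methods list
# (the dot in the address is escaped here; the post leaves it unescaped).
SPAM_RULES = [
    r"antiv@univ-lyon1\.fr",
    r"^From: $",
    r"From: (M|m)icrosoft.*",
    r"From: (Inet|Internet) (Email |Mail )?Storage System",
    r"From: (P|p)ostmaster",
    r"Subject:.*VIRUS.*",
    r"Subject:.*security.*patch.*",
]
COMPILED = [re.compile(r, re.MULTILINE) for r in SPAM_RULES]

def matching_rule(header_lines):
    """Return the pattern of the first rule hitting any header line, else None."""
    text = "\n".join(header_lines)
    for rx in COMPILED:
        if rx.search(text):
            return rx.pattern
    return None

def purge(pop):
    """TOP n 0 fetches only the headers of message n (no body bytes downloaded);
    DELE marks matches. `pop` must offer list()/top()/dele() with the return
    shapes of poplib.POP3. Deletions only take effect when QUIT is sent."""
    deleted = []
    count = len(pop.list()[1])
    for i in range(1, count + 1):
        _resp, lines, _octets = pop.top(i, 0)   # 0 = zero body lines
        headers = [line.decode("latin-1", "replace") for line in lines]
        rule = matching_rule(headers)
        if rule is not None:
            pop.dele(i)
            deleted.append((i, rule))
    return deleted

class FakePOP:
    """Constructed offline stand-in for poplib.POP3 (sample data, not real mail)."""
    def __init__(self, mailbox):
        self.mailbox, self.deleted = mailbox, []
    def list(self):
        return (b"+OK", [b"%d 512" % (i + 1) for i in range(len(self.mailbox))], 0)
    def top(self, which, howmuch):
        return (b"+OK", self.mailbox[which - 1], 0)
    def dele(self, which):
        self.deleted.append(which)

SAMPLE_MAILBOX = [  # constructed header sets, one list of lines per message
    [b"From: Microsoft Corporation Security Center", b"Subject: Latest Security Update"],
    [b"From: alice@example.org", b"Subject: lunch tomorrow"],
    [b"From: bob@example.net", b"Subject: VIRUS warning attached"],
]
```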