comp.lang.ada
From: Ludovic Brenta <ludovic.brenta@insalien.org>
Subject: Re: Current "Swen" worm attack
Date: 23 Sep 2003 17:41:51 +0200
Message-ID: <m3k77zcy0w.fsf@insalien.org>
In-Reply-To: JQVbb.552471$Ho3.96759@sccrnsc03

"Jeff C," <nolongersafeto@userealemailsniff.com> writes:

> "David Marceau" <davidmarceau@sympatico.ca> wrote in message
> news:3F6FC7D4.3949160D@sympatico.ca...
> > I got around 200 spam in the last two days and my mailbox at the isp hit
> > the maximum capacity and started rejecting good emails.
> > This is the biggest spam-tsunami I have experienced.
> >
> > If I had a $$$static ip/hostname/mail server at home, I would preferably
> > do the server-side filtering myself through the open source spam
> > filtering tools that already exist.  As it stands, I am presently forced
> > to configure a spam-filter plug-in into my mail client.
> 
> Another solution (the one I just implemented) is to set up a linux
> box with a combination of fetchmail (to go download messages from
> your ISP popmailbox at a fixed periodic rate) and IMAP (linux side
> POP3 mail server).
> 
> Then just continue using whatever you are using to check your mail
> but have it point to the Linux pop box. This way, you don't need a
> static connection but you keep your ISP POP mailbox from filling
> up. The other reason this approach is nice is that it does not
> require you to open any additional (or any at all) incoming ports on
> your firewall since you are still using "pull" to get your mail.
> 
> I completed the above steps last night.
> 
> Tonight I hope to add some filtering on the Linux side so I can also
> stop seeing these messages...but at least I can get regular email
> again.

I have an additional requirement.  Not only do I want to prevent my
mailbox from filling up, but I also do not want to download all of
these emails, because with the sheer volume I'm getting (about 200
spams a day), I'd blow up my download quota.  This means I do not want
to do the filtering on the client (which I was doing in gnus), but I
want to do it on the server before my client downloads the emails.

So, today, I wrote an Ada program that does all that.  It's about 550
SLOC in Ada, and uses libspopc to do the POP3 client stuff (and yes, I
wrote a thick binding to it).  I also used a couple of generic
containers from Charles.

My solution uses POP3 to download just the headers of all mails, and
delete those that match a set of regular expressions.  These regexes
come directly from my ~/.emacs file, so that the server-side filtering
uses the same rules as the client-side one.

I ran it today and it deleted about 200 spams that had accumulated
over 14 hours.  Now I will never even have to download their contents
:)

I'm planning to run this jewel of a little program in a cron job every
2 minutes or so.  BTW, here are a few regexps that get most of these
spams for me:

(setq nnmail-split-methods
      ;; The value must be a quoted list of (GROUP REGEXP) pairs; only
      ;; the spam entries are shown here.
      '(;; Lots of filtering and shuffling about...
        ("misc.spam" "antiv@univ-lyon1.fr")
        ("misc.spam" "^From: $")
        ("misc.spam" "From: Service .*")
        ("misc.spam" "From: \"?Admin\"?|admin")
        ("misc.spam" "From: administrator")
        ("misc.spam" "From:.*Delivery.*")
        ("misc.spam" "From:.*Internet Security.*")
        ("misc.spam" "From: MS ")
        ("misc.spam" "From: ms net message system")
        ("misc.spam" "From: (M|m)icrosoft.*")
        ("misc.spam" "From: Email System")
        ("misc.spam" "From: inet storage service")
        ("misc.spam" "From: (Inet|Internet) (Email |Mail )?Storage System")
        ("misc.spam" "From: \"Network Mail System\"")
        ("misc.spam" "From:.*Technical Services.*")
        ("misc.spam" "From: (P|p)ostmaster")
        ("misc.spam" "Subject:.*VIRUS.*")
        ("misc.spam" "Subject:.*security.*patch.*")
        ("misc.spam" "Subject:.*upgrade.*")))

And, of course, Mail/misc/spam is a symlink to /dev/null.

Anyone feel this is worth a project on Savannah or SourceForge?

-- 
Ludovic Brenta.
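The header-only server-side filter the post describes (fetch just the headers with POP3 TOP, match them against the split rules, DELE the matches), as an added Python example that is not the Ada program from the post. It uses a constructed in-memory stand-in for poplib.POP3 so it runs offline, and the rules are a few of the post's patterns in Python regexp syntax.

```python
import re

# Split rules as (group, regexp) pairs, like the nnmail-split-methods entries
# in the post but in Python regexp syntax. Only the header block is matched.
RULES = [
    ("misc.spam", r"^From: (M|m)icrosoft.*"),
    ("misc.spam", r"^From: (P|p)ostmaster"),
    ("misc.spam", r"^Subject:.*security.*patch.*"),
]
COMPILED = [(g, re.compile(rx, re.MULTILINE)) for g, rx in RULES]

def headers_of(pop, num):
    """TOP <num> 0 returns only the header lines; the body is never fetched."""
    _resp, lines, _octets = pop.top(num, 0)
    return b"\n".join(lines).decode("latin-1", "replace")

def filter_mailbox(pop, dry_run=True):
    """Return [(msg_num, regexp)] for every matching message and DELE it
    unless dry_run. The server only applies DELE when the session ends with QUIT."""
    _resp, listing, _octets = pop.list()          # b"<num> <octets>" per message
    hits = []
    for entry in listing:
        num = int(entry.split()[0])
        hdrs = headers_of(pop, num)
        for _group, rx in COMPILED:
            if rx.search(hdrs):
                hits.append((num, rx.pattern))
                if not dry_run:
                    pop.dele(num)
                break                              # first matching rule wins
    return hits

class FakePOP3:
    """Constructed stand-in for poplib.POP3 (same return shapes) to run offline."""
    def __init__(self, msgs):
        self.msgs, self.deleted = msgs, []
    def list(self):
        return (b"+OK", [f"{n} 100".encode() for n in self.msgs], 0)
    def top(self, num, _howmuch):
        return (b"+OK", self.msgs[num].encode().split(b"\n"), 0)
    def dele(self, num):
        self.deleted.append(num)

SAMPLE = {  # constructed headers, in the style of the worm's forged mails
    1: "From: Microsoft Corporation Security Center\nSubject: Latest Net Security Upgrade",
    2: "From: alice@example.org\nSubject: Lunch tomorrow?",
    3: "From: postmaster@example.net\nSubject: Undeliverable",
}
```

Against a real mailbox, replace FakePOP3 with a poplib.POP3_SSL session after user()/pass_(), run with dry_run=True first to spot false positives (a "^From: (P|p)ostmaster" rule also eats legitimate bounces), and finish with quit() so the deletions are committed.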
