
POP3Filter for SoBig.F Virus: - Ruby


  1. #1

    Re: POP3Filter for SoBig.F Virus:

    I've made more updates. Rather than just putting them here, I've created a
    page at RubyGarden:

    [url]http://www.rubygarden.org/ruby?SoBigPopper[/url]

    -austin
    --
    austin ziegler * [email]austinhalostatue.ca[/email] * Toronto, ON, Canada
    software designer * pragmatic programmer * 2003.09.19
    * 21.14.03



    Austin Ziegler Guest

  2. #2

    Re: POP3Filter for SoBig.F Virus:

    On Sat, 20 Sep 2003 10:14:39 +0900, Austin Ziegler wrote:
    > [url]http://www.rubygarden.org/ruby?SoBigPopper[/url]
    Gavin made a nice improvement that I have incorporated on the main page; I
    have also fixed a couple of bugs with the detection code. Thanks, Gavin.

    -austin
    --
    austin ziegler * [email]austinhalostatue.ca[/email] * Toronto, ON, Canada
    software designer * pragmatic programmer * 2003.09.20
    * 02.44.54



    Austin Ziegler Guest

  3. #3

    Re: POP3Filter for SoBig.F Virus:


    "Austin Ziegler" <austinhalostatue.ca> wrote in message
    > On Sat, 20 Sep 2003 10:14:39 +0900, Austin Ziegler wrote:
    > > [url]http://www.rubygarden.org/ruby?SoBigPopper[/url]
    >
    > Gavin made a nice improvement that I have incorporated on the main page; I
    > have also fixed a couple of bugs with the detection code. Thanks, Gavin.
    Thank you very much, Austin and Gavin.

    I have been inundated with spam in the last few hours and this nice little
    utility has helped me a lot.

    I have a question though: the size of email defaults to 120_000. Is there
    some significance to this number or is it just an arbitrary number you
    picked. I have been getting some spam with attachments which are 106K or in
    that range. Of course, I have changed my version to catch them too but was
    curious to find out.

    Also, would it be possible for you to add something like the "kill file"
    support so that I can keep adding new patterns to it instead of modifying
    the source code.

    Thanks a lot.
    -- shanko


    Shashank Date Guest

  4. #4

    Re: POP3Filter for SoBig.F Virus:

    On Saturday, September 20, 2003, 9:03:18 PM, Shashank wrote:

    > "Austin Ziegler" <austinhalostatue.ca> wrote in message
    >> On Sat, 20 Sep 2003 10:14:39 +0900, Austin Ziegler wrote:
    >> > [url]http://www.rubygarden.org/ruby?SoBigPopper[/url]
    >>
    >> Gavin made a nice improvement that I have incorporated on the main page; I
    >> have also fixed a couple of bugs with the detection code. Thanks, Gavin.
    > Thank you very much, Austin and Gavin.
    > I have been inundated with spam in the last few hours and this nice little
    > utility has helped me a lot.
    > I have a question though: the size of email defaults to 120_000. Is there
    > some significance to this number or is it just an arbitrary number you
    > picked. I have been getting some spam with attachments which are 106K or in
    > that range. Of course, I have changed my version to catch them too but was
    > curious to find out.
    All of my virus-spam messages have been around 140Kb. One exception
    was about 15Kb.
    > Also, would it be possible for you to add something like the "kill file"
    > support so that I can keep adding new patterns to it instead of modifying
    > the source code.
    No need really, and I don't have the time. But you can go for it and
    change the Wiki code if you like. Or if your version is significantly
    different then offer it as a separate implementation.

    The easiest and quickest thing to do would be to add filters to the
    source code on the Wiki. If you need different filters, then someone
    else probably will too.

    I think a lot of people have learned about Net::POP3 today, especially
    me.

    Gavin


    Gavin Sinclair Guest

  5. #5

    Re: POP3Filter for SoBig.F Virus:

    On Sat, 20 Sep 2003 22:15:40 +0900, Gavin Sinclair wrote:
    > On Saturday, September 20, 2003, 9:03:18 PM, Shashank wrote:
    >> Thank you very much, Austin and Gavin.
    >>
    >> I have been inundated with spam in the last few hours and this nice
    >> little utility has helped me a lot.
    >>
    >> I have a question though: the size of email defaults to 120_000. Is
    >> there some significance to this number or is it just an arbitrary
    >> number you picked. I have been getting some spam with attachments which
    >> are 106K or in that range. Of course, I have changed my version to
    >> catch them too but was curious to find out.
    > All of my virus-spam messages have been around 140Kb. One exception was
    > about 15Kb.
    The Perl version I translated from -- and I just modified the WikiPage to
    include the historic influences -- had 150_000 as the size default. I
    figured it was a bit high, so I dropped it to 120_000. In one of my later
    changes to the tool, though, I moved it from a constant to the fourth
    parameter (defaulted) in the constructor.
    >> Also, would it be possible for you to add something like the "kill file"
    >> support so that I can keep adding new patterns to it instead of
    >> modifying the source code.
    > No need really, and I don't have the time. But you can go for it and
    > change the Wiki code if you like. Or if your version is significantly
    > different then offer it as a separate implementation.
    Actually, it's even easier than that. I just modified the last line so that
    it looks like:

    if __FILE__ == $0
      POP3Filter.new("server", "user", "pass").process
    end

    Now, pop3filter is easy to include into a separate program. What you would
    do to use this is:

    require 'pop3filter.rb'

    # SUBJECT_RE is a constant of the class, so it is reached with ::
    POP3Filter::SUBJECT_RE << %r{enlarge}i
    POP3Filter.new("server", "user", "pass", 80_000).process

    This will now look for subjects that have the word "enlarge" in them, and it
    will look for messages of 80,000 bytes.

    The code could be abstracted a bit further -- so that we can (via
    meta-programming) tell it what headers we want and have multiple categories,
    but this is simply a quick hack to get rid of the current infestation.
    Another nice change would be to actually have a Tk (or other graphical)
    interface so that you could select which messages you want deleted without
    having to either (a) delete them all or (b) respond to each message
    interactively.

    -austin
    --
    austin ziegler * [email]austinhalostatue.ca[/email] * Toronto, ON, Canada
    software designer * pragmatic programmer * 2003.09.20
    * 10.42.42



    Austin Ziegler Guest

  6. #6

    Re: POP3Filter for SoBig.F Virus:

    Austin Ziegler wrote:
    >Here's an updated version of the Ruby pop3filter that was written. This
    >checks for the To: address, too, since that could be forged as well.
    >
    >
    Thanks Austin. This has been a learning experience for me.

    Michael


    Michael Garriss Guest

  7. #7

    Re: POP3Filter for SoBig.F Virus:

    On Sat, 20 Sep 2003 23:52:39 +0900, Austin Ziegler <austinhalostatue.ca>
    wrote:
    > The Perl version I translated from -- and I just modified the WikiPage to
    > include the historic influences -- had 150_000 as the size default. I
    > figured it was a bit high, so I dropped it to 120_000. In one of my later
    > changes to the tool, though, I moved it from a constant to the fourth
    > parameter (defaulted) in the constructor.
    Austin,

    Can you post a link to the original code? It would be neat to compare perl
    and ruby code for the same task.
    Thanks,
    -Jose

    --
    Jose Quesada, PhD.

    [email]quesadajpsych.colorado.edu[/email] Research associate
    [url]http://lsa.colorado.edu/~quesadaj[/url] Institute of Cognitive Science
    University of Colorado (Boulder)
    Muenzinger psychology building Phone:303 492 1522
    office D447A Fax: 303 492 7177
    Campus Box 344
    University of Colorado at Boulder
    Boulder, CO 80309-0344


    Jose Quesada Guest

  8. #8

    Re: POP3Filter for SoBig.F Virus:

    On Saturday 20 September 2003 18:56, Jose Quesada wrote:
    > Can you post a link to the original code? It would be neat to compare
    > perl and ruby code for the same task.
    Well, the original code was the first dirty iteration I wrote in a hurry
    because my mailbox was being flooded by minutes. I shared it because of
    the thread in case it could be helpful to anyone else.

    I have cleaned it up a bit since then, factored it, and added
    interactive and nonstop modes:

    [url]http://www.hashref.com/prj/pop3filter/pop3filter.pl[/url]

    I think that's a more appropriate version for a fair comparison.

    -- fxn


    Xavier Noria Guest

  9. #9

    Re: POP3Filter for SoBig.F Virus:

    On Sun, 21 Sep 2003 02:07:44 +0900, Xavier Noria wrote:
    > On Saturday 20 September 2003 18:56, Jose Quesada wrote:
    >> Can you post a link to the original code? It would be neat to compare
    >> perl and ruby code for the same task.
    > Well, the original code was the first dirty iteration I wrote in a hurry
    > because my mailbox was being flooded by minutes. I shared it because of
    > the thread in case it could be helpful to anyone else.
    >
    > I have cleaned it up a bit since then, factored it, and added interactive
    > and nonstop modes:
    >
    > [url]http://www.hashref.com/prj/pop3filter/pop3filter.pl[/url]
    >
    > I think that's a more appropriate version for a fair comparison.
    Agreed. I hope no one thinks that I was saying your version wasn't good
    enough. I just didn't want to have to verify if I had Net::POP3 in Perl (I'm
    pretty sure I do, since it's the ActiveState version) and so I made the Ruby
    version based on what you wrote. It was good for what it did, but I found
    that it missed a number of the messages (naturally, because it had fewer
    regexp), and the main reason for making the change is I didn't want to
    answer yes on EACH message.

    At any rate, I think they're both highly usable. At some point, I think that
    I'll set up a POP3 proxy form of this moving forward and integrate this,
    gurgitate, and a bayesian spam checker so that I can look at doing things a
    bit differently.

    -austin
    --
    austin ziegler * [email]austinhalostatue.ca[/email] * Toronto, ON, Canada
    software designer * pragmatic programmer * 2003.09.20
    * 14.59.18



    Austin Ziegler Guest

  10. #10

    Re: POP3Filter for SoBig.F Virus:

    On Sunday, September 21, 2003, 5:03:51 AM, Austin wrote, in part:
    > At any rate, I think they're both highly usable. At some point, I think that
    > I'll set up a POP3 proxy form of this moving forward and integrate this,
    > gurgitate, and a bayesian spam checker so that I can look at doing things a
    > bit differently.
    That would certainly interest me. If you set this up on RubyForge
    you'd definitely get my feedback and contributions!

    Gavin


    Gavin Sinclair Guest

  11. #11

    Re: POP3Filter for SoBig.F Virus:

    For those who were interested, I've tweaked my spam filters so almost
    nothing is getting through anymore. I've posted them on my web log
    site in case anybody wants them:

    [url]http://infofiend.com/log/index.php/item/223[/url]

    Ben


    Ben Giddings Guest

  12. #12

    Re: POP3Filter for SoBig.F Virus:

    Saluton!

    * Gavin Sinclair; 2003-09-20, 18:24 UTC:
    > All of my virus-spam messages have been around 140Kb. One exception
    > was about 15Kb.
    Concerning 15 KB messages: Notify maintainer of mail server that
    sends them about the misconfiguration. A mail server must not
    identify an infected message, remove the infected part and deliver
    the rest.

    Even though most people are not aware of it: Besides the given high
    probability that the message was sent unintentionally doing so can be
    a crime in some countries (Germany for example).

    As long as it is done to correctly deliver the message it is
    acceptable that a mail server manipulates e-mails but as soon as
    manipulation is done to change the information transmitted you are
    possibly committing a crime because

    - you may be suppressing information that *should* be sent (e.g.
    forwarding some program that happens to result in a false alert)

    - you are creating a derived work of some copyrighted work without
    permission of the copyright holder.

    etc. Of course this is only what you officially say. More annoying is
    that the removal of the attachment breaks any worm defense that makes
    use of the fact that you rarely receive messages of more than 100 KB
    that you actually want to receive.

    Note: On 2003-09-24 the European Parliament is going to decide on a
    software patent directive. To protest against this my web pages
    will be offline until (and including) 2003-09-24 (UTC). This
    includes but is not limited to the extmath, rcalc, and tldlib
    homepage.

    Gis,

    Josef 'Jupp' Schugt
    --
    Warning to Outlook, Outlook Express and Windows users: In the 9/11
    aftermath many countries decided on new anti-terror laws. If you put
    web sites or mailboxes under fire this may be seen as a terroristic
    act that potentially may buy you a one-way ticket to Guantanamo Bay.

    Josef 'Jupp' Schugt Guest

  13. #13

    Re: POP3Filter for SoBig.F Virus:


    "Austin Ziegler" <austinhalostatue.ca> wrote:
    > I've made more updates. Rather than just putting them here, I've created a
    > page at RubyGarden:
    >
    > [url]http://www.rubygarden.org/ruby?SoBigPopper[/url]
    >

    Thanks so much, Austin (and other contributors)
    for putting this together.


    daz

    (68MB backlog now cleared)



    daz Guest

  14. #14

    Re: POP3Filter for SoBig.F Virus:

    >
    > "Austin Ziegler" <austinhalostatue.ca> wrote:
    >
    >> I've made more updates. Rather than just putting them here, I've
    >> created a page at RubyGarden:
    >>
    >> [url]http://www.rubygarden.org/ruby?SoBigPopper[/url]
    >>
    >
    >
    > Thanks so much, Austin (and other contributors)
    > for putting this together.
    >
    >
    > daz
    >
    > (68MB backlog now cleared)

    A word of warning: don't set the size threshold too small. Yesterday, I
    ran the following script (at home) all day while I was at work:

    while [ true ]; do
      yes | ruby pop3filter.rb
      sleep 300
    done

    That guarded my inbox just nicely so I could check it at work.

    Today, having noticed that quite a few small (1-2K) annoying Microsoft
    emails were coming through, I lowered the size threshold to 1500 bytes.
    Until I rang home to get it stopped, no mail was getting through to me!
    For some reason, every email was matched, and thus killed, by the program!
    Until I get home to see what happened, I won't know what emails I missed
    out on.

    Cheers,
    Gavin



    Gavin Sinclair Guest
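The two things this thread keeps coming back to are the extension point Austin describes in #5 (append a regexp to the subject list, pass a size threshold to the constructor) and the failure Gavin reports above (a threshold of 1500 bytes matched every message). The following is an added example and not the SoBigPopper/pop3filter code from the thread: a self-contained model of the same decision rule with two safeguards a practitioner would want, a dry run that reports instead of deleting, and a refusal to act when a rule would wipe nearly the whole mailbox. The class name FilterPolicy, the subject patterns, the 0.9 kill ratio and the mailbox listing are all this example's own assumptions.

```ruby
class FilterPolicy
  MessageInfo = Struct.new(:uid, :size, :subject)
  class Refused < StandardError; end
  attr_reader :subject_res

  # size_threshold defaults to the thread's 120_000; max_kill_ratio is this
  # example's safety valve against a rule that matches the whole mailbox.
  def initialize(size_threshold = 120_000, max_kill_ratio: 0.9)
    @size_threshold = size_threshold
    @max_kill_ratio = max_kill_ratio
    # Constructed patterns; extend the list the way the thread extends
    # POP3Filter::SUBJECT_RE, e.g. policy.subject_res << /enlarge/i
    @subject_res = [/\A(re: )?(details|thank you!)\z/i]
  end

  # Why a message would be deleted (:size or :subject), or nil to keep it.
  def verdict(msg)
    return :size if msg.size >= @size_threshold
    return :subject if @subject_res.any? { |re| re.match?(msg.subject) }
    nil
  end

  # uid => reason for every message that should go. Raises Refused when the
  # rule would wipe nearly everything, which is what happened in the thread
  # after the size threshold was lowered to 1500 bytes.
  def plan_deletions(msgs)
    plan = {}
    msgs.each do |m|
      why = verdict(m)
      plan[m.uid] = why if why
    end
    if !msgs.empty? && plan.size.to_f / msgs.size > @max_kill_ratio
      raise Refused, "rule would delete #{plan.size} of #{msgs.size} messages"
    end
    plan
  end

  # Dry run: report what would be deleted without touching the mailbox.
  def dry_run(msgs)
    plan_deletions(msgs).map { |uid, why| "would delete uid #{uid} (#{why})" }
  end
end

# Constructed mailbox listing (uid, size in bytes, subject), not real mail.
SAMPLE_MAILBOX = [
  FilterPolicy::MessageInfo.new(1, 143_000, "Re: Details"),
  FilterPolicy::MessageInfo.new(2, 1_800, "Thank you!"),
  FilterPolicy::MessageInfo.new(3, 4_200, "Lunch on Friday?"),
  FilterPolicy::MessageInfo.new(4, 9_900, "Re: meeting notes"),
]
```

Running `FilterPolicy.new.dry_run(SAMPLE_MAILBOX)` lists the two worm-like messages; `FilterPolicy.new(1_500).plan_deletions(SAMPLE_MAILBOX)` raises Refused because every message would be deleted, which is the outcome a scheduled `yes | ruby pop3filter.rb` loop cannot notice on its own.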

  15. #15

    Re: POP3Filter for SoBig.F Virus:

    On Tuesday 23 September 2003 06:32, daz wrote:
    > "Austin Ziegler" <austinhalostatue.ca> wrote:
    > > I've made more updates. Rather than just putting them here, I've
    > > created a page at RubyGarden:
    > >
    > > [url]http://www.rubygarden.org/ruby?SoBigPopper[/url]
    >
    > Thanks so much, Austin (and other contributors)
    > for putting this together.
    I just cleaned 27Mb of Swens this morning!!!

    Just to close my contribution to this thread, I wanted to comment that
    after a few little improvements the original filter was finally
    published:

    [url]http://freshmeat.net/projects/swendeleter/[/url]

    -- fxn


    Xavier Noria Guest
