SwenDeleter

SwenDeleter tries to identify email messages infected with the Swen worm in POP3 mailboxes and delete them on the server. It applies some heuristics to the headers and size of the messages, in order to avoid downloading the actual email, thus making retrievals less taxing. It has both interactive and nonstop modes.

Tags Communications Email Filters
Licenses Perl
Operating Systems OS Independent
Implementation Perl

Recent releases

  • 19 Jan 2004 19:38

Changes: Handling of the threshold option was fixed.

  • 25 Oct 2003 19:53

Changes: In this version, the size threshold and highlighting are now parameters. The server, login, and password can be entered interactively.

  • 26 Sep 2003 17:32

Changes: Patterns were revised, taking a third study of the worm into account and some false negatives. Some bugs were fixed. The code was refactored.

  • 25 Sep 2003 01:44

Changes: The heuristics are now stronger and performance was improved. POP3 settings are now passed as parameters. Precompiled binaries for Windows were provided, and specific instructions for OS/2 were included. The code was also cleaned up.

  • 23 Sep 2003 19:54

Changes: Parameters are now read from the command line. Instructions for Windows users have been added. A distribution with a self-contained precompiled executable for Windows is provided.

Recent comments

26 Sep 2003 15:52 fxn

Re: No highlighting on Mac OS X
It turns out that eq 'MSWin32' is the right thing to do and
that's documented in perlvar. Fixed in 1.3. Thank you Ron.

26 Sep 2003 15:48 fxn

Re: False negatives due to qr//i peculiarity
Excellent, fixed in 1.3. Thank you.

26 Sep 2003 10:23 RonNewman

False negatives due to qr//i peculiarity
SwenDeleter sometimes fails to properly match a copy
of the virus message because it does not use the /i
(case-insensitivity) switch consistently at every step
when building up pre-compiled regular expressions.

In particular, the declaration of my $subject2_regexp
needs to end with /ix and not just /x .

Probably the same fix needs to be made to all the
"from" regexps, but this should be done by someone
more familiar with the virus definition (not me!)

26 Sep 2003 10:16 RonNewman

No highlighting on Mac OS X
The SwenDeleter.pl 1.2 script as written will not
highlight the matches on Mac OS X, because of this
line:

unless ($^O =~ /win/i) {

Unfortunately, $^O == "darwin" on Mac OS X. Since I
don't know what $^O actually looks like on Windows, I
don't know how to fix this correctly.

In my private copy, I just changed the regexp to
/^win/i , but I doubt that this is correct.
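
Added example, not part of the comments above and not SwenDeleter's own code: a Perl sketch of the two issues reported in this thread, the flag scoping of interpolated qr// fragments and the $^O platform check. The pattern fragments, variable names and header lines are constructed for illustration and are assumptions, not the project's real worm patterns.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed pattern fragments; NOT SwenDeleter's real worm patterns.
my $words_x  = qr/ (?: security \s+ update | critical \s+ patch ) /x;   # no /i
my $words_ix = qr/ (?: security \s+ update | critical \s+ patch ) /ix;

# A compiled qr// fragment keeps its own flags when interpolated, so the
# outer /i below does not make $words_x case-insensitive.
my $subject_weak  = qr/ ^Subject: \s* .* $words_x  /ix;
my $subject_fixed = qr/ ^Subject: \s* .* $words_ix /ix;

# Constructed header lines, as a POP3 TOP response might return them.
my @headers = (
    'Subject: latest security update',
    'Subject: Latest Security Update',
    'SUBJECT: NEW CRITICAL PATCH',
);

for my $h (@headers) {
    printf "%-34s weak=%-3s fixed=%s\n", $h,
        ($h =~ $subject_weak  ? 'hit' : 'no'),
        ($h =~ $subject_fixed ? 'hit' : 'no');
}

# Platform check: /win/i also matches "darwin" (and "cygwin"), while the
# exact comparison named in the reply selects native Windows Perl only.
for my $os (qw(MSWin32 darwin cygwin linux)) {
    printf "%-8s =~ /win/i: %-3s  eq 'MSWin32': %s\n", $os,
        ($os =~ /win/i    ? 'yes' : 'no'),
        ($os eq 'MSWin32' ? 'yes' : 'no');
}
```

For a mail filter, the first loop is the one that matters: a fragment compiled without /i silently turns a case-varied infected subject into a false negative, even though the enclosing pattern carries /i.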
