python script as an emergency mailbox cleaner


Alex Martelli

All my mailboxes have been filling up with files of about 130k to 150k, no
doubt copies of some immensely popular virus. So, I've no doubt lost lots
of real mail because of "mailbox full" conditions (the proliferating fake
bounce messages more or less ensure nobody knows their mail to me has
bounced, either).

As an emergency response I and Anna developed, over the last half hour, a
small Python script to be run from cron every few minutes and automatically
scrub any POP3 mailbox from files in the target size range. I'm saving them
to a local file for potential later perusal, but that's obviously easy to
comment out if needed. Here's the tiny script in question...:

# Python 2 script (print statement syntax)
import poplib
import time

print 'Start at', time.asctime()

# POP3 account to clean
host = 'pop.mail.yahoo.com'
port = 110
user = 'aleaxit'
pasw = 'secret'

# messages whose size falls in [minsize, maxsize) are saved locally and deleted
logfilename = 'bigjunk'
minsize = 130000
maxsize = 180000
fromtag = 'From (e-mail address removed) %s\n'

ps = poplib.POP3(host, port)
ps.user(user)
ps.pass_(pasw)

# list() returns (response, ['msgnum size', ...], octets)
messages = ps.list()
print '%d messages, %d bytes' % (len(messages[1]), messages[-1])

logfile = open(logfilename, 'a')

for sms in messages[1]:
    sid, ssize = sms.split()
    if minsize <= int(ssize) < maxsize:
        message = ps.retr(sid)
        print 'retrieving and deleting msg#%s, %d bytes, %d lines' % (
            sid, message[-1], len(message[1]))
        # append the message to the local file, mbox style, before deleting it
        logfile.write(fromtag % time.asctime())
        for line in message[1]:
            logfile.write(line)
            logfile.write("\n")
        logfile.write('\n')
        ps.dele(sid)

ps.quit()

print 'Done at', time.asctime()
print


Hope it can come in useful to somebody...!!!

Alex & Anna
 

Phil Weldon

It's a worm. Worm.Automat.AGH. This is going to be a bad one. The worm
installs, among other things, an SMTP engine, searches an infected system
for email addresses, and sends two types of e-mail: the first is HTML and is
a fake "security patch" supposedly from Microsoft. It looks very official,
but the attachment, 104 KBytes long, is infectious. Norton Antivirus
definitions only began to identify it with the 18SEP03 manual definition
update. The worm also posts to usenet newsgroups. The other type of e-mail
is a fake notification of undeliverable e-mail. This one is a real bear.
There seem to be hundreds of variations in the body content and thousands of
variations in the header. The infectious package is also about 104 KBytes.
I'm getting nearly 100 of the two types per hour. Norton Antivirus does not
detect the worm in usenet posts read by Outlook Express Newsreader or Outlook
Newsreader. Only when you attempt to open the attachment or save the
attachment to disk will Norton identify it. Norton will NOT detect the
virus in the newsgroup posts folder NOR will it detect the newsgroup folder
in a full system scan. It will not remove the infected file from the
newsgroup folder, but it will prevent execution of the vermal payload.

Microsoft Outlook with the SP3 security update when used as your e-mail
reader protects against infection. Prior to 18SEP03 Norton did not.

The worm is also retrieving additional variations, so you can expect the
payload size to begin changing soon. The HTML message is easy to identify;
it is always the same (so far), and includes the phrase 'Run attached file'.
The bogus 'Undeliverable e-mail' variations have no commonality but the
payload attachment (that purports to be your bounced e-mail.) This will
likely change soon.

My guess is that the internet will not open on Monday.

Phil Weldon, (e-mail address removed)

 

Ng Pheng Siong

According to Phil Weldon said:
The other type of e-mail
is a fake notification of undeliverable e-mail. This one is a real bear.
There seem to be hundreds of variations in the body content and thousands of
variations in the header.

So far I've caught all of these using this procmail recipe:

:0 B
* ^<BR><BR><BR>(<BR>)*Undeliver
/dev/null

This scans the body for a string matching the regex in the second line. "*"
is a delimiter, not part of the regex.

The first several hundred I got had 3 <BR>'s, then it started coming with
4.

Similarly, the fake MS update first said "September 2003 Cumulative Patch",
then after several hundred I started to see "July 2003". I just saw one
"January 2000". The thing feels like it is mutating in response to filters!

My guess is that the internet will not open on Monday.

Civilisation is under attack.
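
Added example, not part of the original posts: the indicators mentioned in this thread (the POP3 script's size window, the procmail body pattern, and the 'Run attached file' phrase) combined into one Python 3 check that decodes each MIME text part before matching, so the result does not depend on the transfer encoding. The function names classify, text_bodies and sample are hypothetical, and all sample messages are constructed.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Body pattern from the procmail recipe. procmail matches case-insensitively
# by default and "^" anchors at a line start, hence re.I | re.M.
BOUNCE_RE = re.compile(r"^<BR><BR><BR>(<BR>)*Undeliver", re.I | re.M)
PATCH_PHRASE = "run attached file"    # phrase reported for the fake patch mail
MIN_SIZE, MAX_SIZE = 130000, 180000   # size window from the POP3 script


def text_bodies(raw):
    """Yield each text/* part with its transfer encoding (base64, QP) undone."""
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() == "text":
            yield (part.get_payload(decode=True) or b"").decode("latin-1")


def classify(raw):
    """Return which of the thread's indicators a raw message matches."""
    hits = []
    if MIN_SIZE <= len(raw) < MAX_SIZE:   # len(raw) approximates the LIST size
        hits.append("size-window")
    for body in text_bodies(raw):
        if BOUNCE_RE.search(body):
            hits.append("fake-bounce")
        if PATCH_PHRASE in body.lower():
            hits.append("fake-patch")
    return hits


def sample(html, cte=None, pad=0):
    """Build a constructed test message; pad adds a dummy attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(html, subtype="html", cte=cte)
    if pad:
        msg.add_attachment(b"\0" * pad, maintype="application",
                           subtype="octet-stream")
    return msg.as_bytes()


if __name__ == "__main__":
    # A 104 KByte attachment is about 142 KB once base64-encoded, which puts
    # the whole message inside the size window.
    for name, raw in [
        ("bounce, 3 <BR>", sample("<BR><BR><BR>Undeliverable message")),
        ("bounce, 4 <BR>, base64", sample("<BR><BR><BR><BR>Undelivered", "base64")),
        ("fake patch", sample("<P>Run attached file.</P>", pad=104 * 1024)),
        ("ordinary mail", sample("<P>Lunch on Monday?</P>")),
    ]:
        print(name, len(raw), classify(raw))
```
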
 

John Roth

So far, I have seen no copies of the worm on usenet. This may be
the result of my paying $$$ to a good usenet provider (Supernews.)
Unfortunately, my e-mail provider got the stupid idea that "delete"
meant "save a complete copy for 14 days just in case you want
to see it." Most of the stuff is going into two mailboxes that I need
to clean out manually every two or three hours (they're not my inbox,
so the POP3 script won't do it.)

It looks like two worms that just happened to hit at one time,
doesn't it?

John Roth
 

Phil Weldon

No, it is only one worm with multiple methods of attack.

#1. The fake 'security update' announcement purporting to be from Microsoft
(this e-mail is in HTML) and that includes an infected attachment. If you
don't have protection, opening this e-mail runs the attachment even if you
don't run it. So far the body of this vector doesn't vary, though the
header information does.

#2. The bogus 'Undeliverable e-mail' message in which everything seems to
vary except, so far, the infected attachment that purports to be your
bounced e-mail.

#3. The worm scans PtoP file-sharing data to spread further.

#4. The worm hijacks servers to act as a source from which to download
packages to vary the infectious e-mail.

#5. The worm can post to usenet. Here's the header of a post that appeared
this morning on alt.comp.periphs.mainboard.abit

Path:
newsspool1.news.atl.earthlink.net!stamper.news.atl.earthlink.net!elnk-atl-nf
1!newsfeed.earthlink.net!newshosting.com!news-xfer2.atl.newshosting.com!prox
ad.net!proxad.net!news-hub.cableinet.net!blueyonder!internal-news-hub.cablei
net.net!news-binary.blueyonder.co.uk.POSTED!53ab2750!not-for-mail
FROM: "Clive Skingle" <[email protected]>
NEWSGROUPS:
alt.comp.lang.php,alt.comp.mail.postfix,alt.comp.mail.qmail,alt.comp.malaysi
a,alt.comp.periphs.cdr,alt.comp.periphs.mainboard.abit,alt.comp.periphs.main
board.asus,alt.comp.periphs.mainboard.gigabyte,alt.comp.periphs.videocards.a
ti
SUBJECT: Watch this critical update from the M$
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="hilghfawbnhbqydk"
Lines: 2182
Message-ID: <[email protected]>
Date: Sat, 20 Sep 2003 11:27:59 GMT
NNTP-Posting-Host: 82.32.208.238
X-Complaints-To: (e-mail address removed)
X-Trace: news-binary.blueyonder.co.uk 1064057279 82.32.208.238 (Sat, 20 Sep
2003 11:27:59 GMT)
NNTP-Posting-Date: Sat, 20 Sep 2003 11:27:59 GMT
Organization: blueyonder (post doesn't reflect views of blueyonder)
Xref: news.earthlink.net alt.comp.lang.php:12068 alt.comp.mail.qmail:7299
alt.comp.malaysia:17767 alt.comp.periphs.cdr:403271
alt.comp.periphs.mainboard.abit:567500
alt.comp.periphs.mainboard.asus:661135
alt.comp.periphs.mainboard.gigabyte:41619
alt.comp.periphs.videocards.ati:145487
X-Received-Date: Sat, 20 Sep 2003 04:28:01 PDT
(newsspool1.news.atl.earthlink.net)

Phil Weldon, (e-mail address removed)
 

Dennis Lee Bieber

John Roth fed this fish to the penguins on Saturday 20 September 2003
08:11 am:
So far, I have seen no copies of the worm on usenet. This may be
the result of my paying $$$ to a good usenet provider (Supernews.)
Unfortunately, my e-mail provider got the stupid idea that "delete"
meant "save a complete copy for 14 days just in case you want
to see it." Most of the stuff is going into two mailboxes that I need
to clean out manually every two or three hours (they're not my inbox,
so the POP3 script won't do it.)

Sounds like the "suspect spam" folder I had active on Earthlink... I
was getting "mail box full" emails faster than I could empty that
folder (since it is only accessible via HTTP, and I'm on a dial-up).
I've essentially had to leave my home system running 24 hours a day
with email checks every 8 minutes (the dial-up logs off if idle 10
minutes).

One would think with the rather common format of the subject/from
lines (at least for the M$ Patch variations) the ISP could identify
them as known "spam" (which doesn't count against the 10MB mailbox
limit).

I'd sent an email to their support address... only to receive a form
letter saying they don't accept emails that weren't initiated via their
web site form... And the response to /that/ was never viewed by a
person -- some program scanned it, saw the word "spam" and sent another
form letter specifying they need the full headers of the message
(singular) I was complaining about. Almost makes me want to rig a
filter to send ALL of these to their spam evaluation address -- but if
downloading at ~44K is bad, think of the uplink at ~31K...


James Kew

Phil Weldon said:
My guess is that the internet will not open on Monday.

Yeah, well, death of the Internet's been predicted many times before and
hasn't happened yet.

F-Secure's writeup is pretty good at describing the various attacks and
texts the worm uses:
http://www.f-secure.com/v-descs/swen.shtml

FWIW, for me Bayesian filtering is doing a pretty good job on both the fake
security advisories and the fake bounce messages. (Somewhat ashamedly, I'll
admit to using POPFile (Perl) rather than the SpamBayes (Python) -- as a
POP3 proxy solution it seemed slightly slicker at the time...)

James
 

netvegetable

The worm uses newsgroup info from Outlook Express as well.

What's to stop a worm from retrieving header file info, and using the NNTP
posting header to actually hack people's computers?
 

Phil Weldon

Inboxer for Outlook is a plugin written with Python that will analyze
collections of what you consider legitimate e-mail and what you consider
illegitimate e-mail. I downloaded it and ran it against a collection of
1500 messages generated by the Worm.Automat.AHB and 265 of the latest
legitimate e-mails I've received. After the analysis, Inboxer has detected
about 250 Worm.Automat.AHB generated messages with no false negatives and no
false positives (granted there were only three new legitimate e-mails).

Phil Weldon
 

Karlheinz klingbeil

Alex said:
All my mailboxes have been filling up with files of about 130k to 150k, no
doubt copies of some immensely popular virus. So, I've no doubt lost lots
of real mail because of "mailbox full" conditions (the proliferating fake
bounce messages more or less ensure nobody knows their mail to me has
bounced, either).

As an emergency response I and Anna developed, over the last half hour, a
small Python script to be run from cron every few minutes and automatically
scrub any POP3 mailbox from files in the target size range. I'm saving
them to a local file for potential later perusal, but that's obviously


I have made a quick and dirty pop-cleaner, more configurable with size, regex
to deny and regular pattern match to explicitly allow mails.
Look at http://www.lunqual.de/popclean.zip (only 3kb)
 
