I've prepared a couple of scripts which I'm using to report Swen headers
and body to originating ISPs.

I don't know if it's a result of this or not, but my received Swen has
fallen off significantly Friday 14 Nov. compared with the 24 hours
preceding.

Do *not* trust the scripts for fully automated processing.  However, if
you can filter viral mail to a separate folder and weed out any false
positives, the reporting works pretty well.

There is an explicit assumption that the Swen-originating SMTP server
identifies itself accurately.  MOST SPAM AND MANY VIRUSES DON'T DO THIS.
These scripts are special purpose.

They're also pretty naive: bash shell and sed respectively.  No
warranty, take your own risks, GPL.



Use:

  - Two scripts.  'reportSwen' and 'fqdn2domain'.  The first reports the
    mail.  The second returns a domain from an fqdn, and is called by
    the first.

  - Scripts work on directory-based mail folders (Maildir, MH, etc.).
    *NOT* mbox.  Sorry.

  - The reportSwen script requires modifications -- substitute
    appropriate values to match your mailserver, signature, etc.

  - You'll need to delete the dummy delivery line and uncomment the true
    delivery line.  Otherwise you just get a report to stdout ;-)

  - There are several possible modifications suggested as well.

  - To run on a directory's worth of mail:

      $ reportSwen *

  - Direct any support questions to this list, not me.


Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
      http://sco.iwethey.org/
#!/bin/sed -nf
#
# Copyright (C) 2003   Karsten M. Self
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
# 
# ----------------------------------------------------------------------
#
# Save this as ~/bin/fqdn2domain and make it executable; that is the name
# reportSwen calls it by.  It trims an FQDN to just the appropriate
# registered domain.  Useful in filing, say, complaints to abuse@ and
# postmaster@ addresses.
#
# The domains listed are a rough cut, you may need to update the list(s)
# over time.
# ----------------------------------------------------------------------


# IP literals ("[192.0.2.1]" or a bare dotted quad) have no registered
# domain.  Print nothing, which reportSwen treats as "don't report":
/^\[.*\]$/d
/^[0-9.]*$/d

# Exceptions.  Domains generally in RFC ignorant
# (http://www.rfc-ignorant.org).  Specific mappings.  Under 'sed -n' the
# mapped name must be printed explicitly, and the line deleted so that no
# later rule re-trims it:
/wanadoo\.fr$/ {
    s/.*/francetelecom.com/p
    d
}


# ----------------------------------------------------------------------


# "Standard - nationalized": net|com|edu|gov.<country-TLD> style.  Each
# address and its opening '{' must be on one line; sed rejects a newline
# between them.  Alternation with \| is a GNU sed extension.
/\.\(net\|com\|edu\|mil\|gov\)\.\(ae\|ar\|au\|br\|cn\|do\|il\|mx\|my\|np\|nz\|ph\|pk\|pl\|sg\|tr\|tw\|ua\)$/ {
    /^.*\.\([^.]\{1,\}\.[^.]\{1,\}\.[^.]\{1,\}\)$/s//\1/p
    d
}

# "Commonwealth" (ac|co|ne).<country-TLD> style:
/\.\(ac\|co\|ne\)\.\(nz\|th\|uk\|za\)$/ {
    /^.*\.\([^.]\{1,\}\.[^.]\{1,\}\.[^.]\{1,\}\)$/s//\1/p
    d
}

# Japan
/\.\(ac\|ad\|co\|ed\|go\|gr\|ne\|or\|geo\)\.\(jp\)$/ {
    /^.*\.\([^.]\{1,\}\.[^.]\{1,\}\.[^.]\{1,\}\)$/s//\1/p
    d
}

# State/province + country
# Canada
/\.\(ab\|bc\|mb\|nb\|nl\|ns\|nt\|nu\|on\|pe\|qc\|sk\|yt\)\.\(ca\)$/ {
    /^.*\.\([^.]\{1,\}\.[^.]\{1,\}\.[^.]\{1,\}\)$/s//\1/p
    d
}
# United States of America
/\.\(ak\|al\|ar\|as\|az\|ca\|co\|ct\|dc\|de\|fl\|ga\|gu\|hi\|ia\|id\|il\|in\|ks\|ky\|la\|ma\|md\|me\|mi\|mn\|mo\|mp\|ms\|mt\|nc\|nd\|ne\|nh\|nj\|nm\|nv\|ny\|oh\|ok\|or\|pa\|pr\|ri\|sc\|sd\|tn\|tx\|um\|ut\|va\|vi\|vt\|wa\|wi\|wv\|wy\)\.\(us\)$/ {
    /^.*\.\([^.]\{1,\}\.[^.]\{1,\}\.[^.]\{1,\}\)$/s//\1/p
    d
}

# Other/default (usually: com|org|edu|mil|gov).  Keeps the last two labels
# of a name with three or more; a bare two-label name prints nothing,
# which reportSwen treats as "can't work out domain".
/^.*\.\([^.]\{1,\}\.[^.]\{1,\}\)$/s//\1/p

#!/bin/bash
# reportSwen
# Karsten M. Self
#
# Copyright (c) 2003  Karsten M. Self
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
# 
# ----------------------------------------------------------------------
#
# Supply one or more files as arguments, script identifies base domain,
# and sends report to both abuse@ and postmaster@ address.
#
# This requires that the upstream MTA feeding to *your* MTA (or your
# ISP's POP server) be properly identified.  Swen does this, other
# viruses or spam may not.
#
# Original design intent is for mailbox formats in which a directory
# contains multiple email messages (e.g.:  maildir, MH).
#
# TO MAKE THIS WORK:  You will have to modify:
# 
#   - "MY_SMTP_SERVER" -- supply a string identifying your or your ISP's
#     SMTP server.
# 
#   - "SIGNATURE" -- supply your name and reply address (if you want)
# 
#   - Edit the recipients list as appropriate.  Default is to send mail to
#     abuse@ and postmaster@ originating domain, plus the US Government's 
#     UCE reporting address.  If you are registered with abuse.net, you
#     may wish to add an address for this as well.
# 
#   - Test the script and see if the results and addresses are as you
#     expect.
# 
#   - Delete the 'dummy' delivery line at the end of the loop, and
#     uncomment the line above it, to enable delivery of mails.
# 
# Happy reporting.
# 
# ----------------------------------------------------------------------


export PATH=/usr/local/bin:/usr/bin:/bin

# Following string identifies *YOUR* MTA or ISP's SMTP server receiving
# mail.  It is used as a grep regexp against the Received: headers, so
# make it specific enough to match only the "by <your server>" clause of
# the header your own server added (e.g. "by mx\.example\.net"); a bare
# host name also matches the hop your ISP added *after* yours, which
# names your server in its "from" clause.
MY_SMTP_SERVER="YOUR MAILSERVER REGEXP OR STRING"

# Subject of generated mail
SUBJECT="Swen / Virus / Spam mail from your domain - full headers"

# Signature line for mail
SIGNATURE="Your Name <Your email address>"

# FTC spam reporting address (uce@ftc.gov at the time of writing; confirm
# it is still current before enabling delivery).
FTCUCE="uce@ftc.gov"


# Build the report text from the current message's variables.  Below it is
# either piped to mutt (real delivery) or sent to stdout (dry run).
report_text() {
cat <<EOF
The following mail appears to have originated from your domain,
and contains a virus or unsolicited executable content.

It's quite likely the sender's box is infected.

I request that outbound SMTP traffic from the source box be
disabled, and the subscriber or owner notified.

Headers and $BODYLINES lines of body (to the start of the viral payload)
follow.

$SIGNATURE
---------------------------------------------------------------------

$REPORT

---------------------------------------------------------------------
EOF
}

i=0

# Loop over arguments, report each.
for mail in "$@"
do

    i=$(( i + 1 ))

    # Unfold continuation lines (formail -c) so each Received: header's
    # "from <host> ... by <server>" sits on one line, keep the one whose
    # "by" clause names our own server, and take the first token after
    # "from ": the name the peer announced in HELO/EHLO.  Swen gives its
    # real host name there; most spam does not, hence the warning above.
    BASE_DOM=$(
        formail -c -X '' < "$mail" |
            grep "$MY_SMTP_SERVER" |
            grep '^Received: from' |
            sed -e 's/^Received: from //' -e 's/ .*$//' |
            ~/bin/fqdn2domain
    )

    # Skip the report if no domain could be worked out, or if more than
    # one Received: line matched (MY_SMTP_SERVER is then too loose).
    if [ -z "$BASE_DOM" ]; then
        echo "$i: Null domain, not reporting: $mail"
        continue
    fi
    case $BASE_DOM in
        *$'\n'*) echo "$i: Ambiguous origin, not reporting: $mail"; continue ;;
    esac

    POSTMASTER="postmaster@$BASE_DOM"
    ABUSE="abuse@$BASE_DOM"
    # abuse.net forwards <domain>@abuse.net to that domain's registered
    # abuse contacts.  Only useful if you are registered with abuse.net;
    # not in the default recipient list below.
    ABUSENET="$BASE_DOM@abuse.net"

    # All headers, indented two spaces.
    HEADER="$( formail -X '' < "$mail" | sed -e 's/^/  /' )"
    # Body up to the first line of the base64-encoded attachment (or the
    # whole body if there is none).  "TVqQAAMAAAA" is base64 for the bytes
    # 4D 5A 90 00 03 00 00 00 that open a Win32 executable ("MZ" header),
    # so the payload itself is never forwarded.
    BODY="$(
        formail -I '' < "$mail" |
        sed -ne '1,/^TVqQAAMAAAA/p' |
        sed -e 's/^/  /'
        )"

    BODYLINES=$(( $( printf '%s\n' "$BODY" | wc -l ) ))

    # printf rather than echo: bash's echo does not expand "\n".
    REPORT=$( printf '%s\n\n%s\n' "$HEADER" "$BODY" )

    echo "$i: Reporting $mail to $ABUSE, $POSTMASTER and $FTCUCE"

    # Send report
    # Uncomment the following line.  Delete the line after it.
    # report_text | mutt -s "$SUBJECT" "$ABUSE" "$POSTMASTER" "$FTCUCE"
    report_text
done
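
The two steps the scripts perform, as an added example that is not part of Karsten's code: a Python version of reportSwen's Received: header walk and of fqdn2domain's domain trim, written so the trust boundary is explicit. Only the Received: line our own MTA wrote can be believed, and within it the bracketed IP is what the MTA saw on the socket while the HELO name is the peer's claim; this version therefore reports only when reverse DNS agrees with the HELO name, which is stricter than reportSwen. Everything named below is constructed for the example: the suffix table is a partial stand-in for the sed rules (real code should load the Public Suffix List), MY_SERVER_RE stands in for MY_SMTP_SERVER, and both sample messages are made up, the second showing the forged-HELO case the post warns about.

```python
"""Added example, not code from the original post: the Received: header
walk of reportSwen and the domain trim of fqdn2domain, done with a parser.
Constructed for the example: the partial suffix table (stand-in for the
sed rules; real code should load the Public Suffix List), MY_SERVER_RE
(stand-in for MY_SMTP_SERVER) and both sample messages."""
import email
import ipaddress
import re

# Suffixes under which the registrable domain is three labels deep (the
# com.au / co.uk / co.jp / on.ca / ny.us rules of fqdn2domain).  Partial.
TWO_LABEL_SUFFIXES = {
    "com.au", "net.au", "com.br", "co.uk", "ac.uk", "co.nz", "co.za",
    "co.jp", "ne.jp", "or.jp", "on.ca", "bc.ca", "ny.us", "ca.us",
}
# Providers whose abuse desk is elsewhere (fqdn2domain's wanadoo.fr rule).
OVERRIDES = {"wanadoo.fr": "francetelecom.com"}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def registered_domain(fqdn):
    """Trim a host name to the domain whose abuse@/postmaster@ gets the report.
    Returns None for anything that is not a registrable domain (IP literal,
    bare TLD or public suffix, malformed name), so the caller skips it
    instead of mailing abuse@<tld>."""
    host = fqdn.strip().lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(labels) or _is_ip_literal(host):
        return None
    for suffix, target in OVERRIDES.items():
        if host == suffix or host.endswith("." + suffix):
            return target
    depth = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-depth:]) if len(labels) >= depth else None


# sendmail/Postfix layout "from <helo> (<rdns> [<ip>]) ... by <server>";
# Exim and qmail write the clause differently and would need extending.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def find_origin(raw_mail, my_server_re):
    """Return what our own MTA logged about the peer that handed it the mail.
    Received: headers are newest first, so the first one whose "by" clause
    names our server is the hop we wrote; everything beneath it came from
    the sender and may be forged.  Matching the "by" clause only (not the
    whole line, as reportSwen's grep does) also skips the ISP's later hop."""
    msg = email.message_from_string(raw_mail)
    for received in msg.get_all("Received", []):  # folded; DOTALL copes
        m = RECEIVED_RE.search(received)
        if not m or not re.search(my_server_re, m.group("by")):
            continue
        helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
        if rdns and rdns.lower() == "unknown":  # Postfix: no reverse DNS
            rdns = None
        domain = registered_domain(helo)  # the same name reportSwen uses
        # The IP is what our MTA saw on the socket; the HELO name is only
        # the peer's claim.  Report only when reverse DNS agrees with it:
        # stricter than reportSwen, which reports on the HELO name alone.
        trusted = bool(domain and rdns and rdns.lower() == helo.lower())
        return {"helo": helo, "rdns": rdns, "ip": ip, "domain": domain,
                "report_to": [f"abuse@{domain}", f"postmaster@{domain}"]
                if trusted else []}
    return None


# Constructed: mx.home.example (ours) took the mail from a DSL host whose
# HELO and reverse DNS agree; the ISP's POP relay then copied it onward.
SAMPLE_MAIL = """\
Received: from mx.home.example (mx.home.example [198.51.100.2])
\tby pop.isp.example (8.12.10/8.12.10) with ESMTP id hAEKx1Wz012345;
\tFri, 14 Nov 2003 20:59:01 GMT
Received: from dsl-203-0-113-9.customer.provider.net.au
\t(dsl-203-0-113-9.customer.provider.net.au [203.0.113.9])
\tby mx.home.example (Postfix) with ESMTP id 3F4C2D1;
\tFri, 14 Nov 2003 20:58:47 +0000
"""
# Constructed: the case the post warns about, a forged HELO with no
# matching reverse DNS.  Nothing should go to victim.example.
FORGED_MAIL = """\
Received: from mail.victim.example (unknown [203.0.113.77])
\tby mx.home.example (Postfix) with ESMTP id 9A1B2C3;
\tFri, 14 Nov 2003 21:02:13 +0000
"""
MY_SERVER_RE = r"^mx\.home\.example$"  # stand-in for MY_SMTP_SERVER
```

With the real Public Suffix List loaded into TWO_LABEL_SUFFIXES (plus the hand-kept OVERRIDES), registered_domain() replaces the sed script one for one, including the two-label names it currently drops. find_origin() returns None when no header's "by" clause matches, the same outcome as reportSwen's "Null domain, not reporting"; a result with an empty report_to is the false positive the post asks you to weed out by hand.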
