De-Sircam-ify

Sircam mail filter for Unix

De-Sircam-ify is a utility I developed when I had trouble finding a commercial mail filter for the Windows trojan/worm called Sircam and was tired of being inundated by its annoying messages. While I am primarily a Unix user and not worried about my own infection, I am personally sick of deleting over 40 messages a day. I have also run into space problems, as Sircam likes to fill system mail spools dangerously close to their maximum. I hope to release this soon in the usual open source style, in the hope that it will be useful. Good ol' selfish ingenuity paving the way for generosity?

What this is

desircamify is a Perl script designed to be called from .forward or /etc/aliases on a Unix account and to deliver only the messages not infected by Sircam. I have also gone to great lengths to make it compatible with the other usual residents of .forward files, including forwarding addresses, vacation, and various other filters and sorting programs. Here's a list of what is ready:

Latest Version: 0.91.1.6 (beta) [Nov 9, 2001]

Feature                    Status
System mail delivery       Ready, and compatible with (presumably) all MUAs (via the standard MDA). This includes Mailtool, Pine, Elm, Applix Mail, Netscape Mail and others. biff should also work in its various incarnations.
Forwarding                 Ready. Since this is called from userspace, Return-Path is not updated; an X-Comments header is added to carry trace information.
vacation                   Not tested. 'vacation' may still work, but it will also reply to every infected message. I intend to handle vacation specially in a future release so that it replies only to uninfected messages.
MH (slocal)                Ready and working.
Procmail                   Coming soon.
Elm filter                 Coming soon (if there's enough need).
Portable outside MathNet   Coming soon.

What this is not

This is not a program for Windows or any other non-Unix OS (I still haven't bothered making it portable outside of Math, let alone to most other Unix systems). It will not disinfect a computer that is already infected, or scan files that may carry the worm (it only checks for the email message signature). It will also not remove an infected attachment from an email, as my desired behaviour was to drop those emails completely. I have found commercial programs for those, luckily.

How it flags an infection

desircamify simply looks for an RFC 1521 (MIME) compliant multipart message whose body carries the Sircam worm's text signature. My signature definitions will only flag a message in which:

  1. lines 1, 3, and 5 of the first MIME part's body match one of the 4 English or 4 Spanish variations;
  2. the case of every word matches exactly;
  3. spacing within the signature is exact;
  4. punctuation marks may appear in any combination of literal or quoted-printable notation (hex digits in either case).

Currently the content of lines 2 and 4, and of any additional lines, is not checked. Also, an unanchored Perl regex match (m//) is used to detect the signature, so a message that has junk before or after the signature on each line is still flagged as infected. For instance a message that was simply replied to (with "> " indents) may be flagged. This will be made more strict in a future version.
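
To make the rules above concrete, here is an added example (not the desircamify script, which is Perl and is not published on this page): a Python re-implementation of the same checks, using Python's standard email parser to pull out the first MIME part. The eight signature lines are taken from CERT Advisory CA-2001-22 rather than from this page, which does not reproduce its own definition table; the three sample messages are constructed for the example. The `anchored` flag contrasts the unanchored match described above (which flags the quoted reply) with the stricter per-line match planned for a later version.

```python
# Added example: a Python re-implementation of the signature rules the page
# describes, not the Perl desircamify script itself.  Signature text is from
# CERT Advisory CA-2001-22 (the page's own definitions are not reproduced);
# the sample messages below are constructed for this example.
import re
from email import message_from_string

# Lines 1 and 5 are fixed per language; line 3 is one of four variants.
SIGNATURES = {
    "en": ("Hi! How are you?",
           ("I send you this file in order to have your advice",
            "I hope you can help me with this file that I send",
            "I hope you like the file that I sendo you",
            "This is the file with the information that you ask for"),
           "See you later. Thanks"),
    "es": ("Hola como estas ?",
           ("Te mando este archivo para que me des tu punto de vista",
            "Espero me puedas ayudar con el archivo que te mando",
            "Espero te guste este archivo que te mando",
            "Este es el archivo con la informacion que me pediste"),
           "Nos vemos pronto, gracias."),
}
PUNCTUATION = set("!?.,")


def line_pattern(text):
    """Regex for one signature line: words literal and case-sensitive, spacing
    exact, each punctuation mark literal or quoted-printable (=XX, either case)."""
    out = []
    for ch in text:
        if ch in PUNCTUATION:
            qp = "".join("[%s%s]" % (d, d.lower()) if d.isalpha() else d
                         for d in "%02X" % ord(ch))
            out.append("(?:%s|=%s)" % (re.escape(ch), qp))
        else:
            out.append(re.escape(ch))
    return "".join(out)


def first_part_lines(raw):
    """Raw, still transfer-encoded body lines of the first MIME part (or of the
    whole body when the message is not multipart)."""
    msg = message_from_string(raw)
    part = msg.get_payload()[0] if msg.is_multipart() else msg
    return part.get_payload(decode=False).splitlines()


def is_sircam(raw, anchored=False):
    """Return the matched language ("en"/"es") or None.  anchored=False is the
    behaviour the page describes (unanchored m//: junk before/after the
    signature on a line is tolerated, so quoted replies get flagged);
    anchored=True is the stricter per-line match planned for a later version."""
    lines = first_part_lines(raw)
    if len(lines) < 5:
        return None
    for lang, (first, middles, last) in SIGNATURES.items():
        pats = [line_pattern(first),
                "(?:%s)" % "|".join(line_pattern(m) for m in middles),
                line_pattern(last)]
        if anchored:
            pats = ["^%s$" % p for p in pats]
        # Lines 2 and 4, and anything after line 5, are deliberately ignored.
        if all(re.search(p, lines[i]) for p, i in zip(pats, (0, 2, 4))):
            return lang
    return None


# Constructed: Sircam-style multipart message whose first part writes the
# punctuation of lines 1 and 5 as quoted-printable escapes.
INFECTED = """\
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0"

------=_NextPart_000_0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi=21 How are you=3f

I send you this file in order to have your advice

See you later=2E Thanks
------=_NextPart_000_0
Content-Type: application/octet-stream; name="file.bin"
Content-Transfer-Encoding: base64

AAAA
------=_NextPart_000_0--
"""

# Constructed: a reply quoting an infected message with "> " indents.
REPLY = "Subject: Re: report\n\n> Hi! How are you?\n>\n" \
        "> I send you this file in order to have your advice\n>\n" \
        "> See you later. Thanks\n"

# Constructed: a clean message that shares lines 1 and 5 with the worm text.
CLEAN = "Subject: lunch\n\nHi! How are you?\n\nLunch at noon?\n\n" \
        "See you later. Thanks\n"
```

`is_sircam(INFECTED)` and `is_sircam(REPLY)` both return "en" with the default unanchored match, which is exactly the false positive described above; with `anchored=True` the reply is no longer flagged while the real sample still is. Both forms look only at the raw, undecoded text of the first part, so a body transferred in an encoding other than literal or quoted-printable text would not be matched by either.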

I referenced a few different anti-virus sites when I built the definitions, including

Downloading

--== General Community ==--

I hope to polish this up a bit soon before stamping a license and distributing it here. Stay tuned for a 1.0-pre release.

--== Penn State Math Department Users ==--

See the PSU Math Instructions for use page.

Usage

desircamify - for interactive mode (coming soon)

desircamify [options] - for normal filtering

Options Table

argument                 explanation
-u username              Your username. This usually isn't required, as the script will try to guess it from shell variables, but supplying it may keep the script from failing. It is required if you don't use any other arguments.
-e error-file            The full path of the error log file you wish to use. Otherwise errors silently go to /dev/null and you will have no record of a filter failure.
-f forward@address.net   Forward your filtered mail to another account. This takes precedence over -p.
-p program               Use an additional filtering/sorting program. Accepted values are: slocal (elmfilter and procmail are coming soon). [if absent, it will deliver to system mail]
-v level                 Verbosity: 0=drop all infected email silently, 1=send a message indicating that an infected email was found, 2=like 1, but include the full headers. [if absent, default=0]
-d level                 Debug level: 0=no debugging messages, 1=some, 2=all (mainly for coding uses). [if absent, default=0]

NOTE: You need at least one argument, or it will trigger the interactive mode that I am working on. Calling desircamify from .forward without arguments will therefore prevent any mail from reaching you.

Jeff D'Angelo <dangelo@math.psu.edu > Last updated: Saturday, 10-Nov-2001 13:53:58 EST