Sircam mail filter for Unix
De-Sircam-ify is a utility I developed when I had trouble finding a commercial mail filter for the Windows trojan/worm called Sircam and was tired of being inundated by the annoying messages. While I am primarily a Unix user and not worried about my own infection, I am personally sick of deleting over 40 messages a day. I have also run into space problems, as Sircam likes to fill up system mail spools dangerously close to their maximum. I hope to soon release this in the usual open source style in hopes it will be useful. Good ol' selfish ingenuity paving the way for generosity?
desircamify is a Perl script designed to be called from .forward or /etc/aliases on a Unix account and deliver only messages uninfected by Sircam. I have also gone to great lengths to make it compatible with various other residents of .forward files, including forwarding addresses, vacation, and various other filters and sorting programs. Here's a list of what is ready:
Latest Version: 0.91.1.6 (beta) [Nov 9, 2001]

| Feature | Status |
|---|---|
| System Mail Delivery | Ready, and compatible with (presumably) all MUAs (via the standard MDA). This includes Mailtool, Pine, Elm, Applix Mail, Netscape Mail and others. biff should also work in its various incarnations. |
| forwarding | Ready. Since this is called from user space, Return-Path is not updated. X-Comments is added to carry trace info. |
| vacation | Not tested; however, 'vacation' may still work (but it will reply to every infected message). I intend to handle vacation specially so it replies only to uninfected messages in a future release. |
| MH (slocal) | Ready and working. |
| Elm Filter | Coming soon (if there's enough need). |
| Portable outside MathNet | Coming soon. |
This is not a program for Windows or any other non-Unix OS (I still haven't bothered making it portable outside of Math, let alone to most Unix systems). It will not disinfect a computer already infected, or scan files that may carry the worm (it only checks for the email message signature). It will also not remove an infected attachment from an email, as my desired feature was to drop those emails completely. I have found commercial programs for those, luckily.
desircamify simply looks for an RFC 1521 compliant multipart MIME encoded message that has the Sircam worm signature in the body. My signature definitions will only flag a message that:
I referenced a few different anti-virus sites when I built the definitions, including
I hope to polish this up a bit soon before stamping a license and distributing it here. Stay tuned for a 1.0-pre release.
See the PSU Math Instructions page for usage.
desircamify - for interactive mode (coming soon)
desircamify [options] - for normal filtering
| Option | Meaning |
|---|---|
| -u username | Place your username here. This usually isn't required, as it will try to guess your name from shell variables, but it may help prevent the script from failing. It is required if you don't use any other arguments. |
| -e error-file | Specify the full path of the error log file you wish to use. Otherwise errors will silently go to /dev/null. |
| -f firstname.lastname@example.org | Use this option to forward your filtered mail to another account. This takes precedence over -p. |
| -p program | Use an additional filtering/sorting program. Accepted values are: slocal (elmfilter and procmail are coming soon). [If absent, it will deliver to system mail.] |
| -v 0 | Verbosity: 0 = drop all infected email silently, 1 = send a message indicating an infected email was found, 2 = like option 1, but include the full headers. [If absent, default = 0.] |
| -d 0 | Debug level: 0 = no debugging messages, 1 = some, 2 = all (mainly for coding uses). [If absent, default = 0.] |

NOTE: You need at least one argument, or it will trigger an interactive mode that I am working on. Calling desircamify from .forward without arguments will prevent any mail from reaching you.
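As an added illustration (this is not the desircamify script itself), the Python sketch below shows the shape of a filter like the one described above: parse the RFC 1521 multipart message, apply a signature check, honour the -v levels, and fail open so that a filter error never loses mail (the hazard the NOTE warns about). The is_sircam_like heuristic (Subject equal to the base name of a double-extension executable attachment) is drawn from public Sircam advisories, not from this page's own signature definitions, and the sample message is constructed.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Heuristic from public Sircam advisories, NOT this page's signature definitions: the
# worm mailed a document under a second, executable extension, using the base name as Subject.
DOC_EXT = {"doc", "xls", "zip"}
EXEC_EXT = {"pif", "lnk", "bat", "exe", "com"}


def is_sircam_like(msg):
    """True for a multipart message whose Subject is the base name of a double-extension attachment."""
    if not msg.is_multipart():
        return False
    subject = (msg.get("Subject") or "").strip().lower()
    for part in msg.iter_attachments():
        pieces = (part.get_filename() or "").lower().split(".")
        if (len(pieces) >= 3 and pieces[-1] in EXEC_EXT
                and pieces[-2] in DOC_EXT and ".".join(pieces[:-2]) == subject):
            return True
    return False

def filter_message(raw, verbosity=0):
    """Return (deliver, notice). deliver=True passes the message on untouched;
    notice is what a -v 1 or -v 2 run would send in place of a dropped message."""
    try:
        msg = message_from_bytes(raw, policy=default)
        infected = is_sircam_like(msg)
    except Exception:
        return True, None  # fail open: a filter error must never swallow real mail
    if not infected:
        return True, None
    if verbosity == 0:
        return False, None  # -v 0: drop silently
    notice = "desircamify: dropped a Sircam-infected message from %s" % (msg.get("From") or "?")
    if verbosity >= 2:  # -v 2: append the full headers
        notice += "\n\n" + "".join("%s: %s\n" % (k, v) for k, v in msg.items())
    return False, notice

def sample_message(infected):
    """Constructed message for the example; the infected form mimics the worm's shape."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["Subject"] = "report"
    msg.set_content("Constructed body text.")
    if infected:  # placeholder bytes, not an executable
        msg.add_attachment(b"not really a program", maintype="application",
                           subtype="octet-stream", filename="report.doc.pif")
    return msg.as_bytes()
```

In a real .forward deployment the deliver branch would hand the raw message to the MDA (or to the -p program), and the notice would go to the -e error log or the user.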
Jeff D'Angelo <email@example.com> Last updated: Saturday, 10-Nov-2001 13:53:58 EST