python script as an emergency mailbox cleaner

Phil Weldon pweldon at mindspring.com
Sat Sep 20 10:37:45 EDT 2003


It's a worm.  Worm.Automat.AGH.  This is going to be a bad one.  The worm
installs, among other things, an SMTP engine, searches an infected system
for email addresses, and sends two types of e-mail:  the first is HTML and is
a fake "security patch" supposedly from Microsoft.  It looks very official,
but the attachment, 104 KBytes long, is infectious.  Norton Antivirus
definitions only began to identify it with the 18SEP03 manual definition
update.  The worm also posts to usenet newsgroups.  The other type of e-mail
is a fake notification of undeliverable e-mail.  This one is a real bear.
There seem to be hundreds of variations in the body content and thousands of
variations in the header.  The infectious package is also about 104 KBytes.
I'm getting nearly 100 of the two types per hour.  Norton Antivirus does not
detect the worm in usenet posts read by Outlook Express Newsreader or Outlook
Newsreader.  Only when you attempt to open the attachment or save the
attachment to disk will Norton identify it.  Norton will NOT detect the
virus in the newsgroup posts folder NOR will it detect the newsgroup folder
in a full system scan.  It will not remove the infected file from the
newsgroup folder, but it will prevent execution of the vermal payload.

Microsoft Outlook with the SP3 security update when used as your e-mail
reader protects against infection.  Prior to 18SEP03 Norton did not.

The worm is also retrieving additional variations, so you can expect the
payload size to begin changing soon.  The HTML message is easy to identify;
it is always the same (so far), and includes the phrase 'Run attached file'.
The bogus 'Undeliverable e-mail' variations have no commonality but the
payload attachment (that purports to be your bounced e-mail).  This will
likely change soon.

My guess is that the internet will not open on Monday.

Phil Weldon, pweldon at mindspring.com

"Alex Martelli" <aleax at aleax.it> wrote in message
news:G6Zab.127313$R32.3854946 at news2.tin.it...
> All my mailboxes have been filling up with files of about 130k to 150k, no
> doubt copies of some immensely popular virus.  So, I've no doubt lost lots
> of real mail because of "mailbox full" conditions (the proliferating fake
> bounce messages more or less ensure nobody knows their mail to me has
> bounced, either).
>
> As an emergency response I and Anna developed, over the last half hour, a
> small Python script to be run from cron every few minutes and automatically
> scrub any POP3 mailbox from files in the target size range.  I'm saving them
> to a local file for potential later perusal, but that's obviously easy to
> comment out if needed.  Here's the tiny script in question...:
>
> import poplib
> import time
>
> print 'Start at', time.asctime()
>
> host = 'pop.mail.yahoo.com'
> port = 110
> user = 'aleaxit'
> pasw = 'secret'
>
> logfilename = 'bigjunk'
> minsize = 130000
> maxsize = 180000
> fromtag = 'From aleaxit at yahoo.com  %s\n'
>
> ps = poplib.POP3(host, port)
> ps.user(user)
> ps.pass_(pasw)
>
> messages = ps.list()
> print '%d messages, %d bytes' % (len(messages[1]), messages[-1])
>
> logfile = open(logfilename, 'a')
>
> for sms in messages[1]:
>     sid, ssize = sms.split()
>     if minsize <= int(ssize) < maxsize:
>         message = ps.retr(sid)
>         print 'retrieving and deleting msg#%s, %d bytes, %d lines' % (
>             sid, message[-1], len(message[1]))
>         logfile.write(fromtag % time.asctime())
>         for line in message[1]:
>             logfile.write(line)
>             logfile.write("\n")
>         logfile.write('\n')
>         ps.dele(sid)
>
> ps.quit()
>
> print 'Done at', time.asctime()
> print
>
>
> Hope it can come in useful to somebody...!!!
>
> Alex & Anna
>
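A Python 3 rework of the scrubber quoted above, added here as an example and not Alex and Anna's script. It keeps their size-window rule (the cheap check that avoids downloading normal mail) and adds the two content clues from Phil's description: the 'Run attached file' phrase in the HTML lure, and an executable-looking attachment of roughly 104 KB. The size bounds, the lure phrase list, the extension list, the FakePOP3 stand-in and the sample messages are all assumptions constructed for offline use; against a real server you would pass a poplib.POP3 or POP3_SSL object after user()/pass_() in place of FakePOP3.

```python
"""Emergency POP3 scrubber (added example): quarantine mail in the worm's
size window that carries a lure phrase or an executable attachment."""
import email
import io
import time
from email import policy
from email.message import EmailMessage

MINSIZE = 100_000   # assumed window: Phil reports ~104 KB payloads,
MAXSIZE = 180_000   # Alex saw 130-150 KB messages on the wire
LURE_PHRASES = ("run attached file",)               # from Phil's description
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed list


def suspicious_attachments(msg):
    """Names of attachments whose extension marks them as executable."""
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    return [n for n in names if n.endswith(EXEC_EXTENSIONS)]


def classify(raw):
    """Return a short reason if the message looks like the worm, else None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content().lower() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase in text:
            return "lure phrase %r" % phrase
    names = suspicious_attachments(msg)
    if names:
        return "executable attachment " + names[0]
    return None


def scrub(pop, logfile):
    """Quarantine matching messages to logfile, delete them from the server.

    `pop` needs poplib.POP3's list/retr/dele calls; returns [(msgnum, reason)]."""
    _resp, listing, _octets = pop.list()
    removed = []
    for entry in listing:
        sid, ssize = entry.decode().split()
        if not (MINSIZE <= int(ssize) < MAXSIZE):
            continue                         # size gate before any download
        _resp, lines, _octets = pop.retr(sid)
        raw = b"\n".join(lines) + b"\n"
        reason = classify(raw)
        if reason is None:
            continue                         # big but not worm-like: keep it
        logfile.write(("From quarantine  %s  (%s)\n" % (time.asctime(), reason)).encode())
        logfile.write(raw + b"\n")
        pop.dele(sid)
        removed.append((sid, reason))
    return removed


def _build(subject, text, html=False, attachment=None):
    """Construct a sample message (test data, not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    if html:
        msg.add_alternative("<html><body><p>%s</p></body></html>" % text, subtype="html")
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


PAYLOAD = b"MZ" + bytes(104_000)   # 104 KB of zeros standing in for the payload
SAMPLES = {                        # constructed mailbox, in POP3 message order
    "1": _build("Security Update", "Run attached file to install the patch.",
                html=True, attachment=("patch.exe", PAYLOAD)),
    "2": _build("Undeliverable mail", "Your message could not be delivered.",
                attachment=("bounce.pif", PAYLOAD)),
    "3": _build("Q3 report", "Attached is the quarterly report.",
                attachment=("report.pdf", bytes(110_000))),   # large but legitimate
    "4": _build("Lunch?", "Are you free at noon?"),             # below the window
}


class FakePOP3:
    """Stand-in for poplib.POP3 offering the three calls scrub() uses."""
    def __init__(self, mailbox):
        self.mailbox = dict(mailbox)
        self.deleted = []

    def list(self):
        listing = [("%s %d" % (sid, len(raw))).encode() for sid, raw in self.mailbox.items()]
        return b"+OK", listing, sum(len(line) for line in listing)

    def retr(self, sid):
        raw = self.mailbox[sid]
        return b"+OK", raw.splitlines(), len(raw)

    def dele(self, sid):
        self.deleted.append(sid)


def demo():
    """Run the scrubber over the constructed mailbox; returns (removed, deleted)."""
    pop = FakePOP3(SAMPLES)
    with io.BytesIO() as quarantine:
        removed = scrub(pop, quarantine)
    return removed, pop.deleted


if __name__ == "__main__":
    print(demo())   # messages 1 and 2 are quarantined, 3 and 4 are left alone
```

The order of checks matters for the false-positive rate: the size gate runs on the LIST reply so nothing outside the window is ever fetched, and a large message is only deleted when its content also matches, so a legitimate 150 KB report survives the run.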