Swen Detection code

logistix at cathoderaymission.net
Sat Sep 20 18:18:54 EDT 2003


Writing pop3 filters in python seems to be a pretty popular activity
today. ;)

So far it looks like the actual executable attachment isn't mutating
like subject lines, from and to fields are.  I wrote some code that
scans message bodies for content-types that shouldn't be executable
(such as midis and wavs) and also scans content-types that should be
executable for the virus signature.

I just included the whole base64 encoded virus in the source file so
it's too large to post to usenet.  The code is available at:

http://www.cathoderaymission.net/~logistix/python/detectSwen.py

(I'll also email if anyone requests).

This code does NOT interface with pop or hit your mailserver.  It only
provides a predicate function for virus signature detection.  It also
doesn't do anything with bad bounces where the attachment has been
stripped.

As usual, use care when automatically deleting emails.

It'd also be a bad idea to do something like
file("test.exe","wb").write(base64.decodestring(virusSig)) ;)
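An added example, not part of the original post and not the code in detectSwen.py: a minimal predicate for the two checks described above. It assumes a SHA-256 digest of the decoded attachment in place of the embedded base64 signature, and the type lists, function names and sample messages are constructed for illustration.

```python
import email
import hashlib
from email.message import EmailMessage

# Assumed policy lists (not from the post, which names only midis and wavs).
NON_EXEC_MAINTYPES = {"audio", "image"}   # media types that should never carry a program
EXEC_CTYPES = {"application/octet-stream", "application/x-msdownload"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")

def classify(raw, known_sha256):
    """Return 'mismatch', 'signature' or None for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        name = (part.get_filename() or "").lower()
        if part.get_content_maintype() in NON_EXEC_MAINTYPES:
            # Declared as media, but carries DOS/PE magic or a program extension.
            if data[:2] == b"MZ" or name.endswith(EXEC_EXTS):
                return "mismatch"
        elif part.get_content_type() in EXEC_CTYPES or name.endswith(EXEC_EXTS):
            # Legitimately executable type: compare against known-bad digests.
            if hashlib.sha256(data).hexdigest() in known_sha256:
                return "signature"
    return None

def build_sample(payload, maintype, subtype, filename):
    """Constructed test message with one attachment (harmless bytes only)."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()

# Harmless stand-in for the attachment; its digest plays the role of the signature.
PLACEHOLDER = b"HARMLESS-PLACEHOLDER-BYTES"
KNOWN = {hashlib.sha256(PLACEHOLDER).hexdigest()}

if __name__ == "__main__":
    samples = [
        build_sample(b"MZ" + b"\0" * 32, "audio", "x-wav", "song.wav"),
        build_sample(PLACEHOLDER, "application", "octet-stream", "patch.exe"),
        build_sample(b"RIFF\x24\x00\x00\x00WAVEfmt ", "audio", "x-wav", "song.wav"),
    ]
    for raw in samples:
        print(classify(raw, KNOWN))
```

Like the predicate in the post, this only classifies a message; fetching mail and deciding what to do with a hit are left to the caller.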



