Hello all,
I just got word that SirCam-infected mails were clogging our outgoing
queue. So I whipped up this little program which will purge your queue of
SirCam-infected mail. It writes a log (/tmp/sircam.log) containing the
list of your users who are infected (may be useful if you have lots of
users).
Note that this method is much smarter than blindly grepping your outgoing
queue: it minimizes disk usage and can go through a 5GB queue in seconds.
=)
I'm sending this to the list in the hope that you'll find it useful. Note
that it only works on sendmail. I think Postfix already has a better
method of doing this sort of thing.
--
Orlando Andico <[EMAIL PROTECTED]>
Mosaic Communications, Inc.
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d(-) s: a-25 C++++ UBLSI++++$ P+++ L+++>++++ E- W++ N(+)
o K? w O-- M- !V PS(++) PE- Y PGP-- t(+)@ 5(+) X++@ R(+) tv@
b++ DI++ G e++@ h--(*) r% y+
------END GEEK CODE BLOCK------
#!/usr/local/bin/perl
# remove files from mail queue which contain SirCam
use strict;
use warnings;
use IO::Handle;

# just change this line to point to your spool directory.
# sendmail keeps each queued message as a pair of files: df<id>
# (the message body) and qf<id> (the control file with the envelope).
my @files = glob("/mq/1/dff*");

open (my $log, ">>", "/tmp/sircam.log") or die "can't open /tmp/sircam.log: $!";
$log->autoflush (1);

my $total = 0;
for my $this (@files) {
    # now check the size: only files between 200K and 220K are looked at,
    # which is the window SirCam mails fall into; everything else is
    # skipped without ever being opened
    my @arr = stat($this);
    next unless @arr;   # gone already (delivered meanwhile)
    my $size = $arr[7];
    next unless ($size > 200000) && ($size < 220000);

    print STDERR "Testing: $this ($size): ";
    # read in the first few bytes from the file,
    # then look for the telltale signs..
    my $chunk;
    if (open (my $fh, "<", $this)) {
        read ($fh, $chunk, 5000);
        close ($fh);
    }
    unless (defined $chunk) {
        print STDERR "unreadable\n";
        next;
    }
    if ($chunk =~ /I send you this file in order to have your advice/) {
        $total++;
        print STDERR "contains SirCam\n";
        my $data_file = $this;
        # the control file has the same queue ID with a qf prefix;
        # only swap the prefix of the last path component
        my $control_file = $this;
        $control_file =~ s{/df([^/]*)$}{/qf$1};
        # open the control file, get the username
        # so we can log that this guy is infected
        my $chunk2 = "";
        if (open (my $cf, "<", $control_file)) {
            read ($cf, $chunk2, 400);
            close ($cf);
        }
        my $user = "(bounced)";
        # an R line in the qf file is a recipient: the flags (PFD) come
        # before the colon, the address after it
        if ($chunk2 =~ /^RPFD:(.*)/m) {
            $user = $1;
            print {$log} $user, "\n";
        }
        print STDERR "\t$user: $data_file $control_file\n";
        unlink ($data_file)    or warn "unlink $data_file: $!";
        unlink ($control_file) or warn "unlink $control_file: $!";
    } else {
        print STDERR "is clean\n";
    }
}
print {$log} "\nTOTAL $total files\n\n";
close ($log);
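The same approach as the script above (size pre-filter, peek at the first few KB of the df data file for the worm's body text, pair it with the qf control file by queue ID, then purge the pair), written up as an added Python example that is not part of the original post. Two things differ from the posted script, and both are design choices rather than sendmail behaviour: it defaults to a dry run, because sendmail may be mid-delivery on a file you are about to unlink (stop the queue runner before purging for real), and it records both the envelope sender (the `S` line) and the recipients (the `R<flags>:` lines) from the control file so you can decide which one to treat as "the infected user". The queue directory, queue IDs, addresses and file contents below are constructed for the example; the `200K-220K` window and the `RPFD:` flag string are taken from the post, not re-verified against any sendmail version.

```python
import os
import re
import tempfile

# Worm body text quoted in the post; only PEEK bytes of each data file are read.
SIGNATURE = b"I send you this file in order to have your advice"
SIZE_MIN, SIZE_MAX = 200_000, 220_000
PEEK = 5000

# sendmail qf control file: one 'S<sender>' line, one 'R<flags>:<addr>' line
# per recipient (flags such as PFD precede the colon). Constructed layout.
SENDER_RE = re.compile(rb"^S(.*)$", re.M)
RECIP_RE = re.compile(rb"^R[A-Za-z]*:(.*)$", re.M)


def parse_control(path):
    """Return (sender, [recipients]) from a qf control file, or (None, [])."""
    try:
        with open(path, "rb") as fh:
            ctl = fh.read()
    except FileNotFoundError:
        return None, []
    m = SENDER_RE.search(ctl)
    sender = m.group(1).decode("ascii", "replace").strip().strip("<>") if m else None
    recips = [r.decode("ascii", "replace").strip() for r in RECIP_RE.findall(ctl)]
    return sender, recips


def scan_queue(qdir, dry_run=True, size_window=(SIZE_MIN, SIZE_MAX)):
    """Return [(queue_id, sender, recipients)] for infected messages in qdir.

    With dry_run=True nothing is touched; with dry_run=False both the df and
    qf file of every hit are unlinked.
    """
    hits = []
    for name in sorted(os.listdir(qdir)):
        if not name.startswith("df"):
            continue
        qid = name[2:]
        data = os.path.join(qdir, name)
        control = os.path.join(qdir, "qf" + qid)
        try:
            size = os.stat(data).st_size
        except FileNotFoundError:
            continue  # delivered (or removed) between listdir and stat
        if not (size_window[0] < size < size_window[1]):
            continue  # cheap filter: never open files outside the window
        with open(data, "rb") as fh:
            if SIGNATURE not in fh.read(PEEK):
                continue
        sender, recips = parse_control(control)
        hits.append((qid, sender, recips))
        if not dry_run:
            for path in (data, control):
                try:
                    os.unlink(path)
                except FileNotFoundError:
                    pass
    return hits


def build_sample_queue(qdir):
    """Constructed sample queue: one SirCam message (fA1), one clean message
    of similar size (fB2) and one small message (fC3)."""
    body = b"Hi! How are you?\r\n\r\n" + SIGNATURE + b"\r\nSee you later. Thanks\r\n\r\n"
    worm = body + b"UEsDBBQAAAAIA" * 16000          # base64-looking filler, ~208 KB
    clean = b"Quarterly report attached.\r\n" + b"QUFBQUFB" * 26000  # ~208 KB
    for qid, data, sender in (("fA1", worm, "alice@example.com"),
                              ("fB2", clean, "carol@example.com"),
                              ("fC3", b"short note\r\n", "dave@example.com")):
        with open(os.path.join(qdir, "df" + qid), "wb") as fh:
            fh.write(data)
        with open(os.path.join(qdir, "qf" + qid), "wb") as fh:
            fh.write(b"V4\nT995000000\nK0\nN0\nP30000\n"
                     b"S<" + sender.encode() + b">\n"
                     b"RPFD:bob@example.org\n"
                     b"H??Subject: hello\n.\n")


def demo():
    """Dry run over the constructed queue, then a real purge."""
    with tempfile.TemporaryDirectory() as qdir:
        build_sample_queue(qdir)
        found = scan_queue(qdir)                      # report only
        still_there = os.path.exists(os.path.join(qdir, "dffA1"))
        removed = scan_queue(qdir, dry_run=False)     # purge the hits
        left = sorted(os.listdir(qdir))
    return found, still_there, removed, left


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a copy of a real queue directory first with the default dry run; the returned tuples are what the post writes to `/tmp/sircam.log`, plus the sender, so you can check that the `RPFD:` address really is the user you expect before switching `dry_run` off.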