SwenDeleter Home Page

News

The newest version is 1.4.1.

SwenDeleter 1.4.1 was released last Mon, 19 Jan 2004.

SwenDeleter 1.4 was released last Sun, 26 Oct 2003.

Ron Newman reported a false positive: a legitimate mail bigger than 105K
whose headers matched the patterns we use to identify the worm. It is the
only one we are aware of in the whole life of the project, but be careful
and preferably run the script in interactive mode if you can.

No false negative has been reported since 1.3 was released (that was
Fri, 26 Sep 2003 21:34:59 UTC).

Description

SwenDeleter tries to identify email messages infected with the Swen.A
worm in POP3 mailboxes and delete them on the server. It applies some
heuristics to the headers and size of the messages, in order to avoid
downloading the actual email, thus making retrievals less taxing. It has
both interactive and nonstop modes.

Screenshot

This is a SwenDeleter session in interactive mode:

Download

System independent: swendeleter-1.4.1.src.tar.gz (Source, requires Perl and Net::POP3)
Windows: swendeleter-1.4.1.src.zip (Source, requires Perl)
  swendeleter-1.4.1.bin.zip (Executable, no dependencies)

Installation

Just unpack the selected SwenDeleter distribution in a directory of your
choice and make sure the following requirements are met:

Unix:

  SwenDeleter requires Perl and Graham Barr's Net::POP3 Perl module,
  which can be installed system-wide running the following command as
  root:

    # perl -MCPAN -e 'install Net::POP3'

  or locally following the instructions you'll find in this FAQ:

    $ perldoc -q 'my own module'

  To turn off password echoing Term::ReadKey is needed:

    # perl -MCPAN -e 'install Term::ReadKey'
      
Windows:

  The precompiled version of SwenDeleter is a self-contained Windows
  executable with no dependencies; it works out of the box.

  If you downloaded the source code, Perl must be installed on the
  computer. Install ActivePerl from

    http://www.activeperl.com

  ActivePerl already comes with Net::POP3, but to turn off password
  echoing Term::ReadKey is needed; run this in a command line:

    C:\>ppm install TermReadKey

  (That's right, no colons.)

OS/2:

  Please, see the instructions in README.OS2.

Usage

Usage of the source code version (platform independent):

  perl swendeleter.pl [options]

Usage of the precompiled version for Windows:

  swendeleter [options]

Windows users have to execute those commands from a command line prompt
(Start -> Run -> <type "cmd" in the text field>).

Options:

    -s pop3_server
       Sets the POP3 server. The program will ask it if unset.

    -l login
       Sets the login. The program will ask it if unset.

    -p password
       Sets the password. The program will ask for it if unset and, if
       the terminal supports it, the prompt won't echo it. Just try and
       see if it works in your system (tested in Linux, Windows XP, and
       Mac OS X). Bear in mind that a password given with -p can be seen
       by other users of the machine in the process list and may end up
       in your shell history, so prefer the prompt when you can.

    -t threshold_in_bytes
       Messages whose size in bytes is strictly less than this value are
       assumed not to be infected. Defaults to the size of the worm
       (106496 bytes). The option exists mainly so the threshold can be
       raised. Setting it below the default gains nothing, since no
       infected mail can be smaller than the worm it carries, and only
       exposes more legitimate mail to the heuristics; raising it above
       the size of the infected mails that actually arrive will cause
       false negatives.

    -h
       Enables highlighting of identified patterns in suspicious headers.

    -n
       Turns nonstop mode on, which deletes all suspicious mail without
       confirmation.

Overview

This POP3 filter tries to identify mails containing the Swen.A worm
(also known as Gibe.E), taking into account the message size and some
patterns in the headers. Only messages at least as large as the worm
itself (106496 bytes, close to 105K) are inspected.

The objective is to _avoid their download_, which is desirable in slow
connections where a few MBs of mail can take a few minutes to get.

The filter can run in interactive mode, showing the patterns found and
asking the user for deletion on the server, or in nonstop mode, which
deletes any suspicious mails automatically, being suitable for nightly
removals scheduled with cron(8). See usage above.

In interactive mode messages are NOT actually deleted from the server
until all messages have been inspected and the user confirms the
deletion.

Please bear in mind that, since we do not download the mails, the tests
are not infallible, so run the filter in nonstop mode at your own risk.

In any case _no mails are actually downloaded_, so after the filtering
normal email can be retrieved from the everyday mail client as usual.
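As an added illustration (example code written for this page, not SwenDeleter's own Perl), the following Python script applies the same header-only approach: LIST gives the sizes, TOP with zero body lines gives the headers of the messages at or above the threshold, and DELE marks the suspicious ones, either immediately (nonstop) or after a confirmation once every message has been inspected. The header patterns are placeholders assumed for the example and are not the patterns swendeleter.pl uses; SAMPLE_MAILBOX is constructed data, and FakeMailbox is an offline stand-in for poplib.POP3 so the script can run without a server.

```python
# Header-only POP3 worm filter: an added example in the spirit of the page's
# description, not SwenDeleter's own code. Assumed: the placeholder header patterns,
# the constructed SAMPLE_MAILBOX, and FakeMailbox, an offline poplib.POP3 stand-in.
import poplib
import re

SWEN_SIZE = 106496   # bytes: size of the Swen.A executable, the page's default -t

SUSPICIOUS = {       # placeholder patterns (assumed), not swendeleter.pl's
    "from": re.compile(r"microsoft|ms .*support", re.I),
    "subject": re.compile(r"security (update|pack)|patch", re.I),
}
REQUIRED = ("from", "to", "subject")   # absence is taken as a sign of infection

def parse_headers(raw_lines):
    """Turn the bytes lines TOP returned into {lowercase-name: value}, unfolding continuations."""
    headers, last = {}, None
    for line in raw_lines:
        line = line.decode("latin-1", "replace")
        if line == "":                      # blank line: end of the header block
            break
        if line[0] in " \t" and last:       # folded continuation of the previous header
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def classify(size, headers, threshold=SWEN_SIZE):
    """Return (suspicious, reasons); anything below the threshold is assumed clean."""
    if size < threshold:
        return False, ["below threshold"]
    reasons = [f"missing {name}:" for name in REQUIRED if name not in headers]
    for name, pattern in SUSPICIOUS.items():
        hit = pattern.search(headers.get(name, ""))
        if hit:
            reasons.append(f"{name}: matches {hit.group(0)!r}")
    return bool(reasons), reasons

def scan_mailbox(box, threshold=SWEN_SIZE, nonstop=False, confirm=lambda hits: True):
    """LIST, then TOP only messages of at least threshold bytes, then DELE the suspicious
    ones: at once in nonstop mode, or after confirm(hits) agrees once all are inspected."""
    _, listing, _ = box.list()                 # one b"<num> <size>" entry per message
    hits, deleted = {}, []
    for entry in listing:
        num, size = (int(x) for x in entry.split()[:2])
        if size < threshold:
            continue                           # not even its headers are fetched
        _, lines, _ = box.top(num, 0)          # TOP num 0: headers, no body lines
        suspicious, reasons = classify(size, parse_headers(lines), threshold)
        if suspicious:
            hits[num] = reasons
            if nonstop:
                box.dele(num)
                deleted.append(num)
    if not nonstop and hits and confirm(hits):
        for num in hits:
            box.dele(num)
            deleted.append(num)
    return deleted                             # the server drops them for real on QUIT

# Constructed sample data (sizes in bytes, header lines), not real captures.
SAMPLE_MAILBOX = [
    (2_800, [b"From: alice@example.org", b"To: bob@example.org", b"Subject: lunch?"]),
    (150_000, [b"From: MS Customer Support <support@example.com>", b"To: bob@example.org",
               b"Subject: Latest Internet Security Pack", b"Content-Type: multipart/mixed"]),
    (160_000, [b"From: carol@example.org", b"To: bob@example.org",
               b"Subject: photos from the trip", b"Content-Type: multipart/mixed"]),
    (120_000, [b"From: noreply@example.net", b"Content-Type: multipart/mixed"]),  # no To:/Subject:
]

class FakeMailbox:                             # offline stand-in for poplib.POP3
    def __init__(self, messages):
        self.messages, self.deleted = list(messages), set()
    def list(self):
        lines = [f"{n} {size}".encode() for n, (size, _) in enumerate(self.messages, 1)
                 if n not in self.deleted]
        return b"+OK", lines, sum(map(len, lines))
    def top(self, num, howmuch):
        size, headers = self.messages[num - 1]
        return b"+OK", headers + [b""], size   # headers, then the empty separator line
    def dele(self, num):
        self.deleted.add(num)
        return b"+OK"

if __name__ == "__main__":
    import getpass, sys
    if len(sys.argv) != 3:                     # no server given: run on the constructed mailbox
        print("offline demo deleted:", scan_mailbox(FakeMailbox(SAMPLE_MAILBOX), nonstop=True))
        sys.exit()
    box = poplib.POP3(sys.argv[1])             # assumed usage: script.py pop3_host login
    box.user(sys.argv[2])
    box.pass_(getpass.getpass())               # prompt rather than a password in argv
    print("deleted:", scan_mailbox(box, confirm=lambda h: input(f"delete {len(h)}? [y/N] ") == "y"))
    box.quit()                                 # QUIT is what commits the DELEs
```

Run without arguments it filters the constructed mailbox; given a host and a login it connects for real and prompts for the password. POP3 only removes DELEted messages when the session ends with QUIT, so a connection that drops before that leaves everything in place, which is also what makes it safe for the interactive mode to defer the decision until every message has been seen.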

The heuristics we use are based on the worm studies published in

   http://www.f-secure.com/v-descs/swen.shtml
   http://www.pandasoftware.es/virus_info/enciclopedia/verficha.aspx?lst=det&idvirus=40743
   http://viruslist.com/eng/viruslist.html?id=88029

In particular, some ~14K messages I have received that look similar
are NOT being filtered with the default settings. The worm's size is
105K, so I am not even sure those small mails have anything to do with
Swen at all.

Full scanners, such as the SpamAssassin rules and similar configurations
being published in some forums, inspect the full email, which implies
downloading it. They can fight the worm with more information and thus
more effectively, so use them if you can and don't mind the download.

Otherwise, this script has proven to be a superb help to me.

Feedback

Feedback is becoming the most important driver of this project, the
improvements, bug fixes, and frequent updates wouldn't be possible
without the contributions I am receiving. Thank you all!!!

As new releases are published the filter gets better and better, but to
fight the worm effectively your collaboration is very important. If you
get a false negative whose size is greater than 105K, please send me the
headers!

Updates

If you would like to be notified of new releases by mail please get a
userid in Freshmeat, go to

  http://freshmeat.net/projects/swendeleter

and click on "Subscribe to new releases". It's in the central
gray box to the right.

ChangeLog

Version 1.4.1:
	* Fixed threshold handling (thanks to Urlap Urlap).

Version 1.4:
	* Minor documentation improvements.
	* Minor logging fixes.
	* New -t option to configure size threshold.
	* New -h to enable highlighting.
	* Server, login, and password, can be entered interactively.

Version 1.3:
	* Automated testing and database of headers for regressions.
	* Some refactoring.
	* Patterns revised taking a third study into account (thanks to
	  Maurice Lanselle) and some false negatives.
	* Fixed a bug related to qr//i that caused some false negatives
	  (thanks to Ron Newman).
	* Non-existing relevant headers are taken as an indication of infection.
	* We no longer assume From:, To:, and Subject: exist (that gave
	  some warnings about the use of uninitialized values).
	* Code clean up.
	* Fixed a bug that disabled ANSI escape sequences on Mac OS X
	  (thanks to Spoon from Freenode#perl).

Version 1.2:
	* Patterns are stronger.
	* README.OS2 added (thanks to Franz Bakan).
	* Code clean up.
	* Better performance.
	* New -v option prints version.

Version 1.1:
	* Home page update.
	* Zip files for Windows are generated.
	* Precompiled binaries for Windows are distributed.
	* Settings are passed as parameters.

Version 1.0:
	* Initial release.

Copyright

Copyright (c) 2003 Xavier Noria. All rights reserved. This program is
free software; you can redistribute it and/or modify it under the same
terms as Perl itself.