<?xml version="1.0"?><rss version="2.0">
<channel>
  <title>Alan&#039;s Ramblings - spam tag</title>
  <link>http://bleaklow.com:80/tags/spam/</link>
  <description>My opinions may be incorrect, but they are my own</description>
  <language>en</language>
  <copyright>Alan Burlison</copyright>
  <lastBuildDate>Wed, 29 Feb 2012 20:50:00 GMT</lastBuildDate>
  <generator>Pebble (http://pebble.sourceforge.net)</generator>
  <docs>http://backend.userland.com/rss</docs>
  <image>
    <url>http://bleaklow.com/images/misc/logo.gif</url>
    <title>Alan&#039;s Ramblings</title>
    <link>http://bleaklow.com:80/</link>
  </image>
  <item>
    <title>Procmail and obfusticated spam</title>
    <link>http://bleaklow.com:80/2003/09/03/procmail_and_obfusticated_spam.html</link>
    <description>
          &lt;p&gt;
As a result of the &lt;a href=&#034;2003/09/01/sobig_f_so_bad.html&#034;&gt;torrent of spam&lt;/a&gt; I&#039;ve been receiving from the Sobig.F virus, my tolerance for spam is at an all-time low.  Like most people I get my share of &#039;medical&#039; spam, offering products to increase, decrease or otherwise modify various parts of my anatomy.  In the past most of these have gone to an email address I have kept for web use and were therefore easy to catch, but I&#039;m now starting to get them on my primary email address as well.  I therefore decided to whip up a procmail recipe to deal with them, using a list of keywords and procmail scoring.  However, as I soon learned, the spammers have tried to prevent you doing this by obfuscating the contents of the spam.  They do this by sending out HTML-format emails, and obfuscating the HTML so that a simple keyword match won&#039;t work.  However, with a small perl script and a little bit of procmail magic, this was easily circumvented.  I&#039;ve written this up because I think it shows some useful and underused features of both perl and procmail.  If you are interested, read on.
&lt;/p&gt;</description>
      <category>Tech</category>
    <category>Perl</category>
    <comments>http://bleaklow.com:80/2003/09/03/procmail_and_obfusticated_spam.html#comments</comments>
    <guid isPermaLink="true">http://bleaklow.com:80/2003/09/03/procmail_and_obfusticated_spam.html</guid>
    <pubDate>Wed, 03 Sep 2003 04:14:53 GMT</pubDate>
  </item>
  <item>
    <title>Sobig.F ... So bad</title>
    <link>http://bleaklow.com:80/2003/09/01/sobig_f_so_bad.html</link>
    <description>
          &lt;p&gt;
&lt;img alt=&#034;scary email&#034; src=&#034;images/2003/scary_email.gif&#034; width=&#034;200&#034; height=&#034;200&#034; border=&#034;0&#034; /&gt;
&lt;/p&gt;&lt;p&gt;
I&#039;ve been away on holiday for the last two weeks, and when I got back on Saturday I tried to access my email at work - big, big mistake.  I have some &lt;a href=&#034;http://www.procmail.org&#034;&gt;procmail&lt;/a&gt; filters that catch most of my spam and put them in a separate folder.  This filled up with 2Gb (!) of spam - mostly Sobig.F, then procmail wrote another 2.5Gb of spam into some other files for good measure (filling up the filesystem containing my home directory) and then started to dump everything in my inbox - which also filled up to 2Gb.  When I tried to open my inbox, the IMAP server blew a fuse and started dropping 2Gb copies of my inbox on the mailserver, which also filled up - then &lt;strong&gt;nobody&lt;/strong&gt; in my office could use email either.  Fortunately it was the weekend, so with the help of a friendly IT support person I managed to unclog my home directory and inbox, leaving me with the mind-numbing task of wading through the 35,000 messages that had ended up in my inbox.
&lt;/p&gt;&lt;p&gt;
After the immediate panic was over I started monitoring the incoming stream of spam.  Nearly all of it is Sobig.F or the consequential email bounces caused by it - I&#039;m getting about 1/2Gb of spam (about 6000 messages) a day, which is absolutely ridiculous.  Nicholas Clark, a friend of mine, has received over 100,000 copies of Sobig.F since the outbreak started, yet we are told the outbreak is not all that bad!
&lt;/p&gt;&lt;p&gt;
The direct spams are bad enough, but the bounced emails are the last straw.  One of the nasty traits of Sobig.F is that it forges the &#039;From:&#039; line in the virus-laden emails it spews out.  Why do all the people who set up email filtering insist on sending back bounce messages, when 99% of the time the &#039;From:&#039; address is incorrect?  This widespread practice is pointless and only increases the amount of crap clogging up everyone&#039;s bandwidth and mailboxes.
&lt;/p&gt;&lt;p&gt;
Anyway, if anyone else out there in spamland uses procmail, the following recipe will catch Sobig.F:
&lt;/p&gt;&lt;pre&gt;
# Sobig.F recipe: the H and B flags make every condition below match against
# both the headers and the body of the message.  The X-MailScanner header is
# specific to the author&#039;s own mail gateway.  The two long conditions match
# the start of the base64-encoded Win32 executable attachment (the DOS &#039;MZ&#039;
# header and its &#039;This program cannot be run in DOS mode&#039; stub).
:0 HB
* ^X-Mailer: Microsoft Outlook Express 6.00.2600.0000
* ^X-MailScanner: Found to be clean
* ^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
* ^AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
Spam
&lt;/pre&gt;
</description>
      <category>Tech</category>
    <comments>http://bleaklow.com:80/2003/09/01/sobig_f_so_bad.html#comments</comments>
    <guid isPermaLink="true">http://bleaklow.com:80/2003/09/01/sobig_f_so_bad.html</guid>
    <pubDate>Mon, 01 Sep 2003 09:03:00 GMT</pubDate>
  </item>
  </channel>
</rss>

