The more we hear about the Sobig virus, the more people are saying how creative it is. It reads MX records. It's got its own mail server. That's all fine and good but if we look at the email headers, we see where the virus writer skimped to save time. The headers are rather uniform. Yes, the subject changes, but there are actually only eight subjects and they're all the same (basically).
Let's look at the subjects first. Stripped of their Re: prefixes, there are only eight of them:
Your details, Details, My details, Approved, Wicked screensaver, That movie, Your application, Thank you!
That gives us the following pattern:
^(Re: ?)*(Your details|Details|My details|Approved|Wicked screensaver|That movie|Your application|Thank you!)[[:space:]]*$
What this pattern says is that a line starts with zero or more "Re: " prefixes, followed by one of the subjects in question, followed by zero or more spaces. That's the entire subject. I've tested this against many thousands of messages and it has not failed once. (We'll talk about how to use this in a few moments.)
There are other things in the header that can be examined as well. The Date header is wrong about half of the time: a negative time zone offset is written with a doubled minus sign. No 'real' mail program does this.
Date: Wed, 20 Aug 2003 12:32:18 --0500
Additionally, the following 5 mail headers exist in every instance of the spam in this exact order:
The X-MailScanner header (a custom header, not specified in the RFC) is always present and always says the same thing. This is designed to fool software that looks for such a header and assumes it to be true, i.e., that the contents are safe. The X-Mailer header is always that particular version of Outlook Express. This is to make it look like a 'real' email sent by Outlook. I'm not going to go into RegEx patterns for these, but if you need them, they're there.
Now the question is, how can we use this information to automatically detect and delete the virus?
Here is the code we would end up with:
<cfpop action="GETHEADERONLY" name="qSpam" server="houseoffusion.com"
       timeout="180" username="bh@houseoffusion.com" password="password">
<!--- our list of spam message numbers --->
<CFSET lSpam="">
<CFLOOP query="qSpam">
    <!--- any number of "Re: " prefixes, one of the eight subjects, optional trailing whitespace, end of line --->
    <CFIF REFind('^(Re: ?)*(Your details|Details|My details|Approved|Wicked screensaver|That movie|Your application|Thank you!)[[:space:]]*$', subject)>
        <CFSET lSpam=ListAppend(lSpam, messagenumber)>
    </CFIF>
</CFLOOP>
<!--- delete every matching message from the server in one call --->
<CFIF Len(lSpam)>
    <cfpop action="DELETE" messagenumber="#lSpam#" server="houseoffusion.com"
           timeout="180" username="bh@houseoffusion.com" password="password">
</CFIF>
As we can see, this is a really fast and simple way to clean a virus out of a mailbox, and it can easily be integrated into any type of mail processing code to detect viruses. One fantastic thing about most viruses is that the person who wrote them spends most of their time on the virus itself and not on the email being sent. A little rotation of the subject is not enough to really hide the fact that it is a virus. As we saw with this virus, one line of code can detect it with 100% accuracy just from the subject. The same is true of most other email viruses around. The same is true of most spam, for that matter. Simple pattern analysis of the headers can show what an email truly is, and that can be used as the basis of many applications. We have a server-side anti-spam package that people can use to view their email that is based totally on this concept. But that is a topic for another day. : )
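The same header checks, as an added Python example that is not part of the original article or its ColdFusion code: the subject pattern from above, the doubled-minus Date offset, and the presence of the X-MailScanner and X-Mailer headers, run over two constructed messages. The X-MailScanner value and the Outlook Express version string in the sample are made up, since the article does not quote them, so the code only tests for the header's presence and for "Outlook Express" in X-Mailer.

```python
import re
from email import message_from_string

# Subject pattern from the article: any number of "Re: " prefixes, one of the
# eight Sobig subjects, optional trailing whitespace, and nothing else.
SOBIG_SUBJECT = re.compile(
    r'^(Re: ?)*(Your details|Details|My details|Approved|Wicked screensaver|'
    r'That movie|Your application|Thank you!)\s*$'
)

# A Date header whose numeric zone carries a doubled minus, e.g. "--0500".
DOUBLED_MINUS_ZONE = re.compile(r'--\d{4}\s*$')


def sobig_indicators(raw: str) -> list[str]:
    """Return the names of the header checks that fire for one raw message."""
    msg = message_from_string(raw)
    hits = []
    if SOBIG_SUBJECT.match(msg.get('Subject', '')):
        hits.append('subject')
    if DOUBLED_MINUS_ZONE.search(msg.get('Date', '')):
        hits.append('date-zone')
    # Presence only: the article says the header is always there with a fixed
    # value but does not quote the value.
    if 'X-MailScanner' in msg:
        hits.append('x-mailscanner')
    # Assumption: the fixed X-Mailer value names Outlook Express.
    if 'Outlook Express' in msg.get('X-Mailer', ''):
        hits.append('x-mailer')
    return hits


def is_sobig(raw: str) -> bool:
    """The article's rule: the subject alone decides; the rest corroborates."""
    return 'subject' in sobig_indicators(raw)


# Constructed sample messages (not captured traffic). Header values other
# than the Subject and Date patterns are placeholders.
SAMPLE_VIRUS = """\
Date: Wed, 20 Aug 2003 12:32:18 --0500
From: someone@example.invalid
To: bh@example.invalid
Subject: Re: Re: Wicked screensaver
X-MailScanner: placeholder-value
X-Mailer: Microsoft Outlook Express 0.00.0000.0000

See the attached file for details.
"""

SAMPLE_LEGIT = """\
Date: Wed, 20 Aug 2003 12:32:18 -0500
From: colleague@example.invalid
To: bh@example.invalid
Subject: Re: Your details for the conference
X-Mailer: Microsoft Outlook Express 0.00.0000.0000

Can you send me your details for the conference badge?
"""

if __name__ == '__main__':
    for name, raw in (('virus', SAMPLE_VIRUS), ('legit', SAMPLE_LEGIT)):
        print(name, is_sobig(raw), sobig_indicators(raw))
```

Note that the trailing `$` in the subject pattern is what keeps the legitimate "Re: Your details for the conference" from matching; the X-Mailer check fires on both messages, which is why it is only corroboration and not the deciding rule.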