Tales and thoughts from the founder of NormSoft (maker of Pocket Tunes), working and living in St. Croix, USVI

Thursday, March 04, 2004

Virus Block

Hmm, my blog is turning into a list of complaints about email.  I promise to post something Palm-related soon!

So I finally got fed up with all the viruses I've been getting via email lately (several hundred per day; it makes my Treo 600 nearly useless for receiving emails), so I wrote a Perl script and filtered all my email through it.  Any email with an attachment that ends with .com, .exe, .scr, .bat, or .pif will be blocked.  Unfortunately, that doesn't cover the new viruses like Netsky that send ZIP files.  After some thought (and copious searching of CPAN for useful modules), I added code to extract ZIP attachments from all emails received and parse the contents.  Here's the algorithm I used:

  • If the ZIP file contains a .com, .scr or .pif file, it's blocked.  No one sends those files these days.
  • If the ZIP file contains a .exe file, then check to see if it has a double-extension (e.g. ".htm.exe").  If so, block it.
Netsky sometimes sends out viruses that are in ZIP files without a double extension (e.g. document.exe inside document.zip).  So those will get through.  But I think I've hit about 99% of the viruses I get every day, so I'm pretty happy with this figure.
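
The rules above, sketched in Python as an added example (this is not the Perl script from the post). The function names, the treatment of unreadable ZIPs, and the sample messages are assumptions made for illustration; only the ZIP's file listing is read, nothing is extracted.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_ATTACHMENT = (".com", ".exe", ".scr", ".bat", ".pif")  # rule for direct attachments
BLOCKED_IN_ZIP = (".com", ".scr", ".pif")                      # rule for files inside a ZIP

def zip_verdict(data):
    """Apply the two ZIP rules to raw ZIP bytes; return a reason, or None to allow."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()  # listing only, no extraction
    except zipfile.BadZipFile:
        return None  # assumption: the post does not say how unreadable ZIPs are handled
    for name in names:
        base = name.lower().rsplit("/", 1)[-1]
        if base.endswith(BLOCKED_IN_ZIP):
            return f"zip contains {base}"
        stem, ext = os.path.splitext(base)
        # Double extension such as "readme.htm.exe": the stem still carries an extension.
        if ext == ".exe" and os.path.splitext(stem)[1]:
            return f"zip contains double-extension {base}"
    return None

def check_message(raw):
    """Return the reason a raw RFC 822 message is blocked, or None if it passes."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_ATTACHMENT):
            return f"attachment {name}"
        if name.endswith(".zip"):
            reason = zip_verdict(part.get_payload(decode=True) or b"")
            if reason:
                return reason
    return None

def sample(attachment_name, inner_name=None):
    """Constructed sample mail; if inner_name is given, the attachment is a ZIP holding it."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    data = b"dummy"
    if inner_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(inner_name, b"dummy")
        data = buf.getvalue()
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
```

`check_message(sample("document.zip", "document.exe"))` returns `None`, which is the single-extension case described above as getting through.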
 
Just in case I'm blocking any legitimate emails, I log all the blocked emails to a directory and email a report to myself once a day.  A quick two-second scan of the subjects is enough to tell me that they're all trash.
 
If you're interested in the Perl code, I'd be happy to share it.  Just send me an email.  It works as a qmail command, but I'm sure you could modify it for your use.
 
