[linux-elitists] Pubcam

Jonathan Corbet corbet-elite@lwn.net
Fri Aug 3 12:59:38 PDT 2001

Given that people were pondering making sircam output public, here's a
little script that I just found (at http://www.hartnup.net/pubcam/pubcam)
via NTK.  But then, you *do* all read NTK, right?


#!/usr/bin/perl -w

# pubcam: Extract any attachments from SirCam from a UNIX mbox file, 
#         and produce an index.html listing the files and whose address
#         they came from.
# requires MIME::Base64 module from CPAN.
# public domain, do what you like with it. I suggest you change the text
# in sub html_(head|tail) before publishing HTML generated by this.
# If you fancy making it posher (e.g. sort the list) go ahead.

use strict;
use MIME::Base64;

my $mbox = shift;

open MBOX, "<", $mbox or die "Could not open $mbox: $!";

my %culprits=();
my %dates=();

my $sircam = 0;
my $address = "Unknown";
my $date = "Unknown";
my $boundary = "none";

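while(my $line=<MBOX>)
{
	$line =~ m/^From: *(.*)/i and $address = $1;
	$line =~ m/^Date: *(.*)/i and $date = $1;

	# detect sircamness, you may need to add more of these lines, e.g.
	# for the spanish version, which I have not seen

	$line =~ m/Hi! How are you/ and $sircam = 1;
	if($line =~ m/^Content-Type: multipart\/mixed; *boundary="(.*)"/i)
	{
		$boundary = $1;
	}

	if($line =~ m/^Content-Disposition: attachment; *filename=(.*)/i
           and $sircam )
	{
		my $filename = $1;
		$filename =~ s/"//g;
		$filename =~ s/\s/_/g;
		$filename =~ s/\.[^\.]*$//; # lose last extension
		# the name comes from an untrusted mail header and is used as a
		# path and a link: keep only safe characters, no leading dots
		$filename =~ s/[^A-Za-z0-9._-]/_/g;
		$filename =~ s/^\.+/_/;
		$filename = "unnamed" if $filename eq "";

		$culprits{$filename} = html_escape(cowardify_address($address));
		$dates{$filename} = html_escape($date);
		# read on to start of base64
		while($line=<MBOX>)
		{
			chomp $line;
			last if $line eq "";
		}
		extractfile($filename);
		$sircam = 0; # reset for next time
	}
}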

print "Writing index.html\n";
open HTML, ">index.html" or die "Could not open index html for writing: $!";
print HTML &html_head;
print HTML "<table border=1><tr><td><strong>Filename</strong><td><strong>From</strong><td><strong>Date</strong>";
foreach my $fn (keys %culprits)
{
	print HTML "<tr><td><a href=\"$fn\">$fn</a><td>$culprits{$fn}<td>$dates{$fn}\n";
}
print HTML "</table>\n";
print HTML &html_tail;
close HTML;

sub extractfile
{
	my $fn = shift;
	my $tmp_fn = "/tmp/$fn.tmp.$$";
	my $ac_len = 0;        # accumulated length of decoded b64
	my $sc_len = 512*268;  # length of sircam virus 

	print "Writing $tmp_fn\n";
	open OUT, ">", $tmp_fn or die "Could not open $tmp_fn for writing: $!";

	# decode base64 lines up to the blank line that ends the attachment
	while(<MBOX>)
	{
		last if $_ =~ /^\s*$/;
		print OUT decode_base64($_);
	}
	close OUT;

	print "Stripping virus and writing to $fn\n";
	# list form of system: no shell ever parses the header-derived name
	system("dd", "bs=512", "skip=268", "if=$tmp_fn", "of=$fn") == 0
		and unlink $tmp_fn;
}


sub html_escape
{
	my $in=shift;
	$in =~ s/</&lt;/g;
	$in =~ s/>/&gt;/g;
	return $in;
}

sub cowardify_address
{
	my $in=shift;
	$in =~ s/@[^>]*/@\.\.\./;
	return $in;
}

sub html_head
{
return "
<head><title>Things SirCam has sent me</title></head>
<h1>Things SirCam has sent me</h1>

I am immune to the SirCam virus. Not only do I not use Windows, but I don't
tend to open attachments which could contain executable code or macros,
without having a good idea what they are first.
Nonetheless, my mailbox has begun to fill up with messages from complete
strangers, as a result of their falling foul of SirCam. I've mailed them
asking them to sort it out. None of them have replied, either to apologise,
ask for further assistance, nothing.
... so I don't feel bad about putting their (possibly private) attachments
up on this web page. In a fit of generosity, I trimmed the culprits' 
email addresses down for publication here.
These files have been stripped of the SirCam virus
(using \"dd bs=512 skip=268\" on Linux) but I can't guarantee they're free 
of any other virus. Remember whose machines they came from originally!
I don't have the programs necessary to view many of these documents, although
I can look at the text content with \"strings\" for a vague idea.
There were quite a few more, but I deleted them, before having the bright 
idea of publishing them here. Shame, one of them was called \"RealGirlShag.zip\".
Maybe I'll get it again; I seem to get several a day.
Have fun.
";
}

sub html_tail
{
return "
If you have the SirCam virus, do yourself a favour:
<li>Configure your mail reader so it doesn't hide double extensions. SirCam 
   sends things called (e.g.)\"my secrets.doc.exe\". Your mail reader might hide
   the \".exe\" so you think it's just \"my secrets.doc\", and open it.
<li>Think carefully before opening attachments anyway
<li>Get an antivirus program, and run it. And keep running it regularly.
You can produce a page like this one with the minimum effort, if you
keep your mail in a UNIX style mbox file, using <a href=\"../pubcam/pubcam\">
PubCam</a>, a Perl script which extracts any SirCam-attached files, strips
off the virus, and produces an index.html file like this one.
";
}
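
An added example (not part of the original post or of pubcam): a Python check that lists the attachments in an mbox whose names carry a document-looking extension followed by an executable one, the "my secrets.doc.exe" pattern that the script's footer text describes. The extension list, the function names and the sample message are assumptions made for illustration.

```python
import email
import mailbox
import re

# Assumed list of extensions Windows runs directly; the page itself names only ".exe".
EXECUTABLE = r"(?:exe|com|bat|pif|lnk|scr)"
# A document-looking extension, then an executable one (optionally space-padded).
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{1,4}\s*\." + EXECUTABLE + r"\s*$", re.I)

def is_double_extension(filename):
    return bool(DOUBLE_EXT.search(filename))

def suspicious_attachments(msg):
    """Return (sender, filename) for each double-extension attachment in msg."""
    sender = str(msg.get("From", "Unknown"))
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # also handles quoted and RFC 2231 names
        if name and is_double_extension(name):
            hits.append((sender, name))
    return hits

def scan_mbox(path):
    """Check every message in a UNIX mbox file; nothing is decoded or written."""
    box = mailbox.mbox(path, create=False)
    try:
        return [hit for msg in box for hit in suspicious_attachments(msg)]
    finally:
        box.close()

# Constructed sample message (not real mail).
SAMPLE = b"""\
From: Some Body <somebody@example.com>
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="my secrets.doc.exe"

AAAA
--XX
Content-Disposition: attachment; filename="minutes.doc"

AAAA
--XX--
"""

if __name__ == "__main__":
    print(suspicious_attachments(email.message_from_bytes(SAMPLE)))
```

Unlike the header regex in the script, the check reads names through the MIME parser, so a filename folded over several header lines or sent in RFC 2231 form is still seen.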
