MyDoom mailbox cleanup as a learning experience

By David on January 27, 2004 9:04 PM

When I chose my PopClean.java mailbox cleaner utility as the subject of the first entry of my new blog, I didn't think I'd be using it again just a few days later....

A good spam filter will delete these messages for you, but if you do your filtering on the client side, then you still have to download all the spam. My utility is based on the fact that virus-spawned spam has predictable subject lines and sizes. It deletes the messages directly from the POP mailbox without ever downloading them.

If you're going to have to delete a bunch of virus-generated messages from your inbox, you might as well make a learning experience out of it. Here's what I did to clean my mailbox...

Before you go any further, though, know that this is not production code, and you use it at your own risk. It works for me, and it is an educational exploration of Java networking and the POP3 protocol. But it permanently deletes data and if you misuse it (or if it has bugs that I don't know about) you could lose email messages. Instead of just compiling and running the code, I suggest you read it through, learn from it, and then decide if you want to use it.

With that said, here's how I used it. First, I poked noticed that the MyDoom messages I had already deleted had subject lines like "hi", "hello" and "test" (and also in initial capitals and all caps). I telnetted to my POP server to inspect the size of some of these messages and found (from a small sample) that they appeared to be between about 32,000 and 32,500 bytes long.

With that data in hand, I invoked PopClean like this (a single command line wrapped to 2 lines): 

java PopClean -host pop.example.com -user dflanagan -pass notreally 
              
-size 32000 -subject "(?i)(hi|hello|test)" -list

The -size argument tells PopClean to only consider messages longer than 32,000 bytes. (I don't have an option for a maximum size, only a minimum size.) The -subject argument is a java.util.regex.Pattern regular expression. The "(?i)" makes the match case-insensitive.

The -list argument in the command-line above tells PopClean to just list matching (size and subject line) messages. Once I was satisfied that PopClean was matching the messages I wanted and not others, I took the -list argument away. PopClean printed: 

Connecting to pop.example.com on port 110 with username dflanagan.
Will delete all messages longer than 32000 bytes
that have a subject matching: [(?i)(hi|hello|test)]
 
Do you want to proceed (y/n) [n]:

I happily responded with 'y', and saw 368 messages that looked like this: 

Deleted message 3276: test
Deleted message 3279: hi
Deleted message 3280: TEST
Deleted message 3281: Hello
Deleted message 3283: hi
Deleted message 3289: test
Deleted message 3290: hi
Deleted message 3296: Test
Deleted message 3298: test
Deleted message 3299: Hello

Bliss!

Books

Comprehensive coverage of Ruby 1.8 and 1.9

"The New Most Important Ruby Book"
Peter Cooper,
rubyinside.com

Completely updated for Ajax and Web 2.0

"A must-have reference"
Brendan Eich,
creator of JavaScript

The classic Java quick-reference