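#!/usr/bin/perl
# pubcam: Extract any attachments from SirCam from a UNIX mbox file,
# and produce an index.php listing the files and whose address
# they came from.
#
# requires MIME::Base64 module from CPAN.
#
# public domain, do what you like with it.  I suggest you change the text
# in sub html_(head|tail) before publishing HTML generated by this.
# If you fancy making it posher (e.g. sort the list) go ahead.

## output slightly modified by pgl@yoyo.org

# Review notes on this copy:
#  * Every value taken from the mbox (attachment filename, From:, Date:)
#    is sender-controlled.  The filename is reduced to a conservative
#    basename before it is used as a path, and all three values are
#    HTML-escaped before they are written to index.php, which the web
#    server hands to the PHP interpreter.
#  * The SirCam prefix is stripped in Perl while decoding, so no temporary
#    file in /tmp and no shell command are needed.
#  * The readline operators and the HTML tags were missing from the copy
#    this was reviewed from; the markup below is a plain reconstruction
#    around the original wording, not the original markup.
#  * NOTE(review): extracted files are untrusted content.  Only the last
#    extension is removed, so a name can still end in something the web
#    server treats as executable -- extract into a directory that is
#    served as static files only.

use warnings;
use strict;
use MIME::Base64;

my $mbox = shift;
defined $mbox or die "Usage: pubcam mbox-file\n";

# Three-argument open: the path is taken literally, so a leading '>' or a
# trailing '|' in the argument cannot change the open mode.
open my $mbox_fh, '<', $mbox or die "Could not open $mbox: $!";

my %culprits = ();          # filename => escaped sender address
my %dates    = ();          # filename => raw Date: header value
my $sircam   = 0;           # set once the SirCam greeting has been seen
my $address  = "Unknown";
my $date     = "Unknown";

while (my $line = <$mbox_fh>) {
    $line =~ m/^From: *(.*)/i and $address = $1;
    $line =~ m/^Date: *(.*)/i and $date = $1;

    # detect sircamness, you may need to add more of these lines, e.g.
    # for the spanish version, which I have not seen
    $line =~ m/Hi! How are you/ and $sircam = 1;

    if ($sircam
        and $line =~ m/^Content-Disposition: attachment; *filename=(.*)/i)
    {
        my $filename = safe_filename($1);

        $culprits{$filename} = html_escape(cowardify_address($address));
        $dates{$filename}    = $date;

        # read on to start of base64
        while (defined(my $skipped = <$mbox_fh>)) {
            last if $skipped =~ /^\s*$/;
        }

        extractfile($filename);
        $sircam = 0;        # reset for next time
    }
}
close $mbox_fh;

print "Writing index.php\n";
open my $html_fh, '>', 'index.php'
    or die "Could not open index.php for writing: $!";
print {$html_fh} html_head();
print {$html_fh}
    "<table>\n<tr><th>Filename</th><th>From</th><th>Date</th></tr>\n";
for my $fn (sort keys %culprits) {
    # $culprits{$fn} was escaped when it was stored; the filename and the
    # date come from the same message and are escaped here.
    print {$html_fh} '<tr><td>', html_escape($fn),
        '</td><td>', $culprits{$fn},
        '</td><td>', html_escape($dates{$fn}), "</td></tr>\n";
}
print {$html_fh} "</table>\n";
print {$html_fh} html_tail();
close $html_fh or die "Could not finish writing index.php: $!";

# Turn the filename parameter of a Content-Disposition header into a name
# that is safe to create in the current directory.
#   $name - raw text captured after "filename="
# Returns a non-empty name made only of [A-Za-z0-9._-] that does not start
# with '.' or '-'.
sub safe_filename {
    my $name = shift;

    $name =~ s/"//g;
    $name =~ s/\s/_/g;
    $name =~ s/\.[^\.]*$//;             # lose last extension

    $name =~ s{.*[/\\]}{};              # keep the basename only
    $name =~ s/[^A-Za-z0-9._-]/_/g;     # no shell or path metacharacters
    $name =~ s/^[.-]+//;                # no dotfiles, nothing option-like
    $name = substr($name, 0, 200);
    $name = 'unnamed' if $name eq '';

    return $name;
}

# Decode the base64 body that follows on the mbox handle and write it to
# $fn in the current directory, leaving out the first 512*268 bytes (the
# length of the SirCam executable that precedes the attached document).
#   $fn - output name; must already be a plain, safe basename
# Dies if the name is not a safe basename or the file cannot be written.
sub extractfile {
    my $fn = shift;

    my $ac_len = 0;             # accumulated length of decoded b64
    my $sc_len = 512 * 268;     # length of sircam virus

    # Checked again here so this sub never writes outside the current
    # directory, whatever the caller passed.
    $fn =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/
        or die "Refusing unsafe output filename\n";

    print "Stripping virus and writing to $fn\n";
    open my $out, '>', $fn or die "Could not open $fn for writing: $!";
    binmode $out;

    while (my $b64 = <$mbox_fh>) {
        # A blank line ends the body; so does a MIME boundary line, which
        # starts with "--" ('-' is not in the base64 alphabet).
        last if $b64 =~ /^\s*$/ or $b64 =~ /^--/;

        my $chunk     = decode_base64($b64);
        my $chunk_len = length $chunk;

        if ($ac_len + $chunk_len <= $sc_len) {
            $ac_len += $chunk_len;      # still inside the virus prefix
            next;
        }

        my $offset = $ac_len < $sc_len ? $sc_len - $ac_len : 0;
        print {$out} substr($chunk, $offset)
            or die "Could not write to $fn: $!";
        $ac_len += $chunk_len;
    }

    close $out or die "Could not finish writing $fn: $!";
    return;
}

# Escape text for use in HTML element content or a quoted attribute.
# '&' is replaced first so the entities added afterwards stay intact.
sub html_escape {
    my $in = shift;
    $in =~ s/&/&amp;/g;
    $in =~ s/</&lt;/g;
    $in =~ s/>/&gt;/g;
    $in =~ s/"/&quot;/g;
    $in =~ s/'/&#39;/g;
    return $in;
}

# Returns the sender address unchanged.  The substitution that replaces
# everything after the '@' with "..." is commented out in this copy.
sub cowardify_address {
    my $in = shift;
    #$in =~ s/@[^>]*/@\.\.\./;
    return $in;
}

# Static HTML written before the table of extracted files.
sub html_head {
    return <<'END_HTML';
<html>
<head>
<title>things sircam has sent me</title>
</head>
<body>
<h1>Things SirCam has sent me</h1>

<p>[ other stuff ]</p>

<p>I found out about this script on ntk and downloaded it from http://www.hartnup.net/pubcam/pubcam. this guy has his own page up that's been produced by this script: http://www.hartnup.net/sircam/.</p>

<p>there's a few small changes made to the script, mostly affecting the output. also, the script originally removed the last part of each email address to save the sender's privacy, but I commented that bit out; I've never heard of any of the people that sent me an email with a sircam virus attached, so how on earth did I get in to their address book unless I was on one of their spam lists?</p>

<p>the modified copy of the script can be found here: pubcam.pl</p>

<p>to "lisaS" (real name "laura selby", I think): I hope she got it all sorted with lee.</p>

END_HTML
}

# Static HTML written after the table of extracted files.
sub html_tail {
    return <<'END_HTML';
<p>If you have the SirCam virus, do yourself a favour:</p>
<ol>
<li>Configure your mail reader so it doesn't hide double extensions. SirCam sends things called (e.g.)"my secrets.doc.exe". Your mail reader might hide the ".exe" so you think it's just "my secrets.doc", and open it.</li>
<li>Think carefully before opening attachments anyway</li>
<li>Get an antivirus program, and run it. And keep running it regularly.</li>
</ol>
</body>
</html>
END_HTML
}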