#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

#include "base64.c"

#define BUFSIZE 32768
#define STRSIZE 128
char buf[BUFSIZE+2+STRSIZE];
char buf2[BUFSIZE+2+STRSIZE];

char subject[STRSIZE+2];
char from[STRSIZE+2];
char to[STRSIZE+2];
char ctype[STRSIZE+2];

//#define DEFAULTHEADER "X-Shad-WormBounceID"

char resultheader[STRSIZE+2]="X-Shad-WormBounceID";
char nospamheader[STRSIZE+2]="X-Shad-Nospam";

/* this function found somewhere on the Net, don't ask me where */
char *strcasestr(char *hailstack, char *needle)
{
   register int lneed = strlen(needle);
   register int lhail = strlen(hailstack);
   register int i;

   for (i = 0; i < lhail; i++) 
      if (!strncasecmp(hailstack + i, needle, lneed))
         return hailstack + i;

   return NULL;
}

void strzero(char*s){bzero(s,STRSIZE+2);}
void transtab(){int t;for(t=0;t<BUFSIZE;t++)if(buf[t]=='\t')buf[t]=' ';}

void strtranshex(char*s)
{ char sc[]="0123456789abcdef";
  while(s[0]){if(strchr(sc,s[0]))s[0]='.';s++;}
}


int getheader(char*target,char*name)
{ char s[STRSIZE+2];
  char*sp;
  strzero(target);
  sprintf(s,"\n%s: ",name);
  sp=strcasestr(buf,s);if(!sp)return 0;sp++;
  sp=strchr(sp,' ');if(!sp)return 0;while(sp[0]==' ')sp++;
  strncpy(target,sp,STRSIZE);
  sp=strchr(target,'\n');if(sp)if(sp[1]==' ')sp[0]=' ';
  sp=strchr(target,'\n');if(sp)sp[0]=0;
  return 1;
}

char*isinbody(char*s)
{ return strstr(buf,s);}

char*isinbodyi(char*s)
{ return strcasestr(buf,s);}

int strcmpp(char*s,char*s1)
{ return !strncmp(s,s1,strlen(s1));}

int strcmppi(char*s,char*s1)
{ return !strncasecmp(s,s1,strlen(s1));}

int isFromPostmaster()
{ if(!strncmp(from,"postmaster",10))return 1;
  if(strcmppi(from,"postmaster@"))return 1;
  if(strcasestr(from,"<postmaster@"))return 1;
  if(strcasestr(from,"not-reply@"))return 1;
  return 0;
}

int isFromMD()
{ if(!strcasecmp(from,"mailer-daemon"))return 1;
  if(strcmppi(from,"mailer-daemon@"))return 1;
  if(strcasestr(from,"<mailer-daemon@"))return 1;
  return 0;
}

int isDeliveryStatus()
{ //if(strcasestr(ctype,"report-type=delivery-status"))return 1;
  if(strcasestr(ctype,"multipart/report"))return 1;
  return 0;
}

/* ======== Identify known content ========= */
char*isMyDoom();


void base64filtercopy(char*si,char*so,int maxlen)
{ while(si[0])
  {if(strchr(b64alpha,si[0]))
   {so[0]=si[0];so++;maxlen--;if(maxlen<=1)break;}
   si++;
  }
  so[0]=0;
}

char*isZipBasedWorm()
{ char*sp,*sp1;
//  char b64alpha[]
  char txtbuf[700];
  char binbuf[516];
  char fname[256];
  static char retmsg[256];
  char*binfile=NULL;
  char*signature=NULL;
  int t;
  int namelen;
  signature=isMyDoom();
  sp=isinbody("\n\nUEs");if(!sp)return signature;
  memset(binbuf,0,512);
  base64filtercopy(sp,txtbuf,670); // FIXME: Kludgy way to handle what the base64 library should do on its own
  decodenBase64(txtbuf,binbuf,512);
  namelen=(unsigned int)binbuf[0x1b]*256+(unsigned int)binbuf[0x1a];
  txtbuf[0]=0;if(signature)snprintf(txtbuf,250,", signature=%s",signature);else strcpy(txtbuf,"; signature=UNKNOWN");
  if(namelen>254){snprintf(retmsg,255,"ZIPfile-overly-long-file-name:%i%s",namelen,txtbuf);return retmsg;}
  if(namelen<2)return "ZIPfile-suspiciously-short-file-name";
  snprintf(fname,namelen+1,binbuf+0x1e);
  binfile=binbuf + 0x1e + namelen;
//  if(!strncmp(binfile,"MZ",2))return "ZIPfile-uncompressed-exefile";
//  if(strstr(fname,"   ."))return "ZIPfile-filename-masking-attempt";
  sp=strrchr(fname,'.');if(sp)
   {if(!strcmp(sp,".exe")){snprintf(retmsg,255,"ZIPfile-exefile-exe:%s%s",fname,txtbuf);return retmsg;}
    if(!strcmp(sp,".scr")){snprintf(retmsg,255,"ZIPfile-exefile-scr:%s%s",fname,txtbuf);return retmsg;}
    if(!strcmp(sp,".pif")){snprintf(retmsg,255,"ZIPfile-exefile-pif:%s%s",fname,txtbuf);return retmsg;}
   }
  if(sp=strstr(fname,"   .")){sp1=strstr(fname,"   ");if(sp1)sp1[1]=0;
                              snprintf(retmsg,255,"ZIPfile-filename-masking-attempt:%s[...]%s%s",fname,sp+2,txtbuf);return retmsg;}
  if(!strncmp(binfile,"MZ",2)){snprintf(retmsg,255,"ZIPfile-uncompressed-exefile:%s%s",fname,txtbuf);return retmsg;}
  return signature;
/*
// DEBUG
  printf("Magic: %02x%02x%02x%02x\n",binbuf[0],binbuf[1],binbuf[2],binbuf[3]);
  printf("MadeBy: %02x\n",binbuf[4]);
  printf("Host OS: %02x\n",binbuf[5]);
  printf("Minver: %02x\n",binbuf[6]);
  printf("Tgt OS: %02x\n",binbuf[7]);
  printf("NameLen: %i %02x-%02x\n",namelen,binbuf[0x1a],binbuf[0x1b]);
  printf("Name: %s\n",fname);
  printf("File: %s\n",binfile);
  for(t=0;t<512;t++){printf("%c",binbuf[t]);}
  printf("\n");
  exit(0);*/
}





char*isMyDoom()
{ char*sp,*sp1,*sp2;
/*
UEsDBAoAAAAAA.....DKJx+eAFgAAABYAA
*/


//                 UEsDBBQAAAAIANSBCTE3Aq1SCQIAAD4EAAAKAAAAcHJpY2UuaHRtbI1U34+aQBB+v+T+hzke
  sp=isinbody("\n\nUEsDBAoAA");if(!sp)
   {sp=isinbody("\n\nUEsDBBQAA");if(!sp)return 0;}
  sp+=2;
  {sp1=strchr(sp+3,'\n');if(sp1)if(sp1-sp<20)return "suspiciously-short-first-MIME-line";}
//  if(!strncmp(sp+18,"",16))return "someotherworm";
//  if(!strncmp(sp+18,"",16))return "someotherworm";
//  if(!strncmp(sp+18,"",16))return "someotherworm";
//  if(!strncmp(sp+18,"",16))return "someotherworm";
//  if(!strncmp(sp+18,"",16))return "someotherworm";
//  if(!strncmp(sp+18,"",16))return "someotherworm";
//  if(!strncmp(sp+18,"",16))return "someotherworm";
//  if(!strncmp(sp+18,"",16))return "someotherworm";
//if(!strncmp(sp+18,"cADhaG0AAGhtAABw",16))return "someotherworm-auto-040331-0235";
//                   UEsDBAoAAAAAAA8Afz B+cADhaG0AAGhtAA BwAAAAZGF0YS5lbWwgICAgICAgICAgICAgICAg
//                   UEsDBAoAAAAAAONGdz CjiB3egHMAAIBzAA BTAAAAZG9jdW1lbnQudHh0ICAgICAgICAgICAg
//                   UEsDBAoAAQAAAABWZD CIBRn3pVUAAJlVAA AJAAAAaXJkc3AuZXhlxNha4wnhlpMp4atcyjOw
//                   UEsDBAoAAQAAAMCiYj Cf4kJRDDAAAAAwAA ALAAAAd2VvYnFtaS5leGVIPkHL8LzqeKqX5MeE
//                   UEsDBAoAAQAAAKANYj AEzD82yFIAALxSAA AMAAAAcXhreXNibHQuc2NyVpqaD2qe7C5n+Fdc
//                   UEsDBAoAAQAAAAB1Yj AqGFhwj1UAAINVAA AKAAAAcWRoc2NlLnNjcmb+UbdN3DI9/xY+2KH2
//                   UEsDBAoAAQAAACBfYj DuLGTOw1EAALdRAA AJAAAAb21nY2guZXhl0ZUFPnqYANPZq8K+eQ7m
//                   UEsDBAoAAAAAAKBVYT Ad5PsPtUMAALVDAA AMAAAAZG9keXJlaWguZXhlTVqQAAMAAAAEAAAA
//                   UEsDBAoAAAAAAIBOYT AaxVJJAD4AAAA+AA AMAAAAcWh2bnN3dG4uZXhlTVqQAAMAAAAEAAAA
//                   UEsDBAoAAAAAAABPYT Au8/9kfEcAAHxHAA AMAAAAdmppd2pzZ3guZXhlTVqQAAMAAAAEAAAA
//                   UEsDBAoAAAAAAMBWXD BKH8ydAD4AAAA+AA AMAAAAbWN4eWFscXAuZXhlTVqQAAMAAAAEAAAA
//                   UEsDBAoAAAAAAG9XWz Be0x3W7YcAAO2HAA B6AAAAcGF5cGFsLnBuZyAgICAgICAgICAgICAgICAg
//                   UEsDBAoAAAAAAKghWz CudsW6AF4AAABeAA ARAAAAbW9vbmxpZ2h0LnR4dC5leGVNWpAAAwAA
//                   UEsDBAoAAAAAAOM7Wj BiZMYWCWMAAAljAA ANAAAAeW91cnMudHh0LmNvbU1akAADAAAABAAA
//                   UEsDBAoAAAAAAAUDWj CA/rWy04sAANOLAA CfAAAAbGlzdC50eHQgICAgICAgICAgICAgICAgICAg
//                   UEsDBAoAAAAAAHh/WD DhHKqS7YcAAO2HAA BwAAAAb2JqZWN0LnR4dCAgICAgICAgICAgICAgICAg
//                   UEsDBAoAAAAAAJh6+C 7KJx+eAFgAAABYAA BWAAAAZG9jdW1lbnQudHh0ICAgICAgICAgICAgICAg
//                   UEsDBAoAAAAAAJd2Uj BdbrAiAFYAAABWAA AKAAAAZGlubmVyLmV4ZU1akAADAAAABAAAAP//
//  if(isinbody("\n\nUEsDBAoAAAAAABN7SD ACQHPJRl8AAEZfAA AHAAAAZG9jLmJhdE1akAADAAAABAAAAP//AAC4AAAA
//  if(isinbody("\n\nUEsDBAoAAAAAABo6Qj AE2y2pAVgAAAFYAA BVAAAAbWVzc2FnZS5kb2MgICAgICAgICAgICAgICAg
//  if(isinbody("\n\nUEsDBAoAAAAAANqFPT DnPgKfcHgAAHB4AA BRAAAAZG9jLmh0bSAgICAgICAgICAgICAgICAgICAg"))return "MyDoom.B";
//  if(isinbody("\n\nUEsDBAoAAAAAADcQQT DKJx+eAFgAAABYAA BSAAAAYm9keS5odG0gICAgICAgICAgICAgICAgICAg"))return "MyDoom.B";
//  if(isinbody("\n\nUEsDBAoAAAAAANAKQT DIfsFoAGQAAABkAA AKAAAAcmVhZG1lLnBpZk1akAADAAAABAAAAP//AAC4"))return "MyDoom.B";
//                   UEsDBAoAAAAIAMBRRD QjK0N+9U0AANpKAA ALAAAAemhuaHBvdC5leGUALgDR/01aAAABAAAA

  sp2=isinbody("filename=\"");if(sp2)
  {int w=0;
    sp1=strchr(sp2,'\n');if(sp1){
    sp1[0]=0;
    if(strchr(sp2,'@'))if(strstr(sp2,".zip\""))w=1;
    sp1[0]='\n';
    if(w)return "MyDoom.M";
  }}
#include "signatures-auto.c"
  return 0;  
}

int isExe()
{
  if(isinbody("\n\nTVoAAAEAA"))return 1;
  if(isinbody("\n\nTVoAAAAAA"))return 1;
  if(isinbody("\n\nTVoAAAQAA"))return 1;
  if(isinbody("\n\nTVoAACQAA"))return 1;
  if(isinbody("\n\nTVoAAD8AA"))return 1;
  if(isinbody("\n\nTVoFAQUAA"))return 1;
  if(isinbody("\n\nTVoIARMAA"))return 1;
  if(isinbody("\n\nTVouARsAA"))return 1;
  if(isinbody("\n\nTVpAALQAc"))return 1;
  if(isinbody("\n\nTVpQAAIAA"))return 1;
  if(isinbody("\n\nTVpyAXkAX"))return 1;
  if(isinbody("\n\nTVqQAAMAA"))return 1;
  if(isinbody("\n\nTVqTAAEAA"))return 1;
  if(isinbody("\n\nTVrmAU4AA"))return 1;
  if(isinbody("\n\nTVrhARwAk"))return 1;
  if(isinbody("\n\nTVqQAAMAA"))return 1;
  if(isinbody("\n\nTVqQAAMAA"))return 1;


  if(isinbody("\n\n183GmgAA"))return 1; // Windows Metafile file
                 //TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                 //TVoAACQAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                 //TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAAAAC0TM0hAAAAAAAAAAAAAAAAAAAAAAAA
  return 0;
}


char*isWorm()
{ char*sp;
  sp=isZipBasedWorm();if(sp)return sp;
  if(strcmpp(from,"james@mauriceward.c"))return "james@-worm";
  if(strcmpp(from,"admin@mauriceward.c"))return "admin@-worm";
  if(strcmpp(from,"big@boss.com"))return "big@boss.com-worm";
  if(isinbody("<EMBED SRC=\"cid:"))return "genericEMBED:CID";
  if(isinbodyi("password"))if(isinbodyi("<img"))
    if(isinbodyi("src=\"cid:")||isinbodyi("src=cid:"))
      if(isinbodyi("Content-Type: image/"))
        if(isinbodyi(".zip\"\n\nUEsDBAoA")||isinbodyi(".zip\n\nUEsDBAoA"))return "Bagle-generic-psw-img-zip";
  if(isinbody("<br>Archive  password:  <img  src=\"cid:"))return "Bagle-psw-in-image1";
  if(isinbody("Password is <img src=\"cid:"))return "Bagle-psw-in-image2";
  if(isinbody("<OBJECT "))if(isinbody("STYLE=\"display:none\""))if(isinbody(" DATA=\"http://"))if(isinbody(":81/"))return "genericOBJECT:nodisplay";
  if(isinbody("\n\nZGltIGZpbGVzeXMsIGZpbGV0eHQsIGdldG5hbWUsIHBhdGgsIHRleHRmaWxlLCBpDQp0ZXh0"))return "Bagle.AB-vbs";
  if(isinbody("\n\nPEhUTUw+DQo8SEVBRD4NCjxUSVRMRT5XaW5kb3dzIFVwZGF0ZTwvVElUTEU+DQo8SFRBOkFQ"))return "Bagle.ab-hta(?)";
  if(isinbody("\n\nThe message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.\n\n"))
    if(isinbody(".zip\"")) return "SomeZipWorm?";
  if(isinbody("Dear user of mauriceward.com,"))
    if(isinbody("Your account has been used to send a huge amount of spam messages during the recent week."))
     if(isinbody("Please follow the instruction in the attachment in order to keep your computer safe."))
      if(isinbody("The mauriceward.com support team."))return "BagleWorm?";
  if(isinbody("\n\nUmFyIRoHAM+QcwAADQAAAAAAAABj43Q"/*ggCcAFEoAAACUAAACHrfSYOcgjzIdMwcAIAAAADEy*/))return "Some-RAR-worm";
//  if(sp=isMyDoom())return sp;
  if(isinbody("\n\n183GmgAA"))return "genericWindowsMetaFile"; // Windows Metafile file
  if(isExe())return "genericExecutableFile";
  if(strcmpp(subject,"1"))if(isinbody("Content-Type: application/octet-stream; name=\"1.txt\""))return "1-worm";
  
  return NULL;
}

char*isWormBounce()
{ char*sp;
  if(strcmpp(subject,"Volk wird nur zum zahlen gebraucht!"))return "Sober.Q spam1";
  if(strcmpp(subject,"The Whore Lived Like a German"))return "Sober.Q spam2";
  if(strcmpp(subject,"Blutige Selbstjustiz"))return "Sober.Q spam3";
  if(strcmpp(subject,"Auf Streife durch den Berliner Wedding"))return "Sober.Q spam4";
  if(strcmpp(subject,"Volk wird nur zum zahlen gebraucht!"))return "Sober.Q spam5";
  if(strcmpp(subject,"S.O.S. Kiez! Polizei schlaegt Alarm"))return "Sober.Q spam6";
  if(strcmpp(subject,"Verbrechen der deutschen Frau"))return "Sober.Q spam7";
  if(strcmpp(subject,"Dresden Bombing Is To Be Regretted Enormously"))return "Sober.Q spam8";
  if(strcmpp(subject,"Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer"))return "Sober.Q spam9";
  if(strcmpp(subject,"Armenian Genocide Plagues Ankara 90 Years On"))return "Sober.Q spam10";
  if(strcmpp(subject,"Paranoider Deutschenmoerder kommt in Psychiatrie"))return "Sober.Q spam11";
  if(strcmpp(subject,"Vorbildliche Aktion"))return "Sober.Q spam12";
  if(strcmpp(subject,"Abwesenheitsnotiz: Paranoider Deutschenmoerder kommt in Psychiatr"))return "Sober.Q spam13";
  if(strcmpp(subject,"Schily ueber Deutschland"))return "Sober.Q spam14";
  if(strcmpp(subject,"4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass"))return "Sober.Q spam15";
  if(strcmpp(subject,"Tuerkei in die EU"))return "Sober.Q spam16";
  if(strcmpp(subject,"Trotz Stellenabbau"))return "Sober.Q spam17";
  if(strcmpp(subject,"Transparenz ist das Mindeste"))return "Sober.Q spam18";
  if(strcmpp(subject,"Du wirst ausspioniert ....!"))return "Sober.Q spam19";
  if(strcmpp(subject,"Multi-Kulturell = Multi-Kriminell"))return "Sober.Q spam20";
  if(strcmpp(subject,"Auslaenderpolitik"))return "Sober.Q spam21";
  if(strcmpp(subject,"Hier sind wir Lehrer die einzigen Auslaender"))return "Sober.Q spam22";
  if(strcmpp(subject,"Gegen das Vergessen"))return "Sober.Q spam23";
  if(strcmpp(subject,"Deutsche werden kuenftig beim Arzt abgezockt"))return "Sober.Q spam24";
  if(strcmpp(subject,"Deutsche Buerger trauen sich nicht ..."))return "Sober.Q spam25";
  if(strcmpp(subject,"<html><body>\nFebruary price"))return "price.worm1";
  if(strcmpp(subject,"<html><body>\nFebruary  price"))return "price.worm2";
//  if(strcmpp(subject,""))return "Sober.Q [Bspam26";
//  if(strcmpp(subject,""))return "Sober.Q spam27";
//  if(strcmpp(subject,""))return "Sober.Q spam28";
//  if(strcmpp(subject,""))return "Sober.Q spam29";
//  if(strcmpp(subject,""))return "Sober.Q spam30";
  //
  if(strcmpp(subject,"MDaemon Warning - Virus Found"))if(isinbody("\nX-MDaemon-Deliver-To:"))return "MDaemon";
  if(isinbody("This message has been scanned by MDaemon AntiVirus and was found to"))if(isinbody("\nX-MDaemon-Deliver-To:"))return "MDaemon";
  if(strcmpp(subject,"VIRUS IN YOUR MAIL"))if(isinbody("\nX-Virus-Scanned:"))return "AMaViS";
  if(strcmpp(subject,"VIRUS ALERT:"))if(isinbody("\nX-Mailer: OdeiaVir"))return "VirusWall";
  if(strcmpp(from,"\"MailScanner\" <postmaster@"))return "MailScanner";
  if(strcmpp(subject,"InterScan NT Alert"))if(isinbody("\nFrom: viruswall"))return "VirusWall";
  if(strcmpp(subject,"InterScan NT Alert"))if(isinbody("\nVirus:"))if(isinbody("\nAction:"))return "InterScan";
  if(strcmpp(subject,"Virus Alert - ScanMail for Lotus Notes --"))if(isinbody("\nVirus:"))return "ScanMail";
  if(strcmpp(subject,"Virus Alert"))if(isinbody("\nVirus:"))return "ScanMail";
  if(strcmpp(subject,"The picture is sent on SMS"))return "Picture-sent-on-SMS worm";
  if(strcmpp(subject,"Virus Detected by Network Associates, Inc. Webshield"))if(isinbody("\nX-Mailer: Network Associates, Inc. Webshield SMTP"))return "WebShield";
  if(strcmpp(subject,"Returned due to virus;"))if(isinbody("\nX-NAI-WebShielde500-mimepp: Attachment removed"))return "WebShielde500";
  if(strcmpp(subject,"## Virus Check Alert ##"))if(strcmpp(from,"JENSVirusCheckService@"))return "JENSVirusCheckService";
  if(strcmpp(subject,""))if(isinbody("MailMarshal Rule: Outbound : Block EXECUTABLE Files"))return "ScanMail";
  if(strcmpp(from,"md.info_virus@"))return "md.info_virus";
  if(strcmpp(from,"virus_msg@"))return "virus_msg";
  if(strcmpp(from,"GateLockX200_CN@trendmicro.com"))return "GateLockX200_CN@trendmicro.com";
  if(strcmpp(from,"\"RAV AntiVirus\" "))if(isinbody("\nX-Mailer: ravmd/"))if(isinbody(" is infected with virus: "))return "RAVantivirus";
  if(strcmpp(from,"Symantec_AntiVirus_for_SMTP_Gateways@"))if(isinbody("\nA virus was found in a message sent by this"))return "SymantecAntivirusForSMTPgateways";
  if(strcmpp(from,"Symantec_AntiVirus_for_SMTP_Gateways@"))if(strcmpp(subject,"Returned mail"))return "SymantecAntivirusForSMTPgateways";
  if(strcmpp(from,"Symantec_AntiVirus_for_SMTP_Gateways@"))if(strcmpp(subject,"Content violation"))return "SymantecAntivirusForSMTPgateways";
  if(strcmpp(from,"SmartFilter"))if(strcmpp(subject,"[Virus Mail]"))return "SmartFilter";
  if(strcmpp(from,"Viruswall@"))if(isinbody(" contains a virus."))return "SmartFilter";
  //if(strcmpp(from,"mailmarshal@"))if(isinbody("Our system has found a possible risk in your e-mail."))return "mailmarshal";
  if(strcmpp(from,"VaMailArmor@"))if(isinbody("Vexira Antivirus has detected the following potentially malicious"))return "VexiraAntivirus";
  if(strcasestr(from,"MXtreme Mail Firewall"))if(isinbody("was stopped and Quarantined because it contains one or more viruses."))return "MXtreme";
  if(isinbody("---- Trend Gatelock "))if(isinbody("I have attached your file."))if(isinbody("Your password is"))return "Gatelock-vs-Netsky";
  if(isFromPostmaster())
     {if(isinbody("InterScan has detected"))return "InterScan";
      if(isinbody("The file you have sent was infected with a virus but InterScan E-Mail VirusWall"))return "InterScan";
      if(isinbody("You sent a message that contained potentially\nharmful content."))return "genericWormBounce";
      if(isinbody("A file attached to this email was removed\nbecause it was infected with a virus."))return "genericWormBounce";
      if(isinbody("Our viruschecker found a VIRUS in your email to "))return "AMaVis";
      if(isinbody("Hi. This is the smtp delivery program."))if(isinbody("\nThe message has been infected virus."))return "magicwinmail";
      if(isinbody("ALERT!!\nThis e-mail contained one or more virus-infected files and have been rejected."))return "genericWormBounce";
      if(isinbody("\nYour message contained a virus. Please do not send us any further messages until your system is clean."))return "genericWormBounce";
      if(isinbody("filename=\"InterScan_SafeStamp.txt\""))return "InterScan";
//      if(isinbody(""))return "genericWormBounce";
     }
  if(isFromMD())
     {if(isinbody("was stopped and Quarantined because it contains one or more viruses."))if(isinbody("\nAttachment:"))return "genericWormBounce";
      if(isinbody("We detected virus in your mail, so we delete your message."))return "genericWormBounce";
      }
  if(strcmppi(subject,"VIRUS ALERT:"))return "genericWormBounce";
  if(isDeliveryStatus())
     {if(isinbody("\nVirus Name:"))return "genericWormBounce";
      if(isinbody("is removed from here because it contains a virus.\n"))return "genericWormBounce";
      if(strcmpp(subject,"BANNED FILENAME ("))return "genericWormBounce.filename";
      if(isinbody("\nVirus:"))return "genericWormBounce";
      if(isinbody("a potentially executable attachment "))return "sf.net";
      if(isinbody("message contains file attachments that are not permitted"))return "Guinevere";
      if(isinbody("TRANSACTION FAILED - Unrepairable Virus Detected."))return "wormBounce.AOL";
      if(isinbody("bevatte bijlage besmet welke besmet was met een virus"))return "wormBounce.dutch";
      if(isinbody("Marshal Rule: Inbound Messages : Block Dangerous Attachments"))return "Mail Marshal";
      if(isinbody("MAILsweeper has found that a "))if(isinbody(" one or more virus"))return "MailSweep";
      if(strcmpp(subject,"NAV detected a virus in a document "))return "NortonAV";
//      if(isinbody(""))return "genericWormBounce";
//      if(isinbody(""))return "genericWormBounce";
     }

//  if(sp=isinbody("Content-Type: text/html; charset=\"ISO-8859-1\"\nContent-Transfer-Encoding: quoted-printable\n\n"
//              "<img src=3Dcid:c3462cb3e71a99a8a7a6fc09508ac2ef>\n\n
//               --=_de403dd1f6ebf8d405aa509eed73067b\nContent-Type: image/gif
  if(sp=isinbody("Content-Type: text/html; charset=\"ISO-8859-1\"\n"
                 "Content-Transfer-Encoding: quoted-printable\n\n"
                 "<img src=3Dcid:"))
	      {char s[256];
	       char s1[]=".D.i.:................................>\n\n--=_................................\nCont.nt-Typ.: im.g./gi.\nCont.nt-Tr";
	       sp=strstr(sp,"3Dcid:");if(sp){strncpy(s,sp,250);s[250]=0;
	       strtranshex(s);
	       if(!strncmp(s,s1,strlen(s1)))return "spam:ImageOnly-HexSeparators";
     }}

  if(isinbodyi("password"))
    {char*sp,*sp1,*sp2;
     sp=strstr(buf,"assword");if(sp){
      sp1=strchr(sp,'\n');if(sp1){
       sp2=strstr(sp," src=\"cid:");if(sp2){
        if(sp2<sp1) return "worm:ImgPasswordedZip001";
    }}}}
  if(isinbodyi("<br>Zip password: <img src=\"cid:"))return "worm:ImgPasswordedZip1";
  if(isinbodyi("<br>Zip  password: <img src=\"cid:"))return "worm:ImgPasswordedZip1a";
  if(isinbodyi("<br>Password - <img src=\"cid:"))return "worm:ImgPasswordedZip2";
  if(isinbodyi("<br>Password -- <img src=\"cid:"))return "worm:ImgPasswordedZip3";
  if(isinbodyi(" Dark Dynamite"))return "spam:DarkDynamite";
  if(isinbody("http://v-girls.net"))return "spam:v-girls.net";
  if(isinbody("http://www.get4fast.com/"))return "spam:www.get4fast.com";
//  if(isinbody("\n\nYmVnaW4gNjY0IEF0dGFjaG1lbn"))return "worm:base64encodedunknown";
  if(isinbody("\n\nYmVnaW4gN"))return "worm:base64encodedunknown";
  if(isinbody("http://www.foraseco.com"))return "spam:www.foraseco.com";
  if(isinbody("http://www.unpraiselk.com"))return "spam:www.unpraiselk.com";
  if(isinbody("http://boardemore.com"))return "spam:boardemore.com";
  if(isinbody("http://www.olympiadhn.com"))return "spam:www.olympiadhn.com";
  if(isinbody("http://www.dryishmm.com"))return "spam:www.dryishmm.com";
  if(isinbody("http://www.lutetiaaj.com"))return "spam:www.lutetiaaj.com";
  return NULL;
}

char*chkNospam()
{
  if(isinbodyi("mawb"))return "MAWB";
  if(isinbodyi("hawb"))return "HAWB";
  if(isinbodyi("prealert"))return "prealert";
  return NULL;
}

void outputheader(char*buf,char*addheader,char*nspheader)
{ 
  char*sp;
//  if((!addheader)||(addheader[0]==0)){printf("%s",buf);return;}
  sp=strstr(buf,"\n\n");if(sp){sp[0]=0;sp++;}
  printf("%s",buf);
  if(sp)
  { if(addheader)if(addheader[0])printf("\n%s: %s",resultheader,addheader);
    if(nspheader)if(nspheader[0])printf("\n%s: %s",nospamheader,nspheader);
    printf("\n%s",sp);
  }  
}

void fpassthru(FILE*f)
{ while(!feof(f))
  {int n;
   n=fread(buf,1,BUFSIZE,f);if(n<0)break;
   fwrite(buf,1,n,stdout);
  }
}

void help()
{ printf(
"WormBounceID v0.1\n"
"Purpose: Identifies harmful code or annoying worm bounces in mails.\n"
"Usage: takes a mail message on stdin, adds header if match found (when piped) or outputs the match to stdout.\n"
"Parameters:\n"
"  -p    passthru mode - pipes message to stdout, adds header (default)\n"
"  -c    classify mode (default) - outputs classification to stdout\n"
"  -r    set result code to 1 if match found\n"
"  -l    log match to syslog\n"
"  -H <header>    sets header to add if match\n"
);
}

int main(int argc,char*argv[])
{ FILE*f;
  char*sp;
  char result[STRSIZE+2]="";
  char nospam[STRSIZE+2]="";
  int readsize=0;
  int o_passthru=1; // act as filter, pipe the message through - default
  int o_classify=0; // classify the message, output only
  int o_resultcode=0; // use return code 1 to indicate worm
  int o_syslog=0; // log match to syslog
  f=stdin;
  //
  {int t;
   char s[256];
   for(t=1;t<argc;t++){
    if(argv[t][0]!='-'){fprintf(stderr,"Error: unrecognized option %s\n",argv[t]);return 1;}
    switch(argv[t][1]){
     case 'p': o_passthru=1;break;
     case 'c': o_classify=1;break; // redundant now
     case 'r': o_resultcode=1;break;
     case 'l': o_syslog=1;break;
     case 'h': help();return 0;break;
     case 'H': strzero(resultheader);snprintf(resultheader,STRSIZE,"%s",argv[t+1]);t++;break;
     default: fprintf(stderr,"Unrecognized option: %s\n",argv[t]);help();return 1;
    }
  }}
  if(o_classify)o_passthru=0; // mutually exclusive
//  fprintf(stderr,"%i%i%i%s\n",o_passthru,o_classify,o_resultcode,resultheader);
  //
  result[0]=0;
  bzero(buf,BUFSIZE+2);
  readsize=fread(buf,1,BUFSIZE,f);if(readsize<0)return 111;
  if(o_passthru)memcpy(buf2,buf,BUFSIZE);
  transtab();
  getheader(subject,"Subject");
  getheader(from,"From");
  getheader(to,"To");
  getheader(ctype,"Content-Type");
//  printf("s:%s\nf:%s\nt:%s\nc:%s\n",subject,from,to,ctype);
  if(sp=isWorm()){snprintf(result,STRSIZE,"+worm:%s",sp);}else
  if(sp=isWormBounce()){snprintf(result,STRSIZE,"+bounce:%s",sp);}else
  if(sp=chkNospam()){snprintf(nospam,STRSIZE,"-nospam:%s",sp);}
/*
  if(result[0])
   {if(o_passthru){outputheader(buf2,result);fpassthru(f);}
             else if(o_classify){printf("%s\n",result);return o_resultcode;}
    if(o_syslog)syslog(LOG_WARNING,"%s",result);
    fprintf(stderr,"WormBounceID:%s\n",result);
   }
  else if(o_passthru){outputheader(buf2,NULL);fpassthru(f);}
*/
  if(result[0])
   {if(o_syslog)syslog(LOG_WARNING,"%s",result);
    if(o_classify){printf("%s\n",result);return o_resultcode;}
    fprintf(stderr,"WormBounceID:%s\n",result);
   }
  if(nospam[0])
   {if(o_syslog)syslog(LOG_WARNING,"NOSPAM:%s",nospam);
    fprintf(stderr,"NoSpamKWD:%s\n",nospam);
   }
  //
  if(o_passthru){outputheader(buf2,result,nospam);fpassthru(f);}
  return 0;
}