This is a free anti-virus and anti-spam application written in .NET. It takes an EML e-mail file and detects viruses or spam. It returns 1 in case of virus/spam, 0 if the file is clean and -1 if an error occurred. Well, OK, this is too optimistic a description. This tool parses an EML mail file and its attachments and, using heuristics and the specification in the .ini file, tries to detect viruses and/or spam. In a way it is an email filter with rules written in C#.


History

I am using my own mail server application - hMailServer. After I configured it to use the ClamWin anti-virus, I was still occasionally receiving viruses in attachments from random senders, as well as spam. I quickly noticed a pattern in those mails and heuristics. I decided to hunt down those emails with a few simple rules written in C#, which are auto-executed against each mail upon receiving it. In the end I can proudly say that with this setup I receive one or no unwanted emails per day, and I am a heavy email user! I can further reduce this number by being more diligent in the .ini file or by implementing new rules.

Rules for detecting unwanted e-mails

You can most easily understand the rules used by looking into the .ini file. Below is a different explanation of the same thing.
  • EMAIL SIZE: So far I have never encountered a virus or spam in a big email. The reason is probably that creating, keeping and sending big emails requires more resources. This application checks only mails smaller than the value specified in the .ini file under the setting maxSizeOfEmlFileThatWillBeProcessed. Other emails are marked as clean by default. Mail size is the total sum of the email body with images and all attachments.
  • ATTACHMENT SIZE: I have never encountered a virus in a big attachment, probably for the same reason as mentioned above. An e-mail will be marked as clean if it contains an attachment larger than the value specified under virusIsNeverLargerThanXKBytes.
  • NUMBER OF ATTACHMENTS: I have never encountered a virus in mails that have more than a single attachment. This application marks mails with multiple attachments as clean by default.
  • ZIP CHECK: A virus is usually delivered as a file inside a zip archive attached to the email. This application is able to extract a zip attachment and do further checks on its content.
  • NUMBER OF FILES IN ZIP: I have never encountered a virus in a zip attachment alongside other files in the same zip. If the application finds a greater number of files in the zip than what is specified under the virusNeverHasMoreThanXFilesPackedInZip setting, the mail is marked as clean.
  • FILE TYPES IN ZIP: In all cases the viruses inside the zip were some kind of script. They had either a .js or a .jse extension. The presence of such a file causes the email to be marked as a virus. In the .ini file of this application, suspicious extensions like those can be defined under the virusFileNameExtensionsInZipCsv setting.
  • SENDERS WHITE-LIST: If I worked in a software development team where I could sometimes receive a .js file in a zip, I would simply white-list those people. This can be done with the setting trustedEMailsCsv in the .ini file.
  • PHRASES BLACK-LIST: Sometimes I was receiving repeated emails which were not caught by other rules. For them I find a phrase that exists in all such mails (sender address, subject or something from the email body) and I add it to the black-listed phrases. Those phrases can be set under the virusPhrasesCsv setting in the .ini file.
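
The sender white-list and attachment rules from the list above, as an added Python example (not the project's C# code). The setting names are the page's; the values, the order in which the rules run, and the helper names scan, split_csv and sample_eml are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SETTINGS = {  # names are the page's; values and rule order are assumed
    "virusIsNeverLargerThanXKBytes": 100,
    "virusNeverHasMoreThanXFilesPackedInZip": 1,
    "virusFileNameExtensionsInZipCsv": ".js,.jse",
    "trustedEMailsCsv": "dev@example.org",
}

def split_csv(key):
    return [v.strip().lower() for v in SETTINGS[key].split(",") if v.strip()]

def scan(raw):
    """Return 1 (virus/spam), 0 (clean) or -1 (error), like the exit codes."""
    try:
        msg = message_from_bytes(raw, policy=policy.default)
        sender = parseaddr(str(msg["From"]))[1].lower()
        if sender in split_csv("trustedEMailsCsv"):
            return 0  # SENDERS WHITE-LIST
        atts = list(msg.iter_attachments())
        if len(atts) != 1:
            return 0  # NUMBER OF ATTACHMENTS: none or several
        data = atts[0].get_payload(decode=True) or b""
        if len(data) > SETTINGS["virusIsNeverLargerThanXKBytes"] * 1024:
            return 0  # ATTACHMENT SIZE
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return 0  # only zip attachments are opened
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()  # ZIP CHECK
        if len(names) > SETTINGS["virusNeverHasMoreThanXFilesPackedInZip"]:
            return 0  # NUMBER OF FILES IN ZIP
        bad = tuple(split_csv("virusFileNameExtensionsInZipCsv"))
        return int(any(n.lower().endswith(bad) for n in names))  # FILE TYPES
    except Exception:
        return -1

def sample_eml(sender, files):  # constructed test input, one zip attachment
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in files:
            z.writestr(name, "placeholder")
    m = EmailMessage()
    m["From"], m["Subject"] = sender, "Invoice"
    m.set_content("See attachment.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip")
    return m.as_bytes()
```

A result of 0 here means only that no rule matched; several rules return clean by default, so the anti-virus scanner stays in the chain, as in the setup described under History.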

There is one trick to blindly get rid of all mails that are a consequence of intentional or unintentional subscriptions. Just make a filter that looks for the word "Unsubscribe" in the email body and define what to do with such emails. This is not done in this application.

Minimum system requirements

  • Any Windows operating system
  • Mail server or mail client
  • .NET Framework 4.0 (usually pre-installed with Windows 8 and later)
    The whole app can easily be downgraded to use just .NET Framework 3.5.

How to install it?

  1. Extract the files to the desired folder
  2. Review/configure the .ini file
  3. Link it to your e-mail server. If you don't have an email server, you need to find a way for your email client to auto-export each received email to an EML file, call VirusScanner.exe and, in case of exit code 1, mark the email as virus/spam or delete it. VirusScanner.exe should be called for each email received, with a single argument: the full path to the .EML file enclosed in double quotes. In the picture below I show the screen for integration with hMailServer.

Files and Folders

License

This product is free. It is under the MIT license.

GitHub

You can download the source code from my GitHub page. Feel free to contribute there by committing your improvements for this project.

Download

Other Projects

See my other projects.
