phPOP3clean is a spam, virus, and worm filtering system for POP3 email accounts.

phPOP3clean is a PHP-based POP3 email scanner. phPOP3clean is designed to be run as a cron job every minute or so, and to catch & delete several types of unwanted emails:

a) malformed emails - incomplete or malformed headers, which cause some POP3 servers to drop connection when the message is retrieved

b) email worms - attached executable files matched against database of known variant, including matching variable-length files or files with internal random bytes (such as the currently-popular Netsky & Beagle variants). Zipped attachments are unzipped and scanned. Password-protected zipped attachments are matched based on deceptive filenames (eg: "readme.txt .exe").

c) image-based spam - attached images are matched against database of known spam images to reject messages containing only an inline attached image (technique of bypassing many spam filters). Images with random bytes appended are also matched.

d) obfuscated word spam - scans message body for obfuscated words, such as "víàqrä" in place of "viagra"

e) blacklisted phrase spam - scans message body for phrases (such as "Securities Exchange Act of 1934" or "forward looking statements", both of which are in most stock-promoting spam). Regular expression matches can be used to match variations.

f) blacklisted source code - scans message source for phrases known to be part of exploits (eg: < script language="JScript.Encode" >)

g) blacklisted Received header - reject messages based on "Received" header contents

h) blacklisted IP spam - scans message contents for links to blacklisted IP ranges (eg: 221.11.133.66/25). Links can be in HTML or plain text, image/iframe src, etc.

i) whitelist - "From" and "Return-Path" headers are scanned to match whitelist to bypass all filtering.

All matching is done against MySQL tables, the contents of which are all user-configurable with included admin interface.

Supported message encodings are: 7-bit, 8-bit, quoted-printable, base64.

Installation:

Unzip to a password-protected directory on your server. For speed reasons it's advisable to run on the same server as the mailserver, but it works over POP3 so you can run poPOP3clean on any webserver and scan accounts on any other server(s). After you've configured phPOP3clean, schedule it to run as a cron job every few minutes (every minute is ideal, if your server can handle the load). The cron job may look something like this:

lynx -dump -auth=user:pass http://example.com/admin/phPOP3clean.php

where user:pass is the .htaccess username/password required to access that directory. phPOP3clean normally outputs nothing during its run, but if you want to see the status messages you can access

http://example.com/admin/phPOP3clean.php?show=1

in your browser and you can see what phPOP3clean is doing.

There are some values you must modify in phPOP3clean.config.php -- take a look at that file and it should be pretty self-explanatory.

To create the MySQL tables required by phPOP3clean, simply run phPOP3clean.install.php and the tables will be created if required. Any changes to the table structures required by future versions will be handled by this file, so run this again after upgrading to a newer version of phPOP3clean.

A "quarantine" folder PHPOP3CLEAN_QUARANTINE (default is /phpop3clean/ below installation directory) and within that a new directory is created each month where the deleted emails are stored (gzipped). This allows you to review deleted emails from the admin interface. You will need to manually clean up these directories as the months go by.

What's New in This Release:

· domains that resolve to too many varied IPs (too many IPs, or too many different AMasks) are auto-blacklisted
· IPs are logged per message so that if an IP is later found to be in the DNSBL, already-scanned messages can be deleted
· banned Code now also checked against multipart headers
· plaintext phrase matching can be performed with all-but some characters stripped to match things like "s't.oc~k_re*por?t"
· default SafeGetHostByNameL() changed to `host` for non-Windows systems, with a default timeout (PHPOP3CLEAN_DNS_TIMEOUT) of 2 seconds
· auto-ban DNSBL and too-many-varied-IPs domains in admin add
· allow "onlyid" values of ">x" and "