(Msg. 1) Posted: Mon Oct 20, 2003 10:23 am
Post subject: Virus massive attack
Archived from groups: alt>comp>anti-virus
I've been hit two days ago by an avalanche of emails, about 30 per day,
with subject line of the type:
"user unknown",
"undeliverable mail",
"returned mail",
and so on.
Each has an attachment, containing the virus W32.Swen.A@mm. The attachment
has always a different name, and the extension is an executable (PIF, EXE,
COM).
So far as I have Norton and I'll never dream of clicking an attachment of
such a suspicious mail, (let alone executing the file), I feel myself quite
protected.
What I want to ask is if:
Somebody has been hit like myself.
This is a global pandemia like the last attack of Sobig.
Somebody (this is scary) has kidnapped my email address.
Can you people help me?
Cordially,
haim

(Msg. 2) Posted: Mon Oct 20, 2003 10:23 am
Post subject: Re: Virus massive attack
"Haim Guivon" wrote in message
> I've been hit two days ago by an avalanche of emails, about 30 per day,
> with subject line of the type:
> "user unknown",
> "undeliverable mail",
> "returned mail",
> and so on.
>
> What I want to ask is if:
> Somebody has been hit like myself.
> This is a global pandemia like the last attack of Sobig.
> Somebody (this is scary) has kidnapped my email address.
> Can you people help me?
> Cordially,
> haim
Yes, this has been a global problem since about 19th September.
I'm continuing to get hundreds of these messages e-mailed to me each day.
I am simply deleting (at the server before download to my PC) all e-mails
having attachments of between 143 and 159 Kb size.
That seems to slay the 'SWEN' virus very effectively, though obviously there
is a huge ongoing waste of resources if millions of these spoof e-mails are
reverberating around the world each day.
My isp just passes everything on without any filtering at all. I was really
surprised that the v21 mail server just kept on working despite the barrage.
I suppose that after each subscriber's uncollected e-mails exceed a set
number of Mb then anything more is just bounced back to the sender.
Ant.

(Msg. 3) Posted: Mon Oct 20, 2003 10:25 am
Post subject: Re: Virus massive attack
"D McAuliffe" <DaveMcA.TakeThisOut@mailinator.com> wrote in
news:bn0bsc$rkbs9$1@ID-37006.news.uni-berlin.de:
>
> I am interested in seeing examples of the "To" address, but don't
> expect you to change your filters. If anyone can post examples,
> thanks. And if there is anything looking like:
> MPG.19fda2a647cdc50e989922.TakeThisOut@news.claranews.com in addition, thanks.
That particular address or any email address formulated in a similar
manner?
--
Rick Simon rsimon.TakeThisOut@cris.com
Include "spam(trap)key" somewhere in the
body of any email to avoid spam filters.

(Msg. 4) Posted: Mon Oct 20, 2003 11:14 am
Post subject: Re: Virus massive attack
This answer goes for both Conor and Anthony, who cared to answer to my
quest.
Thank you, fellows. I feel much relieved now. About bouncing the message
back, I don't think it is possible, because they use a fake, untraceable
return address. I do what Anthony says: I delete them at the server.
I agree that I can't understand how the ISP deals with this problem. I
suppose that when one's inbox becomes full (over quota), they simply delete
any new incoming message, including friendly ones.
Thanks anyway, and now, let's pray
haim
==========================================================
"Conor Turton" <conor_turton DeleteThis @hotmail.com> wrote in message
news:MPG.19fda2a647cdc50e989922@news.claranews.com...
> In article <bn02go$rgm52$1@ID-69604.news.uni-berlin.de>, loner DeleteThis @news.org
> says...
>
> > What I want to ask is if:
> >
> > Somebody has been hit like myself.
> > This is a global pandemia like the last attack of Sobig.
> > Somebody (this is scary) has kidnapped my email address.
> >
> > Can you people help me?
> >
> No, usually most people have been hit 2 to 3 times more than you have.
> Your address hasn't been kidnapped.
>
>
> --
> Conor
>
-----------------------------------------------------------------------------------
Anthony Stokes wrote:
Yes, this has been a global problem since about 19th September.
I'm continuing to get hundreds of these messages e-mailed to me each day.
I am simply deleting (at the server before download to my PC) all e-mails
having attachments of between 143 and 159 Kb size.
That seems to slay the 'SWEN' virus very effectively, though obviously there
is a huge ongoing waste of resources if millions of these spoof e-mails are
reverberating around the world each day.
My isp just passes everything on without any filtering at all. I was really
surprised that the v21 mail server just kept on working despite the barrage.
I suppose that after each subscriber's uncollected e-mails exceed a set
number of Mb then anything more is just bounced back to the sender.
Ant

(Msg. 5) Posted: Mon Oct 20, 2003 5:13 pm
Post subject: Re: Virus massive attack
On Mon, 20 Oct 2003 05:42:46 -0700, Bart Bailey <me RemoveThis @privacy.net>
wrote:
>>
>>You appear to have a bee in your bonnet over this one. I'm not sure
>>why.
>
>Nope, just a basic curiosity.
>Why would you take umbrage at my queries?
>
I'm not taking umbrage at all. I have no problem with your queries.
>>The answer you got last time was a quote from the same site as
>>the url you posted.
>
>I guess, since this program is recommended by several people as a
>screening tool in a newsgroup ostensibly oriented toward security,
>I'm curious when a company, likewise oriented, selects said application
>for scrutiny.
>
Yes. They (spybot) must have decided to include everything which keeps
a recent history irrespective of how innocuous it is or what it is
for.
>>
>>The tracking you are referring to is a recent (configuration) file
>>list in case you want easy access to load different sets of filters at
>>different times.
>>
>>It's not a big deal.
>>
>>
>>Jim.
>>
>Your explanation sounds innocuous enough,
>but then why is it listed at Spybot?
>There are filter list options in Mailwasher too,
>but it wasn't selected to be placed on a watch list.
It's a simple feature so that the configuration files appear on the
windows file menu. If Mailwasher Pro did that it would probably be on
spybot's hit list too.
Jim.

(Msg. 6) Posted: Mon Oct 20, 2003 6:32 pm
Post subject: Re: Virus massive attack
On that special day, Haim Guivon, (loner@news.org) said...
> Somebody has been hit like myself.
Many, but not many enough to cause alarm in the open public, because
> This is a global pandemia like the last attack of Sobig.
this is a usenet endemia. Swen collects addresses from random usenet
groups and swamps them with double copies of itself, first a "cumulative
(insert current month) Microsoft patch" and then a fake bounce, which
makes use of the wrong mime header vulnerability (so better don't use an
Outlook (Express) of the generation 5.x before SP2).
I got them nearly in the beginning of the outbreak, by the hundreds, on
an analog modem line. And if you look at my signature, you can see the
only thing that will help against the mail flooding done by Swen. It
leaves all addresses alone that contain the strings "spam" or "delete".
Gabriele Neukam
Gabriele.Spamfighter.Neukam RemoveThis @t-online.de
--
Because of Swen, my address is changed.
Please contact Gabriele.Spamfighter.Neukam RemoveThis @t-online.de
Because of Swen I had to change my address.
Please write to Gabriele.Spamfighter.Neukam RemoveThis @t-online.de

(Msg. 7) Posted: Mon Oct 20, 2003 6:34 pm
Post subject: Re: Virus massive attack
On Mon, 20 Oct 2003 09:49:49 -0700, Bart Bailey <me DeleteThis @privacy.net>
wrote:
>In Message-ID:<m318pvoj27n1boeolccrlsqcaq6au1f4pr DeleteThis @4ax.com> posted on
>Mon, 20 Oct 2003 17:13:11 +0100, James Egan wrote:
>
>>It's a simple feature so that the configuration files appear on the
>>windows file menu. If Mailwasher Pro did that it would probably be on
>>spybot's hit list too.
>
>So MMM creates a data directory apart from the program folder?
>(If I'm understanding you correctly)
It doesn't create a separate directory but I suppose you could create
one elsewhere if you wanted to and the config files would still appear
on the file menu.
Jim.

(Msg. 8) Posted: Mon Oct 20, 2003 6:55 pm
Post subject: Re: Virus massive attack
"Anthony Stokes" <Anthony.Stokes.DeleteThis@nhsstaff.org.uk> wrote in message
news:3f93bc5d@news.greennet.net...
> I am simply deleting (at the server before download to my PC) all e-mails
> having attachments of between 143 and 159 Kb size.
Is there a way of doing this in OE6? The only size-related option is "Where
the message size is more than size."
> That seems to slay the 'SWEN' virus very effectively, though obviously there
> is a huge ongoing waste of resources if millions of these spoof e-mails are
> reverberating around the world each day.
> My isp just passes everything on without any filtering at all. I was really
> surprised that the v21 mail server just kept on working despite the barrage.
> I suppose that after each subscriber's uncollected e-mails exceed a set
> number of Mb then anything more is just bounced back to the sender.
>
> Ant.
>

(Msg. 9) Posted: Mon Oct 20, 2003 8:20 pm
Post subject: Re: Virus massive attack

(Msg. 10) Posted: Mon Oct 20, 2003 11:15 pm
Post subject: Re: Virus massive attack
On Mon, 20 Oct 2003 06:03:24 -0400, D McAuliffe wrote in
<bn0bsc$rkbs9$1@ID-37006.news.uni-berlin.de>:
>Someone got infected with Swen and your email address was on their machine
>(or if "loner@.." is a correct address for you, then it could have come from
>a NewsGroup posting you've made) which the virus used as the From address
>for its propagating emails. Since Swen looks at addresses in NGs, in
>addition to looking in .dbx files amongst others, and those addresses may
>have been munged in such a way as to create a bounced mail if used, these
>are the bounces you are getting. You may be receiving two mail versions for
>each bad recipient, in which case the 30 emails are "To" 15 separate
>addresses.
The 'undeliverable message' bounces are guises of the virus itself, at
least those that I see. The message format is similar to Klez, I think
(or was it Yaha?), an <iframe pointing to an attached executable with a
bad Content-Type mimeheader.
The return-path (smtp mail-from) appears to be correct on most swens,
that is, the address' domain matches the domain of the sending mail
server (most come through isp mail relays).
>I am interested in seeing examples of the "To" address, but don't expect you
>to change your filters. If anyone can post examples, thanks. And if there
>is anything looking like: MPG.19fda2a647cdc50e989922.RemoveThis@news.claranews.com in
>addition, thanks.
I've kept the results of the one day that I disabled the no-execs-here
filter, almost 600 swens. The string 'claranews' does not appear in this
collection.
Oh, if anyone replies by mail, use the reply-to, mainly because of swen
I have begun to automagically 'blacklist' any host that sends mail to
the from on my usenet posts. Mhh, looks like today was a busy day.

(Msg. 11) Posted: Tue Oct 21, 2003 3:32 pm
Post subject: Re: Virus massive attack
"Bob Davis" <iclick.RemoveThis@coxZAPSPAM.net> wrote:
> "Anthony Stokes" <Anthony.Stokes.RemoveThis@nhsstaff.org.uk> wrote in message
> news:3f93bc5d@news.greennet.net...
>
> > I am simply deleting (at the server before download to my PC) all e-mails
> > having attachments of between 143 and 159 Kb size.
>
> Is there a way of doing this in OE6? The only size-related option is "Where
> the message size is more than size."
Sorry -- responding to Anthony Stokes' comments as I've not seen his post
on my news server yet...
Deleting those messages between 143KB and 159KB will miss all the Swen.B
and Swen.C variants where the .EXE has a size of 52,224 but otherwise is
essentially identical to the original Swen.A...
--
Nick FitzGerald
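
The point made in this thread, that a 143 to 159 KB size window misses the 52,224-byte variants while the attachments always carry an executable extension (PIF, EXE, COM), can be checked with a small filter. This is an added example, not part of any post; the sample messages, their file names and the audio/x-wav content type are constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTS = {".pif", ".exe", ".com"}      # extensions named in the thread
SIZE_WINDOW = (143 * 1024, 159 * 1024)    # the 143-159 KB rule from the thread

def named_parts(msg):
    """Yield (filename, declared content type, decoded size) per attachment."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            body = part.get_payload(decode=True) or b""
            yield name, part.get_content_type(), len(body)

def size_window_rule(msg):
    """True if any attachment falls inside the size window."""
    lo, hi = SIZE_WINDOW
    return any(lo <= size <= hi for _, _, size in named_parts(msg))

def exec_attachment_rule(msg):
    """List attachments with an executable extension, whatever their size."""
    findings = []
    for name, ctype, _ in named_parts(msg):
        if os.path.splitext(name.lower())[1] in EXEC_EXTS:
            reason = "executable attachment"
            if not ctype.startswith("application/"):
                # Declared type disagrees with the executable file name.
                reason += f" declared as {ctype}"
            findings.append((name, reason))
    return findings

def build_sample(filename, size, maintype, subtype):
    """Constructed test message with a zero-filled attachment (no real malware)."""
    msg = EmailMessage()
    msg["Subject"] = "returned mail"
    msg.set_content("constructed sample body")
    msg.add_attachment(bytes(size), maintype=maintype, subtype=subtype,
                       filename=filename)
    # Round-trip through bytes so the rules see what a server-side filter would.
    return message_from_bytes(msg.as_bytes(), policy=policy.default)

SAMPLES = {  # constructed inputs; file names and MIME types are assumptions
    "large_exe": build_sample("update.exe", 150 * 1024, "audio", "x-wav"),
    "small_pif": build_sample("notice.pif", 52224, "application", "octet-stream"),
    "photo": build_sample("holiday.jpg", 150 * 1024, "image", "jpeg"),
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        print(label, size_window_rule(m), exec_attachment_rule(m))
```

The size rule flags the harmless photo and passes the small PIF, while the extension rule catches both executables and leaves the photo alone.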

(Msg. 12) Posted: Tue Oct 21, 2003 10:29 pm
Post subject: Re: Virus massive attack
On that special day, Bart Bailey, (me@privacy.net) said...
> Don't you still get it as residue from
> before your munging?
I can't tell, as I didn't *add* but *change* my address. Whoever might
be trying to send me a letter, will get a "no such user" instead of
having his/her mail dropped into a bin, which will never be looked at.
Gabriele Neukam
Gabriele.Spamfighter.Neukam.RemoveThis@t-online.de
--
Because of Swen, my address is changed.
Please contact Gabriele.Spamfighter.Neukam.RemoveThis@t-online.de
Because of Swen I had to change my address.
Please write to Gabriele.Spamfighter.Neukam.RemoveThis@t-online.de