This is a discussion on the SWEN virus within the Linux Networking forums, part of the Linux Forums category.
In comp.os.linux.setup Shashank Khanvilkar <shashank@mia.ece.uic.edu> wrote:

> > If you do, install anti-virus software.
> I already have spam-assassin, which is not doing a very good job..

It's doing a superb job here. I get several hundred spams a day (err, 806 since yesterday), and only one or two slip past SA.

> But that is not of concern, as I may have misconfigured it.

Only you know. But you'd have to CONFIGURE it to stop Swen. Just kill anything with MS|Microsoft E?mail in the From line. Or you can kill on subject:

    Subject.* (MS net|(bug|Failure|Error) (notice|letter|announcement|Report|Message))

or

    Subject.* (Critical|Security|Network|Net|Internet|Latest|Current) (Patch|Pack|Update|Upgrade)

> My real concern is how can one remedy this problem at the root.. Even if I

There is no root.

> install anti-virus software, my server is still receiving those bloody
> emails, wasting a lot of BW. Isn't there any current mechanism built into
> SMTP, which will automatically stop relaying messages from the culprit,

Uh - you can't stop his sender from sending!

> right at the first hop, and if not what can be done about it.

Complain to abuse@wherever. But spamassassin includes reporting mechanisms. Use them! A simple

    | spamassassin -r

on your spambox will report all your spam back to razor, and then you benefit. Not to mention that SA learns just fine if you feed it some examples.

> All Comments appreciated.

Read The Fine Manual, and give us a break.

Peter
On Mon, 10 Nov 2003 12:52:40 -0600, Shashank Khanvilkar wrote:

> Hi,
>
> I am receiving these annoying mails containing swen virus. My PC is not
> infected with it, and I don't even know where it is coming from.. I
> could set up filters but I was more concerned about the BW that it eats
> up, when I download my mails from the server on a dial-up connection.
>
> Is there any way in which I can configure my SMTP server to stop
> receiving mails that contain this virus. How do I attack this problem.??

I set up a cron job that runs mailfilter 10 times an hour. I configured mailfilter to delete any e-mail from a stranger that has an attachment greater than 50K. While I was at it I added a bunch of subject filters that delete the bounces caused by Swen.A plus the usual viagra, penis, vicodin stuff plus anything that uses an Asian character set. Mailfilter allows you to set up a white list of known e-mail addresses that are permitted to send you attachments so you don't have to worry about killing e-mails from friends or colleagues.
"Shashank Khanvilkar" <shashank@mia.ece.uic.edu> writes:

>> Do you have administrative access to the server? If not, contact your ISP,
> I have administrative access to one of my servers... but the other is
> controlled by someone else.. and unfortunately I am receiving such mails on
> both mail accounts.
> I already have spam-assassin, which is not doing a very good job..
> But that is not of concern, as I may have misconfigured it.
> My real concern is how can one remedy this problem at the root.. Even if I
> install anti-virus software, my server is still receiving those bloody
> emails, wasting a lot of BW. Isn't there any current mechanism built into
> SMTP, which will automatically stop relaying messages from the culprit,
> right at the first hop, and if not what can be done about it.
> All Comments appreciated.

Procmail can be VERY effective at deleting Swen when it reaches your servers. A single line is sufficient to dump all the Swen, well, at least all the Swen that hasn't been castrated by removing the binary of the virus itself. And it is FAR more effective at this than Spam-assassin, which can build up vast databases trying to cope with large quantities of this binary mail.

As for stopping it before it reaches your server, log the domains that are delivering the bulk of the Swen to your server. I would suggest that dropping about a dozen or two IP address ranges, that you are never going to receive a legitimate email from in your life, into a block list would eliminate 3/4 of all the Swen virus.

Here are my top candidate domains for adding to block lists.

    fg.online.no        152
    ocn.ne.jp           154
    bigpond.com         176
    so-net.ne.jp        193
    libertysurf.net     195
    telus.net           209
    wanadoo.fr          247
    singnet.com.sg      263
    inet.fi             315
    btinternet.com      353
    dion.ne.jp          358
    dublin.eircom.net   372
    tiscali.it          485
    tin.it              549
    hetnet.nl           555

A total of 10832 Swen received from 1032 domains in the last 4 weeks. Ocn.ne.jp occasionally says they are doing something but their Swen count keeps climbing as fast as ever. Telus.net, the same. All appear to be working very hard to really do nothing to stop spewing Swen. And, btinternet's count is actually hundreds higher, they spewed 99 from blueyonder plus other domains.

But, 80% of the domains that have spewed Swen at me quickly put a stop to this after getting a complaint about this and rarely did one of them ever send another one.

So, see if you have legitimate customers from any of your top two dozen spew hosts, and if it won't kill you then just kill them with a block list. It will make life easier. If you want to bounce their binary back at their abuse address for the domain, maybe even better. A few days of blowing ten million Swen back at each of these might make them put the rest of the world in their block lists and we could all get on with the net. But they won't do anything about it.

--
More than 20 years ago when I first got involved with the net everyone on the net was either a white collar professional, who would never think of doing anything to risk their reputation, or was a student and knew what we would do to them if they did.

I apologize for most of what the net has become. I'm sorry. I'm very very sorry. It was never meant to turn out this way.
In <comp.os.linux.networking> Shashank Khanvilkar <shashank@mia.ece.uic.edu> wrote:

> Hi,
>
> I am receiving these annoying mails containing swen virus. My PC is not
> infected with it, and I don't even know where it is coming from.. I could
> set up filters but I was more concerned about the BW that it eats up, when I
> download my mails from the server on a dial-up connection.

If you're downloading from a remote POP3 account, then you can write a script to fetch only the top 50 lines of an email. You can then have the server delete it. Or, write ~/.procmailrc on that server. I use

    :0
    * boundary=\"[a-z]+\"
    spam

    :0HB
    * ^Content-Type: (text/html|audio/x-(wav|midi)|application/x-(msdownload|zip-compressed))
    spam

> Is there any way in which I can configure my SMTP server to stop receiving
> mails that contain this virus.
> How do I attack this problem.??

No, you are downloading from a POP3 server. Even if you refuse to accept the emails, you will still download the entire email from the remote server.

--
William Park, Open Geometry Consulting, <opengeometry@yahoo.ca>
Linux solution for data management and processing.
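As an added example (not code from any poster in this thread), the three filtering rules described above, Peter's From/Subject patterns, the mailfilter-style "no big attachments from strangers, whitelist your colleagues" rule, and William Park's procmail Content-Type recipe, re-implemented together in Python and run over constructed sample messages. The 50K ceiling, the whitelist address and the sample senders are assumed values.

```python
import base64
import re
from email import message_from_string
from email.utils import parseaddr

# Peter's header rules (From line and Subject line) as Python regexes.
FROM_RE = re.compile(r"\b(MS|Microsoft) E-?mail\b", re.I)
SUBJECT_RE = re.compile(
    r"\b(MS net|(bug|Failure|Error) (notice|letter|announcement|Report|Message)"
    r"|(Critical|Security|Network|Net|Internet|Latest|Current)"
    r" (Patch|Pack|Update|Upgrade))\b", re.I)
# William Park's procmail Content-Type recipe, applied to every MIME part.
CTYPE_RE = re.compile(
    r"^(text/html|audio/x-(wav|midi)|application/x-(msdownload|zip-compressed))$", re.I)
# Assumed values for the mailfilter-style rule: strangers may not send
# attachments over 50K, whitelisted senders may.
MAX_STRANGER_ATTACHMENT = 50 * 1024
WHITELIST = {"friend@example.org"}


def classify(raw: str) -> str:
    """Return 'spam' or 'ok' for one RFC 822 message given as text."""
    msg = message_from_string(raw)
    if FROM_RE.search(msg.get("From", "")) or SUBJECT_RE.search(msg.get("Subject", "")):
        return "spam"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    for part in msg.walk():
        if CTYPE_RE.match(part.get_content_type()):
            return "spam"
        if part.get_filename() and sender not in WHITELIST:
            # decode=True gives the raw attachment bytes, so the size is real, not base64 size
            if len(part.get_payload(decode=True) or b"") > MAX_STRANGER_ATTACHMENT:
                return "spam"
    return "ok"


def build(frm, subject, ctype="text/plain", filename=None, size=0):
    """Constructed test message (not from the thread) with one optional attachment."""
    head = f"From: {frm}\nSubject: {subject}\nMIME-Version: 1.0\n"
    if filename is None:
        return head + "Content-Type: text/plain\n\nhello\n"
    body = base64.b64encode(b"x" * size).decode()
    return (head + 'Content-Type: multipart/mixed; boundary="bb"\n\n--bb\n'
            "Content-Type: text/plain\n\nsee attachment\n--bb\n"
            f'Content-Type: {ctype}; name="{filename}"\n'
            f'Content-Disposition: attachment; filename="{filename}"\n'
            "Content-Transfer-Encoding: base64\n\n" + body + "\n--bb--\n")
```

Like the procmail recipe, the Content-Type check runs before the size check, so a Swen-style executable is dropped regardless of size and even when its sender is whitelisted.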
Shashank Khanvilkar wrote:

> Hi,
>
> I am receiving these annoying mails containing swen virus. My PC is not
> infected with it, and I don't even know where it is coming from.. I could
> set up filters but I was more concerned about the BW that it eats up, when I
> download my mails from the server on a dial-up connection.
>
> Is there any way in which I can configure my SMTP server to stop receiving
> mails that contain this virus.
> How do I attack this problem.??

comp.mail.sendmail - it will take you a couple of weeks and some pain to learn what "you" need to do. I say "you" because your setup is not my setup.

I REJECT (in access) mail from af, al, as, ad, ao, ai, ..... zw along with about 30 IP's and any email over 140000 bytes in size. And I contact the abuse@whatever.xyz the mail is passed thru.

Rots'a Ruck
"Shashank Khanvilkar" <shashank@mia.ece.uic.edu> wrote in message news:boon2m$7oo$1@newsx.cc.uic.edu

> I am receiving these annoying mails containing swen virus. My PC is
> not infected with it, and I don't even know where it is coming from..

It's coming from posting your email address in Usenet; see it above. Ever notice that Swen is News spelled backwards? Your address is being harvested by the virus from the newsgroup postings you've made.

tony
--
use hotmail com for any email replies
Don Taylor wrote:

> More than 20 years ago when I first got involved with the net
> everyone on the net was either a white collar professional,
> who would never think of doing anything to risk their reputation,
> or was a student and knew what we would do to them if they did.
>
> I apologize for most of what the net has become. I'm sorry.
> I'm very very sorry. It was never meant to turn out this way.

Ever noticed the parallels in the evolution of the net and of linux? From the moment on that big business has discovered it, the pros and cons sit close together.

Theo
On Mon, 10 Nov 2003 12:52:40 -0600, Shashank Khanvilkar <shashank@mia.ece.uic.edu> wrote:

> Hi,
>
> I am receiving these annoying mails containing swen virus. My PC is not
> infected with it, and I don't even know where it is coming from.. I could
> set up filters but I was more concerned about the BW that it eats up, when I
> download my mails from the server on a dial-up connection.
>
> Is there any way in which I can configure my SMTP server to stop receiving
> mails that contain this virus.
> How do I attack this problem.??

I use mailfilter which you can configure for specific words in the To:, From:, and Subject: lines. It contacts the server and deletes the emails on the server periodically (with crontab), so that they are never actually brought in from the server to my dial-up connected computer. I have it set up both manually and with a crontab where that is performed first and then the mail is fetched (I use getpop3).

....Edwin

--
Edwin Johnson ....... elj@shreve.net
http://www.shreve.net/~elj

"Once you have flown, you will walk the earth with your eyes turned skyward, for there you have been, there you long to return." -- da Vinci
> I have administrative access to one of my servers... but the other is
> controlled by someone else.. and unfortunately I am receiving such
> mails on both mail accounts.
>
> I already have spam-assassin, which is not doing a very good job..
> But that is not of concern, as I may have misconfigured it.

There really isn't a way to solve this problem at its source. Worms are grabbing email addresses off USENET, private address books, etc. Even my most trustworthy contacts have allowed my addresses to be harvested by spammers, since they haven't been careful about their desktop security. The only long term solution appears to be the use of time-limited email addresses.

Another way to block email from infected machines is to use DNSBL (DNS-based blocklists) at your mail server. I find that 'psbl.surriel.com' is great at blocking infected hosts. Others that are blocking a substantial amount of virus/spam are 'blackholes.easynet.nl' and 'list.dsbl.org'. Those DNSBLs will prevent the mail from even being accepted by your mail server.

You (or your ISP) should also add processing after the mail enters your server. Software as simple as renattach can block your worms by filtering or dropping messages based on attachment filename: http://www.pc-tools.net/unix/renattach/ (1.2.0rc2 will be released today)

--
Jem Berkes
http://www.sysdesign.ca/