Another SWEN coming in every hour

[Gabriele Neukam]

On that special day, Veronica Loell, ([email protected]) said...

Don't you mean NNTP-engine?

Sorry, I mixed up the abbreviations. NNTP is the correct term.


Gabriele Neukam

(e-mail address removed)

 

[Jan Il]

Hi Gabriele -

On that special day, Jan Il, ([email protected]) said...


Aha. Does the header of the slipped-through message look like
this:

Return-Path: <[email protected]>
Received: from imsm033.netvigator.com ([219.76.116.130]) by
mailin04.sul.t-online.de
with smtp id 1A0Gj4-1MZ5W40; Fri, 19 Sep 2003 10:34:50 +0200
Received: (qmail 16398 invoked from network); 19 Sep 2003 08:33:26 -0000
Received: from pcd395148.netvigator.com (HELO marnrt) (203.218.185.148)
by imsm033.netvigator.com with SMTP; 19 Sep 2003 08:33:26 -0000
FROM: "Customer Assistance" <[email protected]>
TO: "Customer" <[email protected]>
SUBJECT: Newest Network Upgrade
Mime-Version: 1.0
X-Seen: false
X-Mailer: T-Online eMail 4.111
Date: 19 Sep 2003 14:04 GMT
Content-Type: multipart/mixed; boundary="ngbfqxohnpdwed"

This is a very rare specimen that I received on September 19th, which
doesn't contain the M-word in the "From:" line. This does happen,
although only once per one hundred mails, or so. Maybe *that's* the
problem.


Gabriele Neukam

I will check the details and other information on the next one that comes
down, and compare it to what you have here. However, I have seen and
received many variations of this worm, including From: Technical Support,
Network Support, Customer Support, etc. which do not have any M word in
them. These of course, were getting through the Rule set only for an M, MS
or Microsoft. However, once I set the Rule for any message with an
attachment, delete from server, they are deleted and never downloaded. The
ones with M, MS and Microsoft that are somehow managing to download in spite
of the Rule appear to have a different makeup. I haven't been able to put my
finger on it yet, it looks like a lot of 'stuff' to me, not being a writer
of this kind of junk, so, now that I have something to compare it to I might
be able to get a bit more insight.

If I find anything I'll post back and let you know.

Thank you very much for the additional information, and the details, I truly
appreciate it.

Best regards,
Jan

 

[Jan Il]

Hi Bart -

In Message-ID:<dyqfb.40162$gv5.20015@fed1read05> posted on Fri, 3 Oct


emailed to what I hope is a valid addy <g>

Just wanted to let you know that your filers appear to be holding well, no
sneaky thingies as yet....and....no snoopers. ;-))

Thanks for your help, I appreciate it.

Jan

 

[Bart Bailey]

In Message-ID:<PxEfb.43590$gv5.39249@fed1read05> posted on Sat, 4 Oct

Just wanted to let you know that your filers appear to be holding well, no
sneaky thingies as yet....and....no snoopers. ;-))

Glad to hear it.
It's the HTML filter that's toting the load so to speak,
without the gaping holes in that,
kiddies can only try to SE some fool into running their gems. <g>
Only one bad guy managed to slide by last night,
I had to add the word "Patch" to the word list for bodies or headers.
As you can see from the list of disabled rules, I had tried many things,
which were eventually covered in rule #1. You can delete all that other
stuff if you like, but it doesn't take a lot of disk space if you don't.

 

[Jan Il]

Hi Bart -

In Message-ID:<PxEfb.43590$gv5.39249@fed1read05> posted on Sat, 4 Oct


Glad to hear it.
It's the HTML filter that's toting the load so to speak,
without the gaping holes in that,
kiddies can only try to SE some fool into running their gems. <g>
Only one bad guy managed to slide by last night,
I had to add the word "Patch" to the word list for bodies or headers.
As you can see from the list of disabled rules, I had tried many things,
which were eventually covered in rule #1. You can delete all that other
stuff if you like, but it doesn't take a lot of disk space if you don't.

Ahm...think I might as well just keep the tag-alongs for now. Never know
when the reference may come in handy.
At least I have an idea of what you've already tried. Thanks for the info on
the "Patch", might better add it on this end too, just in case. <g>

Thanks Bart...

Jan

 

[Knack]

Using OE Block Sender function is waste of time. Create the following
rule in Outlook Express to filter out the bulk of W32/Swen generated e-
mail.

"Where the To or CC line does not contain <your e-mail address> and
Where the message has an attachment Delete it from server"

Note: you should be able to create a similar rule or filter in most e-
mail readers.

Some of the Swen worm messages have no headers, making it impossible to
filter via OE6. However the current version of the Magic Mail Monitor
freeware utility can inspect an adjustable number of message body lines,
which can enable it to automatically filter-delete such cases of Swen from
the server. I downloaded and installed MMM, but it doesn't reliably accept
the host name for my Earthlink POP3 mail server, so most of the time it
doesn't work.

 

[Bart Bailey]

In Message-ID:<[email protected]>

Some of the Swen worm messages have no headers

Huh?

 

[Knack]

In Message-ID:<[email protected]>


Huh?

Yeah. Blank fields in the From and Subject. Those damn malware authors have
thought of everything. The next version of OE will need a filter feature for
messages having either no From or no Subject.

 

[Knack]

Hmmm... does Earthlink give you x-amount of server space in each e-mail
adddress, or just a total amount for all addresses combined? Because if they
give me a total combined amount, then I'll still have to manage the messages
coming into the address that's getting the spam/worm/virus stuff. With the
worm/virus attachments, that crap can fill my mail space alottment pretty
quick.

BTW, I have the Earthlink US$22/month dialup service. I choose not use their
browser though. I wish the included popup blocker software was separately
downloadable. It cannot be installed unless the Earthlink browser is
installed.

If you have the same type acct w/ EL as I do, you can have a number of email
addresses. Make one your main acct and don't use it for anything other than
that - no email or usenet etc purposes. Then create a few more as possible
throwaways and use those for email and maybe a munged usenet posted
address.. When posting on usenet either munge or use a totally bogus address
in the header.

When a particular email addy gets on a virus or spam list, you can jetison
it.

When will it die out? The overall problem is getting worse, not better, so
it's not a question of when swen goes away, other worse stuff will
eventually show up.

C

There is no Swen coming into the Hotmail account, and Hotmail mail is not
forwarded to Earthlink. OK, I blundered with 2 or 3 posts a week or 2

ago

and
posted to Usenet with a Netscape Communicator user profile that has my full
name and Earthlink address.

But I've since been posting with Knack and the Hotmail address. My old posts
are still available to Swen though. I wonder how many more weeks or

months

it
will keep retrieving my Earthlink address from those posts.

How long does it take for a particular worm to die out, and what causes

it

to
stop?

so

 

[Knack]

At the time I posted this thread I was using old Netscape Communicator 4.7,
which had a mail filter that was incapable of deleting messages from the
POP3 server. It could only sort out between Inbox and Trash after
downloading it all. I've since installed IE6 (with OE6 included) and can now
filter-delete at the server before anything gets downloaded. However, I've
noticed that some Swen messages arrive without a header :-(

 

[Bart Bailey]

In Message-ID:<[email protected]>

Yeah. Blank fields in the From and Subject.

So the From and Subject comprise the totality of the header?

 

[Jan Il]

Gabriele -

On that special day, Jan Il, ([email protected]) said...

Delete from server; and one keyword, M, to make sure there was no confusion.
It would seem logical that if the Rule is working with other Swen messages
starting with M and have attachments, and does delete them from the server,
it should these others too, but, that is not happening.

Aha. Does the header of the slipped-through message look like
this:

Return-Path: <[email protected]>
Received: from imsm033.netvigator.com ([219.76.116.130]) by
mailin04.sul.t-online.de
with smtp id 1A0Gj4-1MZ5W40; Fri, 19 Sep 2003 10:34:50 +0200
Received: (qmail 16398 invoked from network); 19 Sep 2003 08:33:26 -0000
Received: from pcd395148.netvigator.com (HELO marnrt) (203.218.185.148)
by imsm033.netvigator.com with SMTP; 19 Sep 2003 08:33:26 -0000
FROM: "Customer Assistance" <[email protected]>
TO: "Customer" <[email protected]>
SUBJECT: Newest Network Upgrade
Mime-Version: 1.0
X-Seen: false
X-Mailer: T-Online eMail 4.111
Date: 19 Sep 2003 14:04 GMT
Content-Type: multipart/mixed; boundary="ngbfqxohnpdwed"

This is a very rare specimen that I received on September 19th, which
doesn't contain the M-word in the "From:" line. This does happen,
although only once per one hundred mails, or so. Maybe *that's* the
problem.

Below is the type of Swen message that has been stopped by the OE Rule now
in place as I have desecibed. This type of message is showing up in my
Inbox.

Return-Path: <[email protected]>
Received: from mailsvcs.mail.pas.earthlink.net ([207.217.120.251])
by fed1mtai04.cox.net
(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
id
<20031004184316.UDDN9057.fed1mtai04.cox.net@mailsvcs.mail.pas.earthlink.net>
for <[email protected]>; Sat, 4 Oct 2003 14:43:16 -0400
Received: from root by mailsvcs.mail.pas.earthlink.net with local-bsmtp
(Exim 3.33 #1)
id 1A5rAa-0007Ct-00; Sat, 04 Oct 2003 11:30:20 -0700
Received: from user-38lc284.dialup.mindspring.com ([209.86.9.4] helo=dcei)
by epic.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
id 1A5qyy-0005BJ-00; Sat, 04 Oct 2003 11:18:21 -0700
FROM: "MS Security Services" <[email protected]>
TO: "Customer" <[email protected]>
SUBJECT: latest network security patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="lvbvhgsvyg"
Message-Id: <[email protected]>
Date: Sat, 04 Oct 2003 11:18:21 -0700


The following message is a sample of the type that is being downloaded in
spite of the Rule in place.

Return-Path: <[email protected]> Received: from wzdnthl ([68.3.39.71
(InterMail vM.5.01.06.05 201- id <20031006025351.HJGF8 Sun, 5 Oct
200322:53:51 -04
FROM: "Microsoft Security Center" TO: "Client" <jpykttgv .dororv@supp
SUBJECT: new net critical patch
Mime-Version: 1.0
Content- Type: multipart/mixed; bou Message-Id: <20031006025351.HJ Date:
Sun, 5 Oct 2003 22:53:56 -04

There appears to be seem difference, but, I'm no expert so..., I don't know.
All I know is, these type of messages are able to download in spite of the
Rule that I have already explined in place.

Jan

 

[Knack]

In Message-ID:<[email protected]>


So the From and Subject comprise the totality of the header?

Well, the date is also part of the header too.

 

[Bart Bailey]

In Message-ID:<fF8gb.121$f%[email protected]> posted

Well, the date is also part of the header too.

Anything else?
What about the path?
Are you saying there's nothing in the header space
in some mail you received?

 

[Gabriele Neukam]

On that special day, Jan Il, ([email protected]) said...

Below is the type of Swen message that has been stopped by the OE Rule now
in place as I have desecibed. This type of message is showing up in my
Inbox.

Return-Path: <[email protected]>
Received: from mailsvcs.mail.pas.earthlink.net ([207.217.120.251])
by fed1mtai04.cox.net
(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
id
<20031004184316.UDDN9057.fed1mtai04.cox.net@mailsvcs.mail.pas.earthlink.net>
for <[email protected]>; Sat, 4 Oct 2003 14:43:16 -0400
Received: from root by mailsvcs.mail.pas.earthlink.net with local-bsmtp
(Exim 3.33 #1)
id 1A5rAa-0007Ct-00; Sat, 04 Oct 2003 11:30:20 -0700
Received: from user-38lc284.dialup.mindspring.com ([209.86.9.4] helo=dcei)
by epic.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
id 1A5qyy-0005BJ-00; Sat, 04 Oct 2003 11:18:21 -0700
FROM: "MS Security Services" <[email protected]>
TO: "Customer" <[email protected]>
SUBJECT: latest network security patch ....
The following message is a sample of the type that is being downloaded in
spite of the Rule in place.

Return-Path: <[email protected]> Received: from wzdnthl ([68.3.39.71
(InterMail vM.5.01.06.05 201- id <20031006025351.HJGF8 Sun, 5 Oct
200322:53:51 -04
FROM: "Microsoft Security Center" TO: "Client" <jpykttgv .dororv@supp
SUBJECT: new net critical patch ....

There appears to be seem difference, but, I'm no expert so..., I don't know.
All I know is, these type of messages are able to download in spite of the
Rule that I have already explined in place.

Looking at these two, I find two elements that might give an
explanation.

1) the lower mail doesn't seem to have a "TO:" entry. But that just
seems to be some coincidence.

2) The first mail was sent from Earthlink to an account on Cox.net. I
suspect the affected account is yours.
The second mail is sent *from* Cox.net, and probably *to* Cox.net, too.
There is no "by that and that server" to be found in the "Received:"
line, which IMHO *should* have been there.

Maybe Cox doesn't treat "internal" mail as something that has to be
filtered at all? This would explain the "unexplainable deliverance".
Maybe they set this "feature" to avoid that any customer would
"accidentally" filter their newsletters (aka advertisment blurb)?

Here in Germany there are providers who will send "their" newsletters
and have them mailed to the recipient, regardless if the latter wants to
get them, or not, in any case.


Gabriele Neukam

(e-mail address removed)

 

[FromTheRafters]

Below is the type of Swen message that has been stopped by the OE Rule now
in place as I have desecibed. This type of message is showing up in my
Inbox.
[snip]

FROM: "MS Security Services" <[email protected]>
TO: "Customer" <[email protected]>

Sorry I'm so slow to understand, but is the effective rule here
the "From contains 'MS'" rule or the "not addressed to me"
rule.

The following message is a sample of the type that is being downloaded in
spite of the Rule in place.
[snip]

FROM: "Microsoft Security Center" TO: "Client" <jpykttgv .dororv@supp

Here, "From:" still contains "M", but "To:" doesn't have it's own line.
There was an issue some time ago where an AV product parsed the
header for "Content-Type" to check for "Incorrect MIME type" or
was it "Malformed header" vulnerability, a vulnerability in that routine
was found in that the "Content-Type" search was looking for an exact
(case sensitive) occurence of "Content-Type" whereas the e-mail
system didn't specify that that string be an exact case sensitive string
in order to work. E-mails crafted with "cOntEnt-TypE" were treated
by the e-mail programs as legitimate, but the AV would entirely miss
them and find no "Content-Type" to chack against the filename for
a type mismatch.

So is this another case of "brain dead" OE not even seeing "FROM:"
as "From:" and "TO:" as "To:" when filtering is being used?

....and does OE's filter algorithm only look for the from and to
as the start of a new line?

A "yes" to either of those questions wouldn't really surprise me.

There appears to be seem difference, but, I'm no expert so..., I don't know.
All I know is, these type of messages are able to download in spite of the
Rule that I have already explined in place.

Hopefully someone with SMTP knowledge will help here. If the RFC
doesn't specify that "From:" be used rather than "FROM:", and that
each of the "From:" and "To:" be on a separate line, then OE should
have its filters make up for the disparity by checking for each of the
possibilities.

 

[FromTheRafters]

At the time I posted this thread I was using old Netscape Communicator 4.7,
which had a mail filter that was incapable of deleting messages from the
POP3 server. It could only sort out between Inbox and Trash after
downloading it all. I've since installed IE6 (with OE6 included) and can now
filter-delete at the server before anything gets downloaded. However, I've
noticed that some Swen messages arrive without a header :-(

Impossible, the header is necessary for the e-mail to arrive.
Some fields may be blank, but the header is still there. To
see how the whole thing looks ~ in OE you can use the keys
CTRL and F3 together while the e-mail is highlighted. This
will show you the complete headers, and body of the e-mail.

 

[Jan Il]

Hi Gabriele -

On that special day, Jan Il, ([email protected]) said...

Below is the type of Swen message that has been stopped by the OE Rule now
in place as I have desecibed. This type of message is showing up in my
Inbox.

Return-Path: <[email protected]>
Received: from mailsvcs.mail.pas.earthlink.net ([207.217.120.251])
by fed1mtai04.cox.net
(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
id

for <[email protected]>; Sat, 4 Oct 2003 14:43:16 -0400
Received: from root by mailsvcs.mail.pas.earthlink.net with local-bsmtp
(Exim 3.33 #1)
id 1A5rAa-0007Ct-00; Sat, 04 Oct 2003 11:30:20 -0700
Received: from user-38lc284.dialup.mindspring.com ([209.86.9.4] helo=dcei)
by epic.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
id 1A5qyy-0005BJ-00; Sat, 04 Oct 2003 11:18:21 -0700
FROM: "MS Security Services" <[email protected]>
TO: "Customer" <[email protected]>
SUBJECT: latest network security patch ...
The following message is a sample of the type that is being downloaded in
spite of the Rule in place.

Return-Path: <[email protected]> Received: from wzdnthl ([68.3.39.71
(InterMail vM.5.01.06.05 201- id <20031006025351.HJGF8 Sun, 5 Oct
200322:53:51 -04
FROM: "Microsoft Security Center" TO: "Client" <jpykttgv .dororv@supp
SUBJECT: new net critical patch ...

There appears to be seem difference, but, I'm no expert so..., I don't know.
All I know is, these type of messages are able to download in spite of the
Rule that I have already explined in place.

Looking at these two, I find two elements that might give an
explanation.

1) the lower mail doesn't seem to have a "TO:" entry. But that just
seems to be some coincidence.

2) The first mail was sent from Earthlink to an account on Cox.net. I
suspect the affected account is yours.
The second mail is sent *from* Cox.net, and probably *to* Cox.net, too.
There is no "by that and that server" to be found in the "Received:"
line, which IMHO *should* have been there.

Maybe Cox doesn't treat "internal" mail as something that has to be
filtered at all? This would explain the "unexplainable deliverance".
Maybe they set this "feature" to avoid that any customer would
"accidentally" filter their newsletters (aka advertisment blurb)?

Here in Germany there are providers who will send "their" newsletters
and have them mailed to the recipient, regardless if the latter wants to
get them, or not, in any case.

Since I have no scientific experience with these types of things, or know
exactly how they work, I have nothing to offer in addition to the
possibilities
that you have proposed. But, I did want to post an example of the particular
specimens of the messages that are, somehow, being downloaded in spite
of the Rule that 'is' working for all the others. I wanted folks to see what
I
was talking about in that these messages are different, how they are
different,
and are perhaps why they being allowed to get downloaded when others
aren't with the same Rule in place.

That Rule is as basic as I can think of. Rule..where the From line contains,
M, MS, Microsoft,... action; delete from server. I also tried it with the
'do not download' action. I even set the Rule for any message with an
attachment, delete from server. These still downloaded.

As an added piece of research, I uninstalled and reinstalled the OE6, to be
sure that if there was some file that had become corrupted somehow, that the
files were good. I have made an extended effort to do as much
troubleshooting, accurate testing and research as I can. I have tried to
present the results of all this in as clear and detailed a manner as I can
with my limited knowledge in this area.

I am still monitoring for research purposes between ...OE and MW. While MW
is working, and seems to be holding fairly well, although, today I got a few
new messages that managed to slither past the filters I now have in place,
which, does not surprise me, as there seems to be new wordings every few
days.

Thank you for your additional information and input, I truly do appreciate
it. At least you can now see why I said they were different from the others
I have been getting, and how.

Jan

 

[Jan Il]

Hi Rafters -

Below is the type of Swen message that has been stopped by the OE Rule now
in place as I have described. This type of message is showing up in my
Inbox.
[snip]

FROM: "MS Security Services" <[email protected]>
TO: "Customer" <[email protected]>

Sorry I'm so slow to understand, but is the effective rule here
the "From contains 'MS'" rule or the "not addressed to me"
rule.

You can update the information on this by reviewing your reply on 10/03/03
at 7:48p above in this thread regarding the rules I have had in place, and
testing with. And, my answer on 10/03/03 at 9:38p (this only to save
resources by not repeating the same information..<bg>). I did try the 'not
addressed to me', but it proved useless overall, even with the rest of the
messages. Seemed none but the spam care who the message was addressed to.
But, yes...the Rule is 'From contains M, MS, Microsoft'.

The following message is a sample of the type that is being downloaded in
spite of the Rule in place.
[snip]

FROM: "Microsoft Security Center" TO: "Client" <jpykttgv .dororv@supp

Here, "From:" still contains "M", but "To:" doesn't have it's own line.
There was an issue some time ago where an AV product parsed the
header for "Content-Type" to check for "Incorrect MIME type" or
was it "Malformed header" vulnerability, a vulnerability in that routine
was found in that the "Content-Type" search was looking for an exact
(case sensitive) occurrence of "Content-Type" whereas the e-mail
system didn't specify that string be an exact case sensitive string
in order to work. E-mails crafted with "cOntEnt-TypE" were treated
by the e-mail programs as legitimate, but the AV would entirely miss
them and find no "Content-Type" to check against the filename for
a type mismatch.

Yes...in regards to your comment on the case-sensitive issue...as I did try
various settings using all lower case, all upper case, normal
capitalization, etc. One thing I did find..using the same text format as in
the message does not 'always' work. So, I came to the conclusion, and
perhaps wrongly, that the issue might be more the exact wording, and not so
much the text case.

'k.....as an example, in a message regarding ..eh....Viagra....where the
Subject line contained V I A G R A, as opposed to Viagra. In keeping with
the theory of replicating the exact wording, I entered this in the Rule.
This did not stop the message with V I A G R A from coming through. Then I
went back and used V i a g r a, and I did not get any more messages that had
V I A G R A in the subject line. Now...at other times, the exact wording
worked just fine, such as with messages about ...ahmm ... well..... various
personal adjustments. So...go figure???

So is this another case of "brain dead" OE not even seeing "FROM:"
as "From:" and "TO:" as "To:" when filtering is being used?

I don't know...while for the most part there seems to be consistency in how
the rules work, there are times when OE appears to be oblivious to what it
is being fed.

...and does OE's filter algorithm only look for the from and to
as the start of a new line?

It would seem that it needs specific information before it seems to even
realize something is there. This is something that is built into the
program. The whole idea seems to be, to get the message downloaded to the
hard drive. It does not appear able to deliver it's payload if it is not
downloaded, so the whole intent is get it downloaded. MailWasher is not an
MS program, but OE is. Perhaps if someone is capable of writing a program to
use and affect MS programs and products to such an extent, is it not perhaps
possible that they have found a away to cloak these messages from the OE
brain works? However, this is mere speculation on my part, I really don't
know. But, it would seem that if they are capable of writing something this
damaging, they could be capable of anything.

A "yes" to either of those questions wouldn't really surprise me.


Hopefully someone with SMTP knowledge will help here. If the RFC
doesn't specify that "From:" be used rather than "FROM:", and that
each of the "From:" and "To:" be on a separate line, then OE should
have its filters make up for the disparity by checking for each of the
possibilities.

But Rafters, is it capable of doing this? Perhaps it is because it has not
run into this situation before, so, it does not know how to adjust to look
at data in any other way than it has been initially programmed to do. It has
been pointed out in this thread in various ways, OE can't think for itself,
it can only see and react to what it has been programmed to see and do. It
just runs data, it does not create data. It can not change the way it sees
or reacts to specific data as it is presented at it's door. But, that is
not to say that someone can't change the data on the other side of the door
to confuse. ???

I am in hopes that someone can shed some specific light on this. We know
Swen is not going to go away soon, and from the looks of it, it will be
taking on many different forms to find a way to deliver it's payload. That
is it's only objective.

Curiosity it what unlocked the secrets of the universe. To merely dismiss,
is to miss an opportunity to learn and grow.

Thank you very much for your time and additional input and information. I do
appreciate it.

 

[Jan Il]

Gabriele -

On that special day, Jan Il, ([email protected]) said...

<snip>

Here is the latest rogue that has managed to slip by the Rules. It is the
*first* Swen that I have had all day today.
****************************************************************************
*************
Return-Path: <[email protected]>
Received: from bqok ([68.2.29.228]) by fed1mtao05.cox.net
(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP
id <20031008055437.RIYQ10143.fed1mtao05.cox.net@bqok>;
Wed, 8 Oct 2003 01:54:37 -0400
FROM: "Microsoft Corporation Security Assistance"
<[email protected]>
TO: "Client" <[email protected]>
SUBJECT: Newest Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ycjapcikbdtbyscl"
Message-Id: <20031008055437.RIYQ10143.fed1mtao05.cox.net@bqok>
Date: Wed, 8 Oct 2003 01:54:42 -0400
****************************************************************************
********
It is similar to the other one in that ...it has Microsoft in the FROM Line.
The Rule is that; any messsge that has M, MS, Microsoft in the FROM line is
to be deleted from the server. But, like the one that I posted earlier, it
is lacking some of the normal information, compared to the average Swen
messages. But, I don't know, ..it just got through. However...the Subject
line is new...at least as I have seen so far. I'll add it to the Rules...

Jan




..