charles kuchar wrote / skrev:
These emails originate from infected machines.
http://www.microsoft.com/technet/security/virus/alerts/swen.asp
You can do the following to help stop the flood:
Report the emails to the appropriate abuse department, "appropriate" being
the one for the originating IP address. See
http://www.spamcop.org for information
about how to find out the originating IP address if you don't know how to
do that.
Report immediately, for each message received. You have no way of
knowing if two messages come from the same infected computer, or two
infected computers in the same domain. Swen is written to spread to
computers closely, as well as worldwide. The longer you wait, the
more computers might be infected from a computer you are getting Swen
from.
IMHO, more infection reports will go to an ISP when you politely wait,
than your duplicate reports produce.
I started reporting each Swen email a week ago, when I was getting 75
- 100 / day. This was a fscking nuisance, but today I have gotten
only 1. It is quicker to report each one immediately, than to
maintain a list of what you report, and know when to wait to follow
up.
There is one and only one valid way to identify the ISP for the
infected computer, which requires that you examine the headers. Here
is an example:
####### Start Example #######
Return-Path: <[email protected]>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
    by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487
    for <[email protected]>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
    by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
    for <[email protected]>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
    id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Date: Sun, 5 Oct 2003 23:01:27 +0200 (added by (e-mail address removed))
Message-ID: <[email protected]> (added by (e-mail address removed))
FROM: "Security Division" <[email protected]>
TO: "Commercial Customer" <[email protected]>
SUBJECT: Latest Network Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vjwtmhybcefqo"
X-Spam-Status: Yes, hits=5.9 required=5.0
    tests=ALL_CAPS_HEADER,MICROSOFT_EXECUTABLE,MIME_HTML_NO_CHARSET,
    MSG_ID_ADDED_BY_MTA,RCVD_IN_MULTIHOP_DSBL,
    RCVD_IN_UNCONFIRMED_DSBL,SPAM_PHRASE_00_01
    version=2.43
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)

Microsoft Customer
this is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities.
This update includes the functionality of all previously released
patches.
BLAH BLAH BLAH
####### End Example #######
The infected computer, in the example, is adqy (62.11.181.97).
10/6/2003 10:08:03 whois -h whois.ripe.net 62.11.181.97
remarks: | PLEASE CONTACT OUR ABUSE DIVISION ([email protected]) |
remarks: | FOR ABUSE and-or SPAM COMPLAINTS. |
Send this complaint, with full headers, to (e-mail address removed).
There are any number of online whois lookup tools. I use All-NetTools
(http://www.all-nettools.com/tools1.htm) and Broadband Reports
(http://www.dslreports.com/whois).
Also, there are several tools which you can install. I use Sam Spade
(http://www.samspade.org/ssw/) and TESP ABouncer
(http://www.tesp.com/abounce/). Both contain whois and other tools,
and both help you format and send the complaint.
Cheers,
Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
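The header walk Chuck describes, as an added example that is not part of the original thread: a Python script that reads the Received chain oldest hop first, picks the first globally routable client address as the one to look up with whois, and checks that each hop's "by" host reappears as the client of the next hop up, which is the usual way a forged bottom header gives itself away. The sample message is constructed from the headers quoted above, with the sender and recipient addresses replaced by example.invalid placeholders; the second sample, with a LAN relay in front of the sender, is constructed too. The whois lookup itself is left to the tools named in the post.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the Received chain quoted in the post;
# the mailbox addresses are placeholders, the host names and IP addresses
# are the ones shown in the quoted headers.
SAMPLE = (
    "Return-Path: <sender@example.invalid>\n"
    "Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])\n"
    "\tby eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487\n"
    "\tfor <victim@example.invalid>; Sun, 5 Oct 2003 14:06:37 -0700\n"
    "Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])\n"
    "\tby a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997\n"
    "\tfor <victim@example.invalid>; Sun, 5 Oct 2003 14:06:35 -0700\n"
    "Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)\n"
    "\tid 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200\n"
    "Subject: Latest Network Security Pack\n"
    "\n"
    "(body omitted)\n"
)

# Constructed variant: the bottom header was written by a relay on the
# sender's own LAN, so the very first hop carries a private address and
# the reportable address is the relay's public one.
SAMPLE_LAN_RELAY = (
    "Received: from relay.example.invalid (relay.example.invalid [208.201.249.230])\n"
    "\tby mx.example.invalid (Postfix) with ESMTP id 0001;\n"
    "\tSun, 5 Oct 2003 14:06:37 -0700\n"
    "Received: from desk (10.0.0.5) by relay.example.invalid (Postfix)\n"
    "\tid 0002; Sun, 5 Oct 2003 14:06:30 -0700\n"
    "\n"
)

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the client announced in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # rDNS and/or [ip] recorded by the receiving MTA
    r"\s+by\s+(?P<by>\S+)",            # the MTA that wrote this header
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def parse_received(value):
    """Split one Received header into the client's HELO name, its IP and the recording MTA."""
    text = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = IPV4_RE.search(paren)
    return {
        "helo": m.group("helo"),
        "rdns": paren,
        "ip": ip.group(0) if ip else None,
        "by": m.group("by"),
    }


def hop_chain(raw_message):
    """Received hops oldest first; MTAs prepend, so the last header is the first hop."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h is not None]
    hops.reverse()
    return hops


def originating_ip(raw_message):
    """Address to look up with whois: the first globally routable client IP in the chain."""
    for hop in hop_chain(raw_message):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


def chain_is_consistent(raw_message):
    """Each hop's 'by' host should reappear as the client of the next hop up.
    Headers below the first MTA you trust can be written by the sender; a
    break in this chain is the usual sign of that, so treat the bottom IP
    with suspicion when the check fails."""
    hops = hop_chain(raw_message)
    for lower, upper in zip(hops, hops[1:]):
        writer = lower["by"].lower()
        if writer != upper["helo"].lower() and writer not in upper["rdns"].lower():
            return False
    return True


if __name__ == "__main__":
    for hop in hop_chain(SAMPLE):
        print(f"{hop['helo']:<20} {hop['ip'] or '-':<16} by {hop['by']}")
    print("report:", originating_ip(SAMPLE), "chain consistent:", chain_is_consistent(SAMPLE))
```

Run it on a saved message with full headers; the address it prints is the one to hand to whois (for the quoted example, `whois -h whois.ripe.net 62.11.181.97`, as in the post). A `False` from the consistency check means the bottom Received line was not vouched for by the hop above it, so the abuse contact for that address may not be the right recipient.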