MSN updates


vinny

I am getting twenty to thirty emails a day saying that it
is a critical update from Microsoft. It even has MS
logos and looks almost official. I of course block the
sender and delete the file. I also get 20-30 emails
saying that my message was cancelled or returned, which I
also block and delete. The sender never sends the same
email address twice. So blocking really doesn't work in
this instance. Why is emailed address not verified before
they can be sent? To have an email account, SSN and
Driver's Licenses should be checked out. This is costing
companies billions of dollars and will eventually destroy
the internet. A good analogy might be why would you pull
your car or auto into or onto incoming traffic if you know
you are going to get hit. The internet is a nice thing
but we CAN LIVE WITHOUT IT
 

This is email from Swen, a worm which infects your computer, then
sends out copies of itself to various strangers on the internet (ie,
you).

You can delete it, or filter it. Neither action will stop it.

The only way to stop Swen email is to report the infected computers.
Swen has been known for so long that most anybody who knows anything
about computers is protected against it. The only ones left with
infected computers are the truly clueless. They will never fix their
computers on their own.

I started reporting each Swen email several weeks ago, when I was
getting 75 - 100 / day. This was a fscking nuisance, but I have
gotten none for the past week - all the computers that were hitting me
have either been taken offline or cleaned. You need to report each
infection as soon as you can; each email you're getting is also going
to somebody else who may become infected and make the problem worse.

There is one and only one valid way to identify the reporting address
for the infected computer, which requires that you examine the
headers. Here is an example:

####### Start Example #######

Return-Path: <[email protected]>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id
h95L6baQ017487
for <[email protected]>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
for <[email protected]>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Date: Sun, 5 Oct 2003 23:01:27 +0200 (added by
(e-mail address removed))
Message-ID: <[email protected]> (added by
(e-mail address removed))
FROM: "Security Division" <[email protected]>
TO: "Commercial Customer" <[email protected]>
SUBJECT: Latest Network Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vjwtmhybcefqo"
X-Spam-Status: Yes, hits=5.9 required=5.0
tests=ALL_CAPS_HEADER,MICROSOFT_EXECUTABLE,MIME_HTML_NO_CHARSET,
MSG_ID_ADDED_BY_MTA,RCVD_IN_MULTIHOP_DSBL,
RCVD_IN_UNCONFIRMED_DSBL,SPAM_PHRASE_00_01
version=2.43
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)

Microsoft Customer

this is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities.
This update includes the functionality of all previously released
patches.
BLAH BLAH BLAH

####### End Example #######

The infected computer, in the example, is adqy (62.11.181.97).

10/6/2003 10:08:03 whois -h whois.ripe.net 62.11.181.97


remarks: | PLEASE CONTACT OUR ABUSE DIVISION ([email protected]) |
remarks: | FOR ABUSE and-or SPAM COMPLAINTS. |


Send this complaint, with full headers, to (e-mail address removed).

There are any number of online whois lookup tools. I use All-NetTools
( http://www.all-nettools.com/tools1.htm ) and Broadband Reports (
http://www.dslreports.com/whois ).

Also, there are several tools which you can install. I use Sam Spade
( http://www.samspade.org/ssw/ ) and TESP ABouncer (
http://www.tesp.com/abounce/ ). Both contain whois and other tools,
and both help you format and send the complaint.

Any reports you send need to be very objective; I have learned from
others that subjective, whiny complaints do not result in 100%
success. My reports did. You have to be patient, too. Most ISPs
won't fix the problem in a day. Just keep reporting each email, as
you receive it.

Using TESP, I wrote and emailed a report (for this example) as
follows:
To: (e-mail address removed)
R33437 UBE from your network, containing virus: "Latest Network
Security Pack"

The attached Unsolicited Bulk Email (UBE) "Latest Network Security
Pack", which appears to contain copies of the Swen (Gibe) virus,
appears to originate from your network. Please take appropriate
action.

- - - - - - - - Begin Attached Message - - - - - - - -
Return-Path: <[email protected]>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487
for <[email protected]>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
for <[email protected]>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Date: Sun, 5 Oct 2003 23:01:27 +0200 (added by
(e-mail address removed))
Message-ID: <[email protected]> (added by
(e-mail address removed))
FROM: "Security Division" <[email protected]>
TO: "Commercial Customer" <[email protected]>
SUBJECT: Latest Network Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vjwtmhybcefqo"
X-Spam-Status: Yes, hits=5.9 required=5.0
tests=ALL_CAPS_HEADER,MICROSOFT_EXECUTABLE,MIME_HTML_NO_CHARSET,
MSG_ID_ADDED_BY_MTA,RCVD_IN_MULTIHOP_DSBL,
RCVD_IN_UNCONFIRMED_DSBL,SPAM_PHRASE_00_01
version=2.43
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)

Microsoft Customer

this is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities.
This update includes the functionality of all previously released
patches.
BLAH BLAH BLAH






Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
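
The header walk described in the post above, as an added example that is not part of the original post: it parses the Received chain and reports both the bottom-most public IP (the address the post reports) and the last peer IP recorded by the recipient's own mail servers, since lines stamped by other servers cannot be verified by the recipient. The addresses on example.invalid are constructed placeholders for the redacted ones, and `.xxxx.net` as the recipient's own domain is an assumption taken from the redacted host names.

```python
import email
import ipaddress
import re

# Constructed sample: the Received chain from the example in the post, with
# the redacted addresses replaced by placeholders on example.invalid.
SAMPLE = """\
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
\tby eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487
\tfor <rcpt@example.invalid>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
\tby a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
\tfor <rcpt@example.invalid>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
\tid 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Subject: Latest Network Security Pack
"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def is_public(ip):
    """True for a syntactically valid, globally routable address."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def received_hops(raw):
    """Return (helo_name, peer_ip, stamping_host) per Received line, newest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            ip = IPV4.search(m.group(2))
            hops.append((m.group(1), ip.group(0) if ip else None, m.group(3)))
    return hops

def trace(raw, trusted_suffix):
    """Separate what our own servers recorded from what the chain merely claims."""
    hops = received_hops(raw)
    verified = None
    for _, ip, by_host in hops:                  # newest hop first
        if not by_host.endswith(trusted_suffix):
            break                                # stamped by someone else's server
        verified = ip                            # our server saw this peer directly
    public = [ip for _, ip, _ in hops if ip and is_public(ip)]
    return {"last_verified": verified,
            "reported_origin": public[-1] if public else None}
```

Run `trace(SAMPLE, ".xxxx.net")` and pass each returned address to whois; when the two resolve to different networks, the verified one is the safer address to report to.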
 