Sven again


Rev. Roger

Is there, anywhere out there, a comprehensive list of the Subject lines or
the From lines that this beast uses. I now have 175 filters going and I am
still getting 4 - 6 messages every few hours.




The only thing that frustrates me is frustration.
 
"Rev. Roger @dsl.pipex.com>" <ch<NOSPAM> wrote in message
: Is there, anywhere out there, a comprehensive list of the Subject lines or
: the From lines that this beast uses. I now have 175 filters going and I
am
: still getting 4 - 6 messages every few hours.
:
:
:
:
: The only thing that frustrates me is frustration.
:
At the Symantec site is a virus description, containing a list of all the
words SWEN puts in its subject lines.
 
Is there, anywhere out there, a comprehensive list of the Subject lines or
the From lines that this beast uses. I now have 175 filters going and I am
still getting 4 - 6 messages every few hours.

Stop everything with an executable attachment and/or with either of
<iframe src=
"December 2003, Cumulative Patch
in the body
 
Jeroen said:
: Is there, anywhere out there, a comprehensive list of the Subject lines or
: the From lines that this beast uses. I now have 175 filters going and I am
: still getting 4 - 6 messages every few hours.
:
At the Symantec site is a virus description, containing a list of all the
words SWEN puts in its subject lines.

Whilst correct, that does not especially help the OP as using a simple filter
(presumably the OP is talking about Outlook or OE "filtering"??) to block all
messages with any of those words in their Subject: lines will have a horrendous
false positive rate.

And further, even that wouldn't be enough. I occasionally receive Swen messages
as a "complete attachment" to a _real_ bounce or content/virus filter rejection
message and more often than not these messages have Subject: lines entirely of
mail server's/content filter's own devising, bearing no relationship to the
original, Swen-generated Subject: line of the undelivered/rejected message.

Thus, Subject: line filtering -- at least in its chronically trivial form as
present in several Email clients -- is an extraordinarily poor approach to
blocking Swen and should be abandoned rather than persisted with. If receiving
Swen (and presumably other viruses) is such a bothersome, loathsome event the
OP should get a better Email client (one which allows truly sophisticated
filtering) or an AV or content filter package that will pre-filter not only
known viruses but "other likely bad stuff" from their Email or sign up to an
ISP (or move their Email to an Email ASP) that offers virus scanning (and/or
other advanced content filtering) options.
 
Frans Meijer said:
Stop everything with an executable attachment ...

...for a sufficiently intelligent definition of "executable" (that is, do
not just depend on stopping files with a .EXE extension).
... and/or with either of
<iframe src=

Not all Swen messages have this -- the "fake bounce" form of message does
_NOT_ use this.
"December 2003, Cumulative Patch
in the body

...so long as you remember to add "January 2004...", "February 2004..." and
so on variations as the months tick by. And, given the massive numbers of
Sobig.F-carrying messages we are still seeing long after its date-based
"drop-dead" trigger has passed, I'd suggest that you back-fill the past
several months as well...
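
An added example, not part of the original posts: one way to apply a content-based definition of "executable" that does not rely on the Subject: line or the file extension, and that also looks inside a message delivered as a complete attachment to a bounce. The sample messages, addresses and file names are constructed, and the extension list is an assumption, not an exhaustive one.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed, non-exhaustive set of extensions Windows runs directly.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl", ".lnk"}

def findings(raw: bytes) -> list:
    """Return (filename, reason) for each executable-looking leaf part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():            # walk() also descends into message/rfc822
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":          # DOS/PE header, whatever the file is called
            hits.append((name, "MZ header"))
        elif os.path.splitext(name.strip().lower())[1] in RISKY_EXT:
            hits.append((name, "extension"))
    return hits

def verdict(raw: bytes) -> str:
    # Quarantine rather than delete, so a false positive stays recoverable.
    return "quarantine" if findings(raw) else "deliver"

def build_samples() -> dict:
    """Constructed test messages; all addresses, subjects and names are made up."""
    inner = EmailMessage()
    inner["Subject"] = "Latest Security Update"
    inner.set_content("Run the attached file.")
    inner.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                         subtype="octet-stream", filename="update.dat")
    bounce = EmailMessage()
    bounce["From"] = "postmaster@mail.example"
    bounce["Subject"] = "Delivery Status Notification (Failure)"
    bounce.set_content("Your message could not be delivered.")
    bounce.add_attachment(inner)       # original mail as a complete attachment
    legit = EmailMessage()
    legit["Subject"] = "Security update notes for December"
    legit.set_content("Minutes attached.")
    legit.add_attachment("agenda text", filename="agenda.txt")
    return {"bounce": bounce.as_bytes(), "legit": legit.as_bytes()}

if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, verdict(raw), findings(raw))
```

The bounce is caught by the header bytes of the nested attachment even though its own Subject: line and the attachment's `.dat` name give nothing away, while the legitimate message with "Security update" in its Subject: line is delivered.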
 
Rev. Roger
Is there, anywhere out there, a comprehensive list of the Subject lines or
the From lines that this beast uses. I now have 175 filters going and I am
still getting 4 - 6 messages every few hours.

A radical approach would be to simply block/delete any message that does
not have your email address in the "To:" field.

Careful: this will also nuke messages BCCed to you and probably cause
problems if you subscribe to mailing lists. Personally I found that it
blocks Swen very effectively; you can define additional filters to spare
mailing list contributions. As a nice side effect it will also reduce
the amount of spam. If you don't use mailing lists and nobody ever BCCs
you then it's worth trying out. You have been warned though. :-)
 
"Jeroen" <[email protected]> to me:

He asked for a list of subjectlines, that's what I directed him to.

That's cool and I was not "criticizing" your response.

I was criticizing the thinking on the part of the OP that (simple) Subject:
line filtering might even be tenable. Because you had already responded
I chose to reply to your message, pointing out that whilst correct, it was
not actually "helpful" in the sense the OP might have imagined.

ISPs that filter out viruses are few and far between, at least in my
region. A different mail client would not be rather drastic and, same as
AV software, does the filtering after the mail has been downloaded.

Even better would be a dedicated mail filter, like MailWasher, that also
deletes the unwanted mail on the server, without downloading it.

Indeed.

And there are services that can clear your Email from multiple POP3 and
IMAP accounts across multiple servers, filter it and then all you have to
do is remove your Email client's multi-account configuration and point it
at the one account on that service's mail server (though you may wish to
retain the ability to post as multiple "personalities" so then
exactly what you would have to do would depend on how your Email client
handles such matters...).
Before you criticise somebody's help or advice, you'd better make sure yours
is 100%. ...

It did and it was.
... It's too easy to criticise.

And I know that as I am an expert critic, both just for the sake of it and
when I have expert views and opinions worth sharing...

Perhaps you should take your own advice before responding to your betters
next time?
 
Why doesn't someone come up with a filter for Outlook that simply deletes the
whole Email if it is infected rather than just the attachment (maybe even
from the server as well). Problem solved mailbox healthy once more :))

Ahhh I wish I had gone into programming, I could have made a mint on this
;/


The only thing that frustrates me is frustration.
 
Rev. Roger @dsl.pipex.com> said:
Why doesn't someone come up with a filter for Outlook that simply deletes the
whole Email if it is infected rather than just the attachment (maybe even
from the server as well). Problem solved mailbox healthy once more :))

Ahhh I wish I had gone into programming, I could have made a mint on this
;/

An excellent idea!

...but your first order of business might be to eliminate that
pesky "false positive detection" problem - and that in itself
could make you a wealthy man.
 
Hmm perhaps I'm a little dumb here but....


If the virus within the attachment is identified (as NAV and most other AV's
identifies them), and this is then used as the filter (attachment has
virus=Delete Email/Virus from server, or at least =don't download) then
there would be few if any instances of "false positive detection"

:0

Or am I just completely off the wall here

btw using the first words from those lists (I don't often get emails from
MS) I am now able to send most of em off to the "Deleted" folder.

The only thing that frustrates me is frustration.
 
If the virus within the attachment is identified (as NAV and most other AV's
identifies them), and this is then used as the filter (attachment has
virus=Delete Email/Virus from server, or at least =don't download) then
there would be few if any instances of "false positive detection"

How is the virus scanner supposed to scan the file, before you download it?
 
Rev. Roger
Hmm perhaps I'm a little dumb here but....


If the virus within the attachment is identified (as NAV and most other AV's
identifies them), and this is then used as the filter (attachment has
virus=Delete Email/Virus from server, or at least =don't download) then
there would be few if any instances of "false positive detection"

:0

Or am I just completely off the wall here

no, you're not completely off the wall... false positives are fairly
well minimized, but they haven't been eliminated... thus automagically
deleting *will* occasionally delete perfectly legitimate emails... and
who do you think would be held accountable if such important legitimate
emails got deleted? the av vendor of course, because in spite of
knowing full well their detection was imperfect they acted on the
results as though the detection was perfect...
 
Rev. Roger @dsl.pipex.com> said:
Hmm perhaps I'm a little dumb here but....


If the virus within the attachment is identified (as NAV and most other AV's
identifies them), and this is then used as the filter (attachment has
virus=Delete Email/Virus from server, or at least =don't download) then
there would be few if any instances of "false positive detection"

:0

Or am I just completely off the wall here

Although not the norm these days, there are viruses that attach their
newly infected executable to a legitimate e-mail that the "current victim"
did or does intend to send. What you propose is called "throwing out
the baby with the bathwater" in that a legitimate e-mail has been deleted
by an AV program. Also, false positive detections do happen. In at least
one case, an innocuous phrase ('Eddie lives...somewhere in time!') is maybe
legitimately detected as a virus' payload damaged file. What if the program
trashes a legitimate e-mail that was important to someone because the AV
program found enough reasons to think it malicious?
btw using the first words from those lists (I don't often get emails from
MS) I am now able to send most of em off to the "Deleted" folder.

The deleted folder is okay, because things are still user retrievable. If
the program actually deletes things, it is much harder to recover them
if needed.

I'm not knocking your idea, but the real focus would have to be
on a more acceptable (100% will suffice) lack of false positive
detections.
 