Swen emails are missing the Date: header line! Might be a new insight into how to filter that stuff

Mike

Hi,

This just jumped out at me. From time to time I check the old Swen
messages again and again, looking for clues.

As we all know, the id-10-t who wrote it incorporated an SMTP
client.
That client sends to port 25 of whatever SMTP server is
configured on the host where the worm unfolds.

That's how it controls the couple-of-letters-only fake host ID.

The idiot forgot the Date: header in his fake header.

All Swen messages are missing it; well, it's the identical binary
everywhere.

How did I find out?

A /warning: date header inserted by..../ was added after the Swen
lines by some mail servers (after means 'above' the last Swen header
line in the header line sequence).

I checked all mails in all mailboxes on all our systems:
All have a Date: header, except Swen emails.

This omission should now enable everyone to kill that stuff.

Can anyone find 'honest' emails that are missing Date: headers?

Maybe some spam doesn't have one either?

Mike
Sneezy

Mike said:
Hi,

This just jumped out at me. From time to time I check the old Swen
messages again and again, looking for clues.

As we all know, the id-10-t who wrote it incorporated an SMTP
client.
That client sends to port 25 of whatever SMTP server is
configured on the host where the worm unfolds.

That's how it controls the couple-of-letters-only fake host ID.

The idiot forgot the Date: header in his fake header.

All Swen messages are missing it; well, it's the identical binary
everywhere.

How did I find out?

A /warning: date header inserted by..../ was added after the Swen
lines by some mail servers (after means 'above' the last Swen header
line in the header line sequence).

I checked all mails in all mailboxes on all our systems:
All have a Date: header, except Swen emails.

This omission should now enable everyone to kill that stuff.

Can anyone find 'honest' emails that are missing Date: headers?

Maybe some spam doesn't have one either?

I've noticed that SpamPal's regexFilter plugin appears to catch most virus-laden
emails. I had a quick look and it does check dates:

-DATE: 59.4 {(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s*,\s*)?(?:[1-9]|[12][0-9]|3[01])\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(?:\d{2,4})\s+\d\d:\d\d(?::\d\d)?\s+\"?(?:[+-]0\d\d\d|[+-]1[0-3]\d\d|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT)\"?} [INVALID_DATE Invalid Date: header (not RFC 2822)]
DATE: 444.0 {[-+](?:1[4-9]\d\d|[2-9]\d\d\d)$} [INVALID_DATE_TZ_ABSURD Invalid Date: header (timezone does not exist)]
DATE: 430.0 {[nbrylgptvc]\s+0\d\d\d(?:\s|$)} [DATE_YEAR_ZERO_FIRST Invalid Date: year begins with zero]
-HEADER: 147.2 "Date" [DATE_MISSING Missing Date: header]

I also added a regex for attachments renamed by ZA Pro, just to make
certain.

john
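As an added example (not from the thread, and not SpamPal's own code), here is a small Python checker that applies the same four tests to raw messages: a missing Date: header (the Swen signature Mike describes), a Date: that does not fit the RFC 2822 shape, an impossible timezone offset, and a year beginning with zero. The regexes are adapted from John's rules above; the sample messages are constructed.

```python
import re
from email import message_from_string

# Patterns adapted from the SpamPal regexFilter rules quoted above (unanchored,
# like the originals). The Date: value is matched after whitespace is stripped.
RFC2822_DATE = re.compile(
    r"(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s*,\s*)?(?:[1-9]|[12][0-9]|3[01])\s+"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{2,4}\s+"
    r"\d\d:\d\d(?::\d\d)?\s+\"?(?:[+-]0\d\d\d|[+-]1[0-3]\d\d"
    r"|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT)\"?"
)
# Numeric offsets beyond +/-13xx do not exist.
ABSURD_TZ = re.compile(r"[-+](?:1[4-9]\d\d|[2-9]\d\d\d)$")
# Last letter of a month name, then a year starting with 0 (e.g. "Sep 0103").
YEAR_ZERO = re.compile(r"[nbrylgptvc]\s+0\d\d\d(?:\s|$)")


def date_header_findings(raw_message: str) -> list[str]:
    """Return the names of the Date: rules that fire for one raw message."""
    msg = message_from_string(raw_message)
    date = msg.get("Date")          # header lookup is case-insensitive
    if date is None:
        return ["DATE_MISSING"]     # the Swen signature discussed in the thread
    date = date.strip()
    hits = []
    if not RFC2822_DATE.search(date):
        hits.append("INVALID_DATE")
    if ABSURD_TZ.search(date):
        hits.append("INVALID_DATE_TZ_ABSURD")
    if YEAR_ZERO.search(date):
        hits.append("DATE_YEAR_ZERO_FIRST")
    return hits


# Constructed sample messages (not real captures): a Swen-style message with no
# Date:, a normal one, one with an impossible offset, and one with year 0103.
SAMPLES = {
    "swen_like": "From: a@example.invalid\nSubject: Update\n\nbody\n",
    "normal":    "From: b@example.invalid\nDate: Fri, 19 Sep 2003 08:14:22 +0200\n\nbody\n",
    "absurd_tz": "From: c@example.invalid\nDate: Fri, 19 Sep 2003 08:14:22 +2500\n\nbody\n",
    "year_zero": "From: d@example.invalid\nDate: 19 Sep 0103 08:14:22 GMT\n\nbody\n",
}


def scan_samples() -> dict[str, list[str]]:
    """Run every sample through the checker; keys are sample names."""
    return {name: date_header_findings(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:10s} -> {hits or ['ok']}")
```

Once an MTA has added its own Date: (the "warning: date header inserted by..." case Mike mentions), the header is present, so the missing-header test only works at the first hop that sees the message.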
me

Mike said:
Hi,

This just jumped out at me. From time to time I check the old Swen
messages again and again, looking for clues.

As we all know, the id-10-t who wrote it incorporated an SMTP
client.
That client sends to port 25 of whatever SMTP server is
configured on the host where the worm unfolds.

That's how it controls the couple-of-letters-only fake host ID.

The idiot forgot the Date: header in his fake header.

All Swen messages are missing it; well, it's the identical binary
everywhere.

How did I find out?

A /warning: date header inserted by..../ was added after the Swen
lines by some mail servers (after means 'above' the last Swen header
line in the header line sequence).

I checked all mails in all mailboxes on all our systems:
All have a Date: header, except Swen emails.

This omission should now enable everyone to kill that stuff.

Can anyone find 'honest' emails that are missing Date: headers?

Maybe some spam doesn't have one either?

Mike

Some spams don't have the 'Date:' line. However:
- it's very rare (one percent? less than 1%?)
- I've seen it (no Date:) only on email service with a
proprietary s/w (see my sig)
- I can't prove it :(

J