SWEN Worm SPAMmer...

Thread starter: Richard Kellerman

Richard Kellerman

I just got another one this morn from IOL.PT/KPNQWEST.PT. Is there anyway
to stop him or the Worm? W/o adding every damn European/Asian server to the
RBL or something, is there something I'm overlooking?
 
I remember when I used to get hit by this. Set up some email filters and try
filtering it out. You will still get the email, however, but it'll be quick and
easy to delete.
 
Quoth the raven Richard Kellerman:
I just got another one this morn from IOL.PT/KPNQWEST.PT. Is there anyway
to stop him or the Worm? W/o adding every damn European/Asian server to the
RBL or something,

Or every US or European or Australian or ... server as well.
is there something I'm overlooking?

Didn't you see my response to your other post? As long as you post
your email address in USENET in the clear - unmunged - you will get
Swens. Swen spelled backwards is News. Newsgroups. Swen harvests
target addresses from Usenet.

Change your address for posting to something like:
(e-mail address removed)
and if you really want email from strangers, put unmunging
instructions in your sig.
 
I just got another one this morn from IOL.PT/KPNQWEST.PT. Is there anyway

Is that based on a lookup of the ip address in the received header, or the forged
from address?
to stop him or the Worm? W/o adding every damn European/Asian server to the
RBL or something, is there something I'm overlooking?

Now that your email address is publicly available in usenet, you will continue
to get swen. If you start munging your address now, the swen will still flow, until
all of the messages you've posted have aged off of the servers being used by the
infected computers.

Munge your email address in usenet starting now!

If you run a google groups search on "swen filter", you'll find lots of messages, starting
back in September, when swen first hit. You can use a program like mailwasher to
delete the messages from the server, after downloading just the headers. You may want
to consider changing your email address, and only post using a munged version of
the new address.

If you're only getting a few copies, you can try running a lookup on the senders ip
address, and reporting the virus emails to the senders isp, but don't be surprised if
they're slow to actually get their customer to clean the computer.

Welcome to usenet<g>.

Regards, Dave Hodgins
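Dave's advice above is to look up the sender's IP rather than the forged From: address. The following is an added example, not code from anyone in this thread, showing how to pull that IP out of the Received: chain of a constructed Swen-style message; the relay names, the trusted-relay IP and the message itself are all made up for the demonstration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the shape the thread describes: the From: line is forged,
# while the Received: chain (newest hop first) records the real connecting IP.
# 192.0.2.10 plays the role of the recipient's own relay; 198.51.100.23 stands
# in for the infected machine's ISP-assigned address.
SAMPLE = """\
Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])
\tby mx.example.invalid with ESMTP; Sat, 31 Jul 2004 13:38:25 -0400
Received: from unknown (HELO pc) ([198.51.100.23])
\tby relay.example.invalid with SMTP; Sat, 31 Jul 2004 13:37:50 -0400
From: "Some Victim" <victim@example.invalid>
To: you@example.invalid
Subject: constructed Swen-style sample

(body omitted)
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def forged_sender(raw):
    """The From: address; with Swen it only tells you whose address was harvested."""
    return parseaddr(message_from_string(raw).get("From", ""))[1]


def originating_ip(raw, trusted_relays):
    """Walk Received: headers top-down (hops added by our own relays come first)
    and return the first peer IP that is not one of ours. Lower Received: lines
    could have been forged by that peer, so stop at the first untrusted hop."""
    msg = message_from_string(raw)
    for header in msg.get_all("Received", []):
        for candidate in IP_IN_BRACKETS.findall(header):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not a syntactically valid IPv4 address
            if str(ip) not in trusted_relays:
                return str(ip)
    return None  # no Received: line from an untrusted hop


if __name__ == "__main__":
    print("forged From:", forged_sender(SAMPLE))
    print("report this IP:", originating_ip(SAMPLE, {"192.0.2.10"}))
```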
 
Richard Kellerman said:
I just got another one this morn from IOL.PT/KPNQWEST.PT. Is there anyway
to stop him or the Worm? W/o adding every damn European/Asian server to the
RBL or something, is there something I'm overlooking?

Only that the Swen worm is not a 'him' at all, but rather a 'them,' in
the sense that what you receive is the result of many unrelated entities
who are past the Clark point[1]. That group includes multiple infected
fools, multiple ISP's who allow the Swen mail to pass through their mail
servers, and Microsoft for making the whole thing possible with their
astoundingly misdesigned and miscoded operating systems, mail clients,
and related libraries. Your ISP might also be argued to belong on that
list if they have reason to believe that they are accepting mail (and
Swen) for customers running Windows unsafely.

It is also important to understand that this is not now and never has
been a strictly European issue: US, Canadian, and Asian mail servers
have also offered me Swen this week. For some reason recently I have
also seen more new Swen sources in Europe than elsewhere, but the US
sources are still doing most of the pounding. I should note that as of
this morning I have 206 /24 networks and another 1081 individual
addresses on my local blacklist specifically as a result of Swen
traffic.

[1] From the observation that sufficiently advanced cluelessness is
indistinguishable from malice, which seems to have been first stated by
J. Porter Clark in a Usenet post discussing MMF spam.
 
Beauregard T. Shagnasty said:
Quoth the raven Richard Kellerman:


Or every US or European or Australian or ... server as well.

Not all servers. Servers managed by incompetents. There's no excuse for
emitting Swen other than carelessness/stupidity.
Didn't you see my response to your other post? As long as you post
your email address in USENET in the clear - unmunged - you will get
Swens. Swen spelled backwards is News. Newsgroups. Swen harvests
target addresses from Usenet.

Yes, it does. Ironically, it scrapes addresses from
news.admin.net-abuse.email (among other groups.)
Change your address for posting to something like:
(e-mail address removed)
and if you really want email from strangers, put unmunging
instructions in your sig.

And IF one chooses to do that, doing it as you advise and practice is
the right way: use a definitively, permanently, and globally invalid TLD
for the domain name. Using .invalid is best as it is the only string
that one can be really sure of. It is a very bad idea to use any domain
name that could exist someday, and particularly rude and abusive to use
a domain that does exist but you don't own.
 
Quoth the raven Bill Cole:
Not all servers. Servers managed by incompetents. There's no excuse
for emitting Swen other than carelessness/stupidity.

Of course. I was referring to the "countries" rather than individual
servers, as was the OP, or so it seemed. (And I mistakenly repeated
... It is a very bad idea to use any domain name that could exist
someday, and particularly rude and abusive to use a domain that
does exist but you don't own.

We see so many munges that say "spam.com" or "nospam.com". Hormel
really appreciates that.
 
How do u mung your email address using outlook express then. I got hit bad
when swen come out first. I'd like to mung me email addy but no idea what to
do.
Regards Mat
 
Quoth the raven Keanu Reeves:
How do u mung your email address using outlook express then. I got hit bad
when swen come out first. I'd like to mung me email addy but no idea what to
do.
Regards Mat

Tools > Accounts > News tab
Pick your account, click Properties
On the first tab, change your email address to:
(e-mail address removed)
 
Do any news servers still process the Supersedes header?

Regards, Dave Hodgins

------- Forwarded message -------
From: "David W. Hodgins" <dhodgin1661@munge>
To: (e-mail address removed), (e-mail address removed)
Subject: Fwd: 213.47.162.254 using bot to replace usenet postings with forged messages
Date: Sun, 01 Aug 2004 08:04:46 -0400

The appended message shows one of the messages posted as a replacement to a
real message, forging the senders email address, in this case, my munged usenet
address.

Note the use of the supersedes header, to try and get news servers to try
and replace the real message.

The volume is small, so far, and I'm not aware of any news servers that still
process the Supersedes header.

Please block internet access from the ip 213.47.162.254 until the owner has
either agreed to stop abusing usenet, or removed whatever trojan is allowing
their computer to be used for such abuse.

<snip copy of message, for post to alt.comp.anti-virus>
 
In news.admin.net-abuse.email - article <bill-204010.13382531072004
@fireproof.scconsult.com>, on Sat, 31 Jul 2004 13:38:25 -0400, Bill
Cole says...
And IF one chooses to do that, doing it as you advise and practice is
the right way: use a definitively, permanently, and globally invalid TLD
for the domain name. Using .invalid is best as it is the only string
that one can be really sure of. It is a very bad idea to use any domain
name that could exist someday, and particularly rude and abusive to use
a domain that does exist but you don't own.

.invalid is also recommended in this context
http://www.rfc-editor.org/rfc/rfc2606.txt

'".invalid" is intended for use in online construction of domain
names that are sure to be invalid and which it is obvious at a
glance are invalid.'

"IANA has agreed to the four top level domain name reservations
specified in this document and will reserve them for the uses
indicated." Referring to .test , .example , .invalid , .localhost
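Bill Cole's rule above (munge with a TLD that can never exist) and the RFC 2606 quote can be checked mechanically. This is an added example, not code from the thread or from the RFC: it classifies a posting address against the RFC 2606 reservations and, as one assumed convention, munges by appending .invalid to the real domain so that readers can unmunge by dropping it. All sample addresses are constructed.

```python
from email.utils import parseaddr

# RFC 2606 reservations: the four TLDs quoted in the thread, plus the three
# second-level domains the same RFC reserves for documentation.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
MUNGE_SUFFIX = ".invalid"  # assumed convention: real domain + .invalid


def _domain_of(addr):
    """Lower-cased domain of a bare or display-name address, or None if absent."""
    email_addr = parseaddr(addr)[1]
    if email_addr.count("@") != 1:
        return None
    domain = email_addr.split("@")[1].lower().rstrip(".")
    if not domain or "" in domain.split("."):
        return None
    return domain


def classify_munge(addr):
    """'reserved'   : the domain can never resolve, so the munge is safe;
       'unreserved' : the domain could belong to someone (the spam.com and
                      nospam.com cases mentioned in the thread);
       'malformed'  : not an address at all."""
    domain = _domain_of(addr)
    if domain is None:
        return "malformed"
    if domain.split(".")[-1] in RESERVED_TLDS or domain in RESERVED_DOMAINS:
        return "reserved"
    return "unreserved"


def munge(addr):
    """Append .invalid to the real domain; the result is guaranteed not to resolve."""
    email_addr = parseaddr(addr)[1]
    if _domain_of(email_addr) is None:
        raise ValueError("not an e-mail address: %r" % addr)
    return email_addr + MUNGE_SUFFIX


def unmunge(addr):
    """Reverse munge(); an address not munged this way is returned unchanged."""
    if addr.lower().endswith(MUNGE_SUFFIX):
        return addr[: -len(MUNGE_SUFFIX)]
    return addr


if __name__ == "__main__":
    for sample in ("bob@nospam.com", "Bob <bob@somewhere.invalid>", "bob@example.org"):
        print(sample, "->", classify_munge(sample))
    print(munge("bob@mail.isp.example"), "->", unmunge(munge("bob@mail.isp.example")))
```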
 
On that special day, David W. Hodgins, (e-mail address removed)
said...
Do any news servers still process the Supersedes header?

Yes, and to my knowledge, it is seen as something quite ok, as posters
might want to correct themselves.

In this case, the problem is, that the supersede wasn't sent by the
original authors but somebody in Austria. I contacted Chello and asked
them to investigate, but am not sure whether this will be much
effective, because all Chello is said to react quite sluggishly.


Gabriele Neukam

(e-mail address removed)
 