virus attack

Thread starter: Victor D

Victor D

I am getting lots of phoney Microsoft security patch e-mails and weird,
nonsensical addresses. Does anybody know how to stop that stuff? Which
real MS patch do I need? Or which anti-virus patch? Thanks in advance.
 
Every anti-virus program should have updates that can catch the Swen virus, but some don't purge the message after the virus payload has been deleted.
--
Sue Mosher, Outlook MVP
Outlook and Exchange solutions at http://www.slipstick.com
Author of
Microsoft Outlook Programming: Jumpstart
for Administrators, Power Users, and Developers
 
I am getting lots of phoney Microsoft security patch e-mails and weird,
nonsensical addresses. Does anybody know how to stop that stuff? Which
real MS patch do I need? Or which anti-virus patch? Thanks in advance.

Snipped from a post from microsoft.public.security.public by Phil
Weldon. It's very long.

You evidently used your real e-mail address as an identity
when posting your message. The 'swen' worm is sending you those false
security messages. One way the 'swen' worm gets e-mail addresses is
by harvesting them from Usenet news servers. Stop using your
undisguised e-mail address. You will find directions for doing that
in the information below.

The 'swen' worm and its effects, particularly on users with uninfected
machines

The flood of e-mail ('swen-mail') is being generated by the 'swen' worm.
Locally, there is not much you can do to stop the flood. Below you
will find a discussion of the effects of the 'swen' worm and ways you
can handle the flood you are getting, even though your machine may not
be infected, and may be well protected.



Only your ISP can stop the flood of 'swen'-generated e-mail, by
scanning all e-mail for virus infection.

Until your ISP or e-mail service begins to scan all e-mail for virus
infection, you can use a filter and a program that allows partial
downloading of e-mail messages (Veronica Loell posts information
about these filters quite often; the information is also available at
http://nakawe.sf.net/MMM3.)

Symantec, the publisher of Norton AntiVirus, has a description of the
worm, how to remove it, and removal tools at
http://www.symantec.com/avcenter/venc/data/[email protected] . Other
publishers of antivirus programs have similar webpages. Note well,
removing this worm after your system has been infected is not a simple
task.

The 'swen' worm can harvest e-mail addresses from newsgroup postings,
so it is very important to disguise your e-mail identity when posting
to Usenet newsgroups (like microsoft.public.security.virus and tens of
thousands of other active newsgroups).

"The worm also can search for e-mail addresses in various newsgroups.
It connects to NNTP servers listed in the SWEN1.DAT file, gets a list
of all newsgroups on that server and searches recent messages in these
newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are
found, the worm gets the e-mail addresses after them and writes them to
the GERMS0.DBV file. This way the worm can harvest a lot of e-mail
addresses to send itself to." (From F-Secure,
http://www.f-secure.com/v-descs/swen.shtml )

You can find out how to munge your e-mail address at
http://www.mailmsg.com/SPAM_munging.htm .

This worm has two main effects, and some secondary effects.

I. Main effects

A. It infects vulnerable systems and networks.

B. It generates a FLOOD of infected e-mail that is sent to
e-mail addresses it harvests from infected machines and networks. These
infected e-mails are of two types:

1. An HTML message that looks like a legitimate Microsoft
Security Bulletin; the hotlinks in this message are valid Microsoft
links, and will even lead you to a description that will allow you to
identify this e-mail as bogus. The message has an attached 104 KByte
file that contains the worm. If you don't have all appropriate
Microsoft security patches and Service Packs installed, it may be
possible for your system to be infected
EVEN IF YOU DON'T OPEN THE MESSAGE. So far, the body of this message
is always the same, though the Subject and From lines differ widely.
This message, so far, can easily be blocked by detecting the string
'Run attached file' in the body (in fact, it would be good practice
to consider ANY e-mail that contains this string AND has an attachment
very, very likely to carry an infection).

2. A plain text message that purports to be a notification
of an 'Undeliverable e-mail', with an attachment that purports to be a
copy of the undeliverable e-mail. This attached file is 104 KBytes
long and contains the worm. The Subject line, From line, and body
present in thousands of combinations, and probably will continue to
mutate. Even worse, real e-mail addresses harvested from infected
systems and networks, and from Usenet newsgroup posts are tagged onto
this type of message, causing one of the secondary effects.

II. Secondary effects
A. Spam effect
1. Mailboxes with an e-mail address that has been harvested
from infected systems, networks and Usenet newsgroup postings begin to
be flooded with infected e-mail.
[Personal example: my machines are not infected, but this worm began
to flood my mailbox 17SEP03. I now receive more than 1500 infected
e-mail messages per day. I must empty my mailbox every 5 minutes,
24/7 to avoid the possibility of having legitimate e-mail bounced. I
had to install an application just to segregate the cleaned,
previously infected e-mail from legitimate e-mail (standard spam
blockers can't do this.) There are filters and programs that can
identify this 'swen-mail' and that require downloading only a portion
of an e-mail message to allow discarding or keeping it based on
whether it is 'swen-mail' or not. However, you still must arrange to
do this operation often enough to keep your mailbox from overflowing
past the general 10 MByte limit and bouncing subsequent e-mail. About
80 'swen-mail' messages take up 10 MBytes of storage. If you get 500
'swen-mail' messages per day, that means checking and clearing your
mailbox at least every four hours, 24/7, to ensure that no valid
e-mail messages are bounced.]
B. Notifications from mail services that DO scan for infected
messages, but unfortunately do not realize that the e-mail addresses
given for the sender are either bogus or e-mail addresses harvested by
the worm.
Thus, completely innocent mailboxes have insult added to injury.

****

What can you do locally as an individual (i.e. in a Small Office/Home Office
environment, and/or as a recreational user)?
#1. You can use a remote virus scan from one of the antivirus program
publishers
THEN
#2. You can remove any infections discovered
THEN
#3. You install a good antivirus program, keep it active, keep the
virus definitions up-to-date (at the moment you should update these
definitions EVERY day), and set to scan all incoming e-mails and
downloads.
THEN
#4. You can install all appropriate Microsoft security patches and
Service Packs.
THEN
#5. You can consider additional security (DHCP server, firewall,
boric acid [for roaches], .....)

If you begin to be flooded with these infected messages, COMPLAIN to
your ISP; send them this URL
http://xtra.co.nz/products/0,,8969,00.html of an ISP that scans
incoming e-mail before passing it to a mailbox. Ask for an increased
mailbox size (if you are getting 1500 of these infected e-mails per
day, you will need a mailbox size over 150 MBytes just to avoid the
necessity of completely emptying it EVERY DAY). Ask about the implicit
duty of the ISP to provide reliable e-mail service, and if they have
received notification of any pending class actions you might join.
Ask if they will unbundle their services so you can opt out of e-mail
service and save that cost. That's about
all you can do about the e-mail flood; only your ISP or other e-mail
provider can come close to solving this problem.

When the e-mail flood becomes too painful, find an ISP or other e-mail
provider that DOES scan and discard infected e-mail before passing it
to your mailbox, and then change to that ISP and/or e-mail provider.
Changing your e-mail address is no solution; as soon as your new
e-mail address is harvested from an infected system or network, the
problem starts again.



In the meantime you can use a filter and a program that allows partial
downloading of e-mail messages (Veronica Loell posts information about
these filters quite often; the information is also available at
http://nakawe.sf.net/MMM3 .)

When a mailserver is scanning and not just deleting infected e-mail, but is
also sending an e-mail to notify the sender, write the administrator a nasty
note asking them to stop sending these notices.

****
That's about it; you can proof your system against infection, but only
changes at the mailserver level can stop reception of a flood of infected
e-mails and increasing numbers of inappropriate notices that you've sent
infected e-mail from arriving in your mailbox.


hth
jbrown
brownbearat@canadadotcom
remove the at and the dot and the mail will come ;)
o did i say put in a .
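The two detection rules given in the post above (the 'Run attached file' string combined with an attachment, and an 'undeliverable' notice carrying a roughly 104 KByte attachment), together with the mailbox-purge arithmetic from the secondary-effects section, written out as an added Python example. This is not code from the thread, from Phil Weldon, or from any antivirus vendor: the sample messages, the sender addresses, and the 8 KB tolerance around the attachment size are constructed for the demonstration. Messages with no attachment are deliberately left alone, which keeps a scanner's text-only "you sent a virus" notice from being mistaken for the worm itself.

```python
# Added example (not part of the thread): heuristic filter for the two
# 'swen-mail' forms described in the post, plus the mailbox-purge arithmetic.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SWEN_ATTACHMENT_KB = 104           # attachment size reported in the thread
SIZE_TOLERANCE_KB = 8              # assumed slack around that size (constructed)
BODY_MARKER = "run attached file"  # string the thread suggests blocking on


def attachments(msg):
    """Return (filename, decoded size in bytes) for each attachment part."""
    out = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        out.append((part.get_filename() or "", len(payload)))
    return out


def body_text(msg):
    """Lower-cased text of every text/* part that is not itself an attachment."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            chunks.append(part.get_content())
    return " ".join(chunks).lower()


def classify(msg):
    """Return 'swen-bulletin', 'swen-bounce' or 'ok' for a parsed message.

    Form 1 (fake Microsoft bulletin): body contains the marker AND there is
    an attachment.  Form 2 (fake undeliverable notice): bounce wording AND an
    attachment close to the worm's 104 KB.  No attachment means no verdict.
    """
    atts = attachments(msg)
    if not atts:
        return "ok"
    text = body_text(msg)
    if BODY_MARKER in text:
        return "swen-bulletin"
    subject = str(msg.get("subject", "")).lower()
    looks_like_bounce = "undeliverable" in subject or "undeliverable" in text
    near_worm_size = any(abs(size / 1024 - SWEN_ATTACHMENT_KB) <= SIZE_TOLERANCE_KB
                         for _, size in atts)
    if looks_like_bounce and near_worm_size:
        return "swen-bounce"
    return "ok"


def hours_between_purges(msgs_per_day, mailbox_mb=10, msgs_per_10mb=80):
    """How often a mailbox must be emptied to stay under quota, using the
    thread's figures: about 80 swen-mails per 10 MBytes, 10 MByte quota."""
    mb_per_msg = 10 / msgs_per_10mb
    return 24 * mailbox_mb / (msgs_per_day * mb_per_msg)


def build_message(subject, body, attachment=None, html=False):
    """Construct a sample message and round-trip it through the parser so the
    classifier sees what a mail client would.  Sample data only."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "constructed-sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    if html:
        msg.set_content("plain-text fallback")
        msg.add_alternative(body, subtype="html")
    else:
        msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="attached.bin")
    return BytesParser(policy=policy.default).parsebytes(msg.as_bytes())


def samples():
    """Constructed messages covering both worm forms and two benign cases."""
    worm = b"\x00" * (SWEN_ATTACHMENT_KB * 1024)  # stand-in for the 104 KB payload
    return {
        "bulletin": build_message(
            "Latest Microsoft Security Patch",
            "<html><body><p>Run attached file to install the update.</p></body></html>",
            attachment=worm, html=True),
        "bounce": build_message(
            "Undeliverable mail: returned to sender",
            "Your message could not be delivered. The original is attached.",
            attachment=worm),
        "real_bounce": build_message(
            "Undeliverable: quarterly report",
            "Mailbox full. Original message attached.",
            attachment=b"Original headers and a few lines of text " * 40),
        "no_attachment": build_message(
            "Re: run attached file?",
            "I never run attached files from strangers, and neither should you."),
    }


def classify_all():
    """Verdict for every sample, keyed by sample name."""
    return {name: classify(msg) for name, msg in samples().items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:14s} -> {verdict}")
    print(f"500 swen-mails/day: purge every {hours_between_purges(500):.2f} h")
```

The size check is what separates a genuine bounce that quotes the original message from the worm's fake one; dropping it and filtering on the word "undeliverable" alone would discard real delivery failures along with the flood.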
 