w32.swen

Ron Bird

I am being bombarded by replies to emails I never sent. NAV 2004 is finding
them and stopping them, but how the f*&k do I stop them coming into my inbox?
It's driving me nuts! If I leave it for a couple of days there are loads.
Please help.

TIA
 
First, never post to Usenet with an addy that is important to you. Use a
throwaway addy. Hotmail can be configured to immediately delete "JUNK"
mail; otherwise the box will always be full. Hotmail does determine SWEN to
be junk, but they deliver anyway. (dumb, huh?) SWEN is NEWS spelled
backward, and that is where the virus gets the addys. You have my sympathy,
I have two boxes that are still being hit. I no longer see them, but they
still pass through.
http://home.comcast.net/~thuxton/mailbox.htm
There are so many variations in the messages that writing a filter to catch
them all is almost impossible. You can delete attachments, or by size, but
SWEN lies a lot (0kb size, etc), plus from lines are bogus. Be careful.

Pepperoni
 
On that special day, Ron Bird, ([email protected]) said...

> I am being bombarded by replies to emails I never sent.

Are these "replies" bounces ("Sorry, the message could not be
delivered")? Are they genuine or fake (Swen sends out faked "bounces",
which in fact aren't, but are meant to transport the worm onto your machine)?

> NAV 2004 is finding
> them and stopping them,

Is it also telling the name of the worm? Is it only one kind, or are
there several of them?
> but how the f*&k do I stop them coming into my inbox
> it's driving me nuts!

Find the ISP of the sender, and inform the abuse team of the ISP.

Don't trust in the "sender" address, the entry in the "From" field is
faked 99.9% of the time. Worms started faking senders two years ago,
and all worms do it by now.

If you are using Outlook Express (as the header of your message
implies), use the Ctrl-F3 combination to display the header information.
Therein you should find a fourpartite number with dots in between, and
in (preferably square) brackets. This IP number is the only piece of
information that is too difficult to fake in a mail connection dialog.

Insert this very number in

http://www.fr2.cyberabuse.org/whois/?page=whois_server

and read the results. There should be an abuse address given. Forward
the worm mail, *without* attachment, to the ISP abuse service
identified, and tell them to contact their customer and stop the worm
sending.

In the case of Swen and MyDoom, an address with "spam" inside (it may be
valid), will help. Mine is keeping these worms away.


Gabriele Neukam

(e-mail address removed)
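The header check described in the reply above, as an added example that is not part of the original thread: it parses a constructed Swen-style message, ignores the forged From line, and pulls the bracketed IP out of each Received header, trusting only the topmost one (the line your own mail server added when the sending host connected). The whois lookup and abuse report are then done by hand with that address; the sample headers and addresses are constructed, not taken from a real worm mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture). The From header is forged,
# as the reply above warns; the topmost Received line was added by our own
# server, so the IP it records is the host that actually connected to us.
SAMPLE_MAIL = """\
Received: from relay.example.org ([198.51.100.23]) by mx.localisp.example
    with SMTP id abc123; Mon, 22 Sep 2003 10:15:02 +0000
Received: from unknown (HELO mail.example.com) (10.0.0.5) by relay.example.org
    with SMTP; Mon, 22 Sep 2003 10:14:55 +0000
From: "Mail Delivery System" <postmaster@example.com>
To: victim@example.net
Subject: Undeliverable Mail
Content-Type: text/plain

Your message could not be delivered. See attachment.
"""

# Only an IPv4 address written in square brackets, e.g. [198.51.100.23]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw_mail):
    """Bracketed IP from each Received header, topmost first; None where a
    header carries no bracketed address (parenthesised ones are ignored)."""
    msg = message_from_string(raw_mail)
    ips = []
    for header in msg.get_all("Received", []):
        match = BRACKETED_IPV4.search(header)
        ips.append(match.group(1) if match else None)
    return ips

def connecting_ip(raw_mail):
    """IP from the topmost Received header: the one worth reporting to the
    abuse desk. Lower Received lines may have been written by the worm."""
    ips = received_ips(raw_mail)
    return ips[0] if ips else None

def claimed_sender(raw_mail):
    """The From address, kept only to show that it must not be reported."""
    return parseaddr(message_from_string(raw_mail)["From"])[1]

if __name__ == "__main__":
    print("forged From:", claimed_sender(SAMPLE_MAIL))
    print("report this IP:", connecting_ip(SAMPLE_MAIL))
```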
 