SWEN virus. - Linux Setup, Configuration & Administration

  1. #1

    Default Re: SWEN virus.

    "Shashank Khanvilkar" <ece.uic.edu> wrote in
    news:boon2m$7oo$cc.uic.edu:
     

    Use a mail client that only downloads the headers, then allows you to
    delete the mail from the server without downloading the body and
    attachments, if any.

    I doubt you will be able to stop the mail from being sent to your email
    server but you can stop it from being sent from your server to you.

    And like the other response said, get your mail provider to use a virus
    filter acceptable to you.


    Mark Guest

  2. #2

    Default SWEN virus.

    Hi,

    I am receiving these annoying mails containing the Swen virus. My PC is not
    infected with it, and I don't even know where it is coming from. I could
    set up filters, but I was more concerned about the BW that it eats up when I
    download my mails from the server on a dial-up connection.

    Is there any way in which I can configure my SMTP server to stop receiving
    mails that contain this virus?
    How do I attack this problem?



    --
    Regards
    Shashank
    http://mia.ece.uic.edu/~papers


    Shashank Guest

  3. #3

    Default Re: SWEN virus.

    "Shashank Khanvilkar" <ece.uic.edu> wrote in
    news:boon2m$7oo$cc.uic.edu:
     
    Do you have administrative access to the server? If not, contact your ISP,
    and give them hell for not using anti-virus software on their server. (And
    if they decide to install such, threaten them with cattle prods if they
    configure it to send a notice to _anyone_ about detecting a virus. Sending
    a notice to the "sender" is a form of abuse, because the only sender they
    can identify at that point is forged.)

    If you do, install anti-virus software.

    --
    Terry Austin
    com
    www.hyperbooks.com
    Roleplaying Stuff
    No Guest

  4. #4

    Default Re: SWEN virus.


    I have administrative access to one of my servers... but the other is
    controlled by someone else.. and unfortunately I am receiving such mails on
    both mail accounts.
     

    I already have SpamAssassin, which is not doing a very good job..
    But that is not of concern, as I may have misconfigured it.

    My real concern is how one can remedy this problem at the root.. Even if I
    install anti-virus software, my server is still receiving those bloody
    emails, wasting a lot of BW. Isn't there any current mechanism built into
    SMTP which will automatically stop relaying messages from the culprit,
    right at the first hop, and if not, what can be done about it?

    All Comments appreciated.




    Shashank Guest

  5. #5

    Default Re: SWEN virus.

    Shashank Khanvilkar wrote:
     
    >> Do you have administrative access to the server? If not, contact your
    >> ISP,
    >
    > I have administrative access to one of my servers... but the other is
    > controlled by someone else.. and unfortunately I am receiving such mails
    > on both mail accounts.
    >
    > I already have SpamAssassin, which is not doing a very good job..
    > But that is not of concern, as I may have misconfigured it.
    >

    Probably
     

    Nope. Not possible with current SMTP
     

    Well, the easiest remedy would be to permanently ban all MS software from
    internet access.
    --
    Microsoft's Guide To System Design:
    Let it get in YOUR way. The problem for your problem.

    Peter Guest

  6. #6

    Default Re: SWEN virus.

    "Shashank Khanvilkar" <ece.uic.edu> wrote in
    news:boophr$7rn$cc.uic.edu:
     
    >> Do you have administrative access to the server? If not, contact your
    >> ISP,
    >
    > I have administrative access to one of my servers... but the other is
    > controlled by someone else.. and unfortunately I am receiving such
    > mails on both mail accounts.
    >
    > I already have SpamAssassin, which is not doing a very good job..
    > But that is not of concern, as I may have misconfigured it.
    >
    > My real concern is how one can remedy this problem at the root.. Even
    > if I install anti-virus software, my server is still receiving those
    > bloody emails, wasting a lot of BW. Isn't there any current mechanism
    > built into SMTP which will automatically stop relaying messages from
    > the culprit, right at the first hop, and if not, what can be done about
    > it?

    You can only control what is under your control. The way that SMTP works,
    there is no way to receive enough of the message to identify it as a virus
    without receiving the entire message. A mail server with properly
    configured AV software will then delete it silently. That is,
    unfortunately, the best you can really hope for, unless you can find a
    broken mail server. And, unfortunately, the vast majority of Swen viruses
    are sent through the sender's ISP's mail server, rather than direct, so you
    can't afford to just block the sender (which would prevent _any_ connection
    at all, if done properly), or you'll be blocking a lot of legitimate email
    from large ISPs.
    The best I've managed is to delete them silently as soon as they are
    received. It seems that all Windows executables start with
    TVqQAAMAAAAEAAAA//, so if you're willing to simply refuse all executables (and
    you should, since legitimate email with executable attachments can be
    re-sent zipped), you can just kill on that string.

    --
    Terry Austin
    com
    www.hyperbooks.com
    Roleplaying Stuff
    No Guest

  7. #7

    Default Re: SWEN virus.


    "Shashank Khanvilkar" <ece.uic.edu> wrote in message
    news:boophr$7rn$cc.uic.edu...
     

    STOP posting with a valid email address!!!! Munge your address
    (like mine) and they will stop, eventually.

    I was getting 40-50 of these emails when I munged my email
    3 weeks ago, now I'm getting 8-9 per week and that rate is
    dropping fast.

    You see, Swen infected computers look in the newsserver for
    posts with a valid email address, those that it finds get pounded.

    Munge your email, then, as the posts you made with a valid email
    expire, your swen emails will naturally drop off.....

    Ken


    Ken Guest

  8. #8

    Default Re: SWEN virus.

    Ken Bessler wrote: 
    >
    >
    > STOP posting with a valid email address!!!! Munge your address (like
    > mine) and they will stop, eventually.
    >
    > I was getting 40-50 of these emails when I munged my email 3 weeks
    > ago, now I'm getting 8-9 per week and that rate is dropping fast.
    >
    > You see, Swen infected computers look in the newsserver for posts
    > with a valid email address, those that it finds get pounded.
    >
    > Munge your email, then, as the posts you made with a valid email
    > expire, your swen emails will naturally drop off.....
    >
    That is not the whole story. It is pretty clear that spammers harvest
    other victims' e-mail boxes and send stuff to everyone in them. So
    unless you have no one in the world with you in their address books, or
    at least no Microsoft users, you are doomed.

    And even were you so lucky, I observe from the Cc: headers that some of
    these s have 1,000,000 monkeys on the payroll typing out all
    possible e-mail addresses on every e-mail server they can find. And it
    is not too hard to find out the mail servers by rummaging around in the DNS.


    --
    .~. Jean-David Beyer Registered Linux User 85642.
    /V\ Registered Machine 73926.
    /( )\ Shrewsbury, New Jersey http://counter.li.org
    ^^-^^ 3:50pm up 16 days, 14:26, 3 users, load average: 2.22, 2.16, 2.16

    Jean-David Guest

  9. #9

    Default Re: SWEN virus.

    On Mon, 10 Nov 2003 12:52:40 -0600, Shashank Khanvilkar wrote:

    I use mailfilter. My .mailfilterrc is at dotfiles.com. I never receive
    SWEN. You may want to edit it.
    --
    rAr.cMom - > (remove capital letters: SPAM)


    Naota Guest

  10. #10

    Default Re: SWEN virus.


    "Shashank Khanvilkar" <ece.uic.edu> wrote in message news:boon2m$7oo$cc.uic.edu... 

    *** I was getting about a hundred a day until I limited the size to 20k; above
    this, delete from server. Most of all the MS ones were 150k and I think they
    still are. Though I still get 50 - 100 normal spam cr*p.
    John.




    John Guest

  11. #11

    Default Re: SWEN virus.

    In comp.os.linux.setup Shashank Khanvilkar <ece.uic.edu> wrote:
     

    It's doing a superb job here. I get several hundred spams a day (err,
    806 since yesterday), and only one or two slip past SA.
     

    Only you know. But you'd have to CONFIGURE it to stop swen. Just kill
    anything with MS|Microsoft E?mail in the From line. Or you can kill
    on subject:

    Subject.* (MS net|(bug|Failure|Error) (notice|letter|announcement|Report|Message))

    or

    Subject.* (Critical|Security|Network|Net|Internet|Latest|Current) (Patch|Pack|Update|Upgrade)

     

    There is no root.
     

    Uh - you can't stop his sender from sending!
     

    Complain to But spamassassin includes reporting
    mechanisms. Use them! A simple | spamassassin -r on your spambox
    will report all your spam back to razor, and then you benefit.

    Not to mention that SA learns just fine if you feed it some examples.
     

    Read The Fine Manual, and give us a break.


    Peter
    P.T. Guest

  12. Moderated Post

    Default Re: SWEN virus.

    Removed by Administrator
    General Guest
    Moderated Post

  13. #13

    Default Re: SWEN virus.

    "Shashank Khanvilkar" <ece.uic.edu> writes:

    Procmail can be VERY effective at deleting Swen when it reaches your
    servers. A single line is sufficient to dump all the Swen, well, at
    least all the Swen that hasn't been castrated by removing the binary
    of the virus itself. And it is FAR more effective at this than
    Spam-assassin, which can build up vast databases trying to cope with
    large quantities of this binary mail.

    As for stopping it before it reaches your server, log the domains
    that are delivering the bulk of the Swen to your server. I would
    suggest that dropping about a dozen or two ip address ranges, that
    you are never going to receive a legitimate email from in your life,
    into a block list would eliminate 3/4 of all the Swen virus.

    Here are my top candidate domains for adding to block lists.

    fg.online.no 152
    ocn.ne.jp 154
    bigpond.com 176
    so-net.ne.jp 193
    libertysurf.net 195
    telus.net 209
    wanadoo.fr 247
    singnet.com.sg 263
    inet.fi 315
    btinternet.com 353
    dion.ne.jp 358
    dublin.eircom.net 372
    tiscali.it 485
    tin.it 549
    hetnet.nl 555

    A total of 10832 Swen received from 1032 domains in the last 4 weeks.

    Ocn.ne.jp occasionally says they are doing something but their Swen
    count keeps climbing as fast as ever. Telus.net, the same. All appear
    to be working very hard to really do nothing to stop spewing Swen.

    And, btinternet's count is actually hundreds higher, they spewed 99
    from blueyonder plus other domains.

    But, 80% of the domains that have spewed Swen at me quickly put a stop
    to this after getting a complaint about this and rarely did one of them
    ever send another one.

    So, see if you have legitimate customers from any of your top two dozen
    spew hosts, and if it won't kill you then just kill them with a block
    list. It will make life easier. If you want to bounce their binary
    back at their abuse address for the domain, maybe even better. A few
    days of ing ten million Swen back at each of these might make them
    put the rest of the world in their block lists and we could all get
    on with the net. But they won't do anything about it.

    --

    More than 20 years ago when I first got involved with the net
    everyone on the net was either a white collar professional,
    who would never think of doing anything to risk their reputation,
    or was a student and knew what we would do to them if they did.

    I apologize for most of what the net has become. I'm sorry.
    I'm very very sorry. It was never meant to turn out this way.
    Don Guest

  14. #14

    Default Re: SWEN virus.

    Just like to add that it is not only you receiving these viruses, I am also
    being bombarded by the Swen virus....it's a pain in the .....I wasn't going
    to say anything....just hope that it dies out.........


    Myles Guest

  15. #15

    Default Re: SWEN virus.

    In <comp.os.linux.networking> Shashank Khanvilkar <ece.uic.edu> wrote: 

    If you're downloading from a remote POP3 account, then you can write a
    script to fetch only the top 50 lines of an email. You can then have the
    server delete it. Or, write ~/.procmailrc on that server. I use

    :0
    * boundary=\"[a-z]+\"
    spam

    :0HB
    * ^Content-Type: (text/html|audio/x-(wav|midi)|application/x-(msdownload|zip-compressed))
    spam
     

    No, you are downloading from a POP3 server. Even if you refuse to accept
    the emails, you will still download the entire email from the remote
    server.

    --
    William Park, Open Geometry Consulting, <ca>
    Linux solution for data management and processing.
    William Guest

  16. #16

    Default Re: SWEN virus.

    Shashank Khanvilkar wrote: 
    comp.mail.sendmail - it will take you a couple of weeks and some pain to
    learn what "you" need to do. I say "you" because your setup is not my setup.

    I REJECT (in access) mail from af, al, as, ad, ao, ai, ..... zw
    along with about 30 IP's and any email over 140000 bytes in size.

    And I contact the xyz the mail is passed thru.

    Rots'a Ruck

    Cal Guest

  17. #17

    Default Re: SWEN virus.

    "Shashank Khanvilkar" <ece.uic.edu> wrote in message
    news:boon2m$7oo$cc.uic.edu
     

    It's coming from posting your email address in Usenet; see it above.

    Ever notice that Swen is News spelled backwards? Your address is being
    harvested by the virus from the newsgroup postings you've made.


    tony

    --
    use hotmail com for any email replies



    ynotssor Guest

  18. #18

    Default Re: SWEN virus.

    On Mon, 10 Nov 2003 13:34:50 -0600, Shashank Khanvilkar wrote:
     
    >
    > I have administrative access to one of my servers... but the other is
    > controlled by someone else.. and unfortunately I am receiving such mails
    > on both mail accounts.
    >
    > I already have SpamAssassin, which is not doing a very good job.. But that
    > is not of concern, as I may have misconfigured it.
    >
    > My real concern is how one can remedy this problem at the root.. Even if I
    > install anti-virus software, my server is still receiving those bloody
    > emails, wasting a lot of BW. Isn't there any current mechanism built into
    > SMTP which will automatically stop relaying messages from the culprit,
    > right at the first hop, and if not, what can be done about it?
    >
    > All Comments appreciated.


    Shash,

    I don't know if you have Procmail running.. but I've found the following
    rules I cobbled together to be working _very_ effectively (news client may
    wrap some lines):


    ###
    # Swen detection
    # Swen addresses its mail to host/MX names rather than to a person
    :0h
    * To:.*(yourdomain|yourserver|mxserver|mxdomain|mailserver)\..*
    /dev/null

    # Body text of the fake "security update" message
    :0B
    * this is the latest version of security update
    * support.microsoft.com
    /dev/null

    # MIME boundary that does not start with "-": only tagged, not dropped,
    # since legitimate mail could match this too
    :0hfw:
    * ^Content-Type:.*boundary=\"[^-][^\"]*\"
    | formail -I"Subject: [W32/Swen(1) Detected!]"

    # Executable attachment disguised under an audio/* content type
    :0B
    * .*Content-Type:.*audio\/.*name=.*\.(exe|com|scr|pif|bat).*
    /dev/null
    #
    ###


    The boundary string match is tagged as this could match legit mails.. but
    so far, I've had none come through on this match.

    I deliberately "collected" them overnight a couple of weeks ago and the
    count was somewhere in the region of 75.. now.. I haven't had one come
    through since the above rules were implemented.

    Hope this is of some use =)



    Regards,

    Ian

    --
    Ian.H [Design & Development]
    digiServ Network - Web solutions
    www.digiserv.net | irc.digiserv.net | forum.digiserv.net
    Programming, Web design, development & hosting.

    Ian.H Guest
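The checks scattered through this thread (Terry's base64 "TVqQAAMAAAAEAAAA//" prefix in #6, the Subject patterns in #11 and the attachment-extension rule in Ian's procmail recipes above) collected into one Python triage function, as an added example that is not code from any of the posts; the two sample messages are constructed, with example.invalid addresses.

```python
"""Swen-style mail triage (added example; not code from the thread)."""
import base64
import re
from email import message_from_string
from typing import List

# Subject patterns from the SpamAssassin rules in post #11, case-insensitive.
SUBJECT_RE = re.compile(
    r"(MS net|(bug|Failure|Error) (notice|letter|announcement|Report|Message))"
    r"|((Critical|Security|Network|Net|Internet|Latest|Current) "
    r"(Patch|Pack|Update|Upgrade))",
    re.IGNORECASE,
)
# Attachment extensions from Ian's procmail rule in post #18.
EXEC_NAME_RE = re.compile(r"\.(exe|com|scr|pif|bat)$", re.IGNORECASE)

def _is_pe_payload(part) -> bool:
    """True if a base64 part decodes to a DOS/PE 'MZ' header.
    Terry's "TVqQAAMAAAAEAAAA//" string (post #6) is this same test on the
    encoded text; decoding first is robust against body line wrapping."""
    if part.get("Content-Transfer-Encoding", "").lower() != "base64":
        return False
    data = part.get_payload(decode=True) or b""
    return data.startswith(b"MZ")

def swen_reasons(raw_message: str) -> List[str]:
    """Return the heuristics that fire on a message; [] means it looks clean."""
    msg = message_from_string(raw_message)
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject")
    for part in msg.walk():              # yields the message itself if not MIME
        if part.is_multipart():
            continue
        if EXEC_NAME_RE.search(part.get_filename() or ""):
            reasons.append("exec-attachment")
        if _is_pe_payload(part):
            reasons.append("mz-payload")
    return reasons

# Constructed samples (not real Swen). The fake attachment is a DOS header
# stub padded with zeros; its base64 form starts with "TVqQAAMAAAAEAAAA//".
FAKE_PE = base64.b64encode(
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50
).decode()
SAMPLE_SWEN = f"""From: "MS Internet Security" <update@example.invalid>
Subject: Latest Internet Security Pack
Content-Type: multipart/mixed; boundary="abcdefgh"

--abcdefgh
Content-Type: audio/x-wav; name="patch.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="patch.exe"

{FAKE_PE}
--abcdefgh--
"""
SAMPLE_CLEAN = "From: a@example.invalid\nSubject: lunch?\n\nNoon at the usual place?\n"
```

Anything with a non-empty reason list is what the procmail recipes above would send to /dev/null or tag; running the function from a delivery agent is left to the local setup.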

  19. #19

    Default Re: SWEN virus.

    On Mon, 10 Nov 2003 12:52:40 -0600, Shashank Khanvilkar
    <ece.uic.edu> wrote: 

    I use mailfilter which you can configure for specific words in the To:,
    From:, and Subject: lines. It contacts the server and deletes the emails on
    the server periodically (with crontab), so that they are never actually
    brought in from the server to my dial-up connected computer.

    I have it set up both manually and with a crontab where that is performed
    first and then the mail is fetched (I use getpop3).

    ....Edwin

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~ Edwin Johnson ....... net ~
    ~ http://www.shreve.net/~elj ~
    ~ ~
    ~ "Once you have flown, you will walk the ~
    ~ earth with your eyes turned skyward, ~
    ~ for there you have been, there you long ~
    ~ to return." -- da Vinci ~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Edwin Guest

  20. #20

    Default Re: SWEN virus.

    > I have administrative access to one of my servers... but the other is 

    There really isn't a way to solve this problem at its source. Worms are
    grabbing email addresses off USENET, private address books, etc. Even my
    most trustworthy contacts have allowed my addresses to be harvested by
    spammers, since they haven't been careful about their desktop security.

    The only long term solution appears to be the use of time-limited email
    addresses.

    Another way to block email from infected machines is to use DNSBL (DNS-
    based blocklists) at your mail server. I find that 'psbl.surriel.com' is
    great at blocking infected hosts. Others that are blocking a substantial
    amount of virus/spam are 'blackholes.easynet.nl' and 'list.dsbl.org'

    Those DNSBL's will prevent the mail from even being accepted by your mail
    server. You (or your ISP) should also add processing after the mail enters
    your server. Software as simple as renattach can block your worms by
    filtering or dropping messages based on attachment filename

    http://www.pc-tools.net/unix/renattach/

    (1.2.0rc2 will be released today)

    --
    Jem Berkes
    http://www.sysdesign.ca/
    Jem Guest
