SWEN Worm Propagation Anomaly? - Mac Networking

  1. #1

    Re: SWEN Worm Propagation Anomaly?

    In article <0001HW.BB97548C000E4D8F09A98AA0text.giganews.com >,
    Steve <nospamnospam.com> wrote:
    > CERT, Symantec and others report that this worm is propagating by mailing
    > itself to everyone in the victim's address book. I, and many other
    > individuals with multiple email addresses, have observed that only those
    > addresses which were used to post to the usenet have been attacked. In
    > addition, the same addresses are attacked over and over. If the source of the
    > attacks were the victims' address books one would expect that the addresses
    > not used on usenet would also be under attack.
    >
    > What this suggests to me is that the source of the lion's share of the
    > current SWEN mailings is not other victims' address books but rather
    > continued mailings to the same mailing list harvested from usenet. If that is
    > the case, the number of sources should be able to be narrowed down
    > considerably.
    >
    > It also suggests that ISPs are only going to be receiving complaints from the
    > handful of their customers who use usenet and are therefore likely to view
    > it as a localized problem.
    >
    > Comments?
    Your premise is faulty. I have received the worm at an address that has
    never been used to post to Usenet.
    --
    D.F. Manno
    dommannonetscape.net

    Nobody Died When Clinton Lied
    D.F. Manno Guest

  2. #2

    Re: SWEN Worm Propagation Anomaly?

    On Thu, 25 Sep 2003 4:02:52 +1000, Steve wrote
    (in message <0001HW.BB97548C000E4D8F09A98AA0text.giganews.com >):
    > CERT, Symantec and others report that this worm is propagating
    > by mailing itself to everyone in the victim's address book. I,
    i.e. the people who have looked at Swen 'under a microscope' to see
    how it propagates.
    > and many other individuals with multiple email addresses, have
    > observed that only those addresses which were used to post to
    > the usenet have been attacked. In addition, the same addresses
    > are attacked over and over. If the source of the attacks were
    > the victims' address books one would expect that the addresses
    > not used on usenet would also be under attack.
    But, if it were using usenet addresses, those of us with _many_
    usenet email addresses would be seeing Swen addressed to many
    addresses. I'm not. I've received a total of 5 copies of Swen, to 2
    addresses.

    I have used (over the years) about 10 different email addresses in
    usenet that still resolve, and still receive spam. I use
    _different_ email addresses for private correspondence, different
    ones again for email lists (specific to each list).

    I am only receiving Swen to addresses I've used on usenet, but only
    to 2 of those addresses. One of them, because I didn't intend it to
    be publicly released, may also be used in personal address books.

    I don't expect to receive Swen at 'personal' addresses for a couple
    of reasons:
    1) most people who email me privately are on Macs.
    2) those who aren't tend not to use MS products for mail
    3) most people don't copy addresses from email lists to their
    addressbooks

    Looks to me as though one or two people who have read/replied to me
    using usenet have (for whatever reason) copied the address to their
    addressbook.
    > What this suggests to me is that the source of the lion's share
    > of the current SWEN mailings is not other victims' address books
    > but rather continued mailings to the same mailing list harvested
    > from usenet. If that is the case, the number of sources should
    > be able to be narrowed down considerably.
    one of the addresses that has received swen has only been used in
    one group (rec.games.roguelike.nethack). The other has been used in
    1 cross-posted thread (4 articles, xposted to 5 groups:
    alt.atheism, alt.bible, alt.christnet.philosophy,
    alt.christnet.theology, alt.religion.christian). The ones that
    aren't receiving it have been used in both, and other, places
    _much_ more.

    > It also suggests that ISPs are only going to be receiving
    > complaints from the handful of their customers who use usenet
    > and are therefore likely to view it as a localized problem.
    >
    > Comments?
    I'll go with the opinion of CERT...

    Have Fun
    Martin

    Martin Crisp Guest

  3. #3

    Re: SWEN Worm Propagation Anomaly?

    In article <0001HW.BB978D5D0016130709E1BAA0text.giganews.com >,
    Steve <nospamnospam.com> wrote:
    > Secondly, this worm has been around for some time. If it were being driven
    > primarily by address books, it is hard to explain the order of magnitude
    > spike two weeks ago. I think that is more characteristic of a spam type
    > mailing list.
    Your second point coupled with my experience suggests to me it is not
    just driven by Usenet postings. I've been a regular poster to a couple
    of newsgroups for years and have never bothered to mangle my email
    address until just yesterday. My trouble with the worm did not start
    until this past Friday. If simply posting with a clear email address
    were sufficient to become a target, then I should have become a target a
    couple of weeks ago rather than just last Friday.

    However, on the chance you are correct you will notice my email address
    for this posting is mangled. And, I won't be exposing any other email
    address I have to the Usenet.
    Bill Rowe Guest

  4. #4

    Re: SWEN Worm Propagation Anomaly?

    In article <dommanno-BCE585.17211924092003corp-radius.supernews.com>,
    D.F. Manno <dommannonetscape.net> wrote:
    > In article <0001HW.BB97548C000E4D8F09A98AA0text.giganews.com >,
    > Steve <nospamnospam.com> wrote:
    >
    > > CERT, Symantec and others report that this worm is propagating by mailing
    > > itself to everyone in the victim's address book. I, and many other
    > > individuals with multiple email addresses, have observed that only those
    > > addresses which were used to post to the usenet have been attacked. In
    > > addition, the same addresses are attacked over and over. If the source of
    > > the
    > > attacks were the victims' address books one would expect that the
    > > addresses
    > > not used on usenet would also be under attack.
    > >
    > > What this suggests to me is that the source of the lion's share of the
    > > current SWEN mailings is not other victims' address books but rather
    > > continued mailings to the same mailing list harvested from usenet. If that
    > > is
    > > the case, the number of sources should be able to be narrowed down
    > > considerably.
    > >
    > > It also suggests that ISPs are only going to be receiving complaints from
    > > the
    > > handful of their customers who use usenet and are therefore likely to view
    > > it as a localized problem.
    > >
    > > Comments?
    >
    > Your premise is faulty. I have received the worm at an address that has
    > never been used to post to Usenet.
    Nevertheless, swen does harvest addresses from Usenet, hence its name.
    The 1300 copies I received were received through an e-mail address that
    has never been used for anything BUT posting to Usenet, and when I
    switched my posting address, I began receiving copies at that address
    within minutes. I have received no copies at all on any of my other
    e-mail addresses, some of which have been widely publicized but are not
    used on Usenet.

    --
    Jerry Kindall, Seattle, WA <http://www.jerrykindall.com/>

    When replying by e-mail, use plain text ONLY to make sure I read it.
    Due to spam and viruses, I filter all mail with HTML or attachments.
    Jerry Kindall Guest

  5. #5

    Re: SWEN Worm Propagation Anomaly?

    In article
    <readnewsNOSPAM-C2D846.20285324092003news06.west.earthlink.net>, Bill
    Rowe <readnewsNOSPAMearthlink.net.invalid> wrote:
    > In article <0001HW.BB978D5D0016130709E1BAA0text.giganews.com >,
    > Steve <nospamnospam.com> wrote:
    >
    > > Secondly, this worm has been around for some time. If it were being driven
    > > primarily by address books, it is hard to explain the order of magnitude
    > > spike two weeks ago. I think that is more characteristic of a spam type
    > > mailing list.
    >
    > Your second point coupled with my experience suggests to me it is not
    > just driven by Usenet postings. I've been a regular poster to a couple
    > of newsgroups for years and have never bothered to mangle my email
    > address until just yesterday. My trouble with the worm did not start
    > until this past Friday. If simply posting with a clear email address
    > were sufficient to become a target, then I should have become a target a
    > couple of weeks ago rather than just last Friday.
    Well, no. The worm wasn't active until late last week. I got copies
    beginning Thursday.

    --
    Jerry Kindall, Seattle, WA <http://www.jerrykindall.com/>

    When replying by e-mail, use plain text ONLY to make sure I read it.
    Due to spam and viruses, I filter all mail with HTML or attachments.
    Jerry Kindall Guest

  6. #6

    Re: SWEN Worm Propagation Anomaly?

    Steve <nospamnospam.com> wrote:
    > What this suggests to me is that the source of the lion's share of the
    > current SWEN mailings is not other victims' address books but rather
    > continued mailings to the same mailing list harvested from usenet.

    I agree that the worm apparently does not necessarily just search
    through address books - I think it DOES at the same time probably also
    scan through usenet postings - which are usually stored on people's
    hard disks as well.

    The headers of the incoming mails all contain a "return path" which seems
    to point to "real people" - unlike the "from" address.

    So I would think that this "spam" does not come from a few centralized
    spam-mailers, but from just about every computer where the worm is executed
    and email addresses can be found - in address books or usenet postings
    alike...

    Torge.
    Torge Anders Guest

  7. #7

    Re: SWEN Worm Propagation Anomaly?

    Steve <nospamnospam.com> wrote:
    > That's a good point. I thought about that, especially since Outlook can be
    > used for newsreading as well as mail. That particular method wasn't mentioned
    > in the CERN advisory and I don't have enough familiarity with Wintel code to
    > disassemble the exe and figure it out myself.
    At the Symantec site
    (http://www.symantec.com/avcenter/venc/data/w32.swen.amm.html) was a
    pretty good explanation of the worm - including a list of all the types
    of data it searches for emails.
    > On the other hand, I am getting the worm at email addresses I haven't used
    > for over a year, so it's unlikely that it would be in anyone's usenet article
    > cache.
    I bet, people have things on their computers, you would never even dream
    of - harddisk space of over 100 gigs - you could probably store usenet
    postings back to the year 0 - without problems...
    > Whatever it is, I wish someone could figure out an effective way to stop it
    I have a feeling, it's been going back since maybe yesterday...

    Torge.
    Torge Anders Guest

  8. #8

    Re: SWEN Worm Propagation Anomaly?

    In article <240920032329121763%jerrykindallnospam.invalid> , Jerry
    Kindall <jerrykindallnospam.invalid> wrote:
    > Well, no. The worm wasn't active until late last week. I got copies
    > beginning Thursday.
    Same here. And so far only to the e-mail address I use on Usenet,
    in multi-megabyte quantities daily.

    Regards,

    - Lou Forlini
    Software Engineer
    System Support Products, Inc.
    Lou Forlini Guest

  9. #9

    Re: SWEN Worm Propagation Anomaly?

    In article <0001HW.BB9829AF0003E05109A8F0A0text.giganews.com >, Steve
    <nospamnospam.com> wrote:
    > On Thu, 25 Sep 2003 2:57:27 -0400, Torge Anders wrote
    > (in message <1g1u356.1erb6f615sjwjkN%torgeandersNOSPAMgmx.de> ):
    >
    > > Steve <nospamnospam.com> wrote:
    > >
    > >> What this suggests to me is that the source of the lion's share of the
    > >> current SWEN mailings is not other victims' address books but rather
    > >> continued mailings to the same mailing list harvested from usenet.
    > >
    > >
    > > I agree that the worm apparently does not necessarily just search
    > > through address books - I think it DOES at the same time probably also
    > > scan through usenet postings - which are usually stored on people's
    > > hard disks as well.
    > >
    > > The headers of the incoming mails all contain a "return path" which seems
    > > to point to "real people" - unlike the "from" address.
    > >
    > > So I would think that this "spam" does not come from a few centralized
    > > spam-mailers, but from just about every computer where the worm is executed
    > > and email addresses can be found - in address books or usenet postings
    > > alike...
    > >
    > > Torge.
    >
    > That's a good point. I thought about that, especially since Outlook can be
    > used for newsreading as well as mail. That particular method wasn't mentioned
    > in the CERN advisory and I don't have enough familiarity with Wintel code to
    > disassemble the exe and figure it out myself.
    >
    > On the other hand, I am getting the worm at email addresses I haven't used
    > for over a year, so it's unlikely that it would be in anyone's usenet article
    > cache.
    >
    > Whatever it is, I wish someone could figure out an effective way to stop it
    > :-)
    >
    > Steve
    I did read some posts on another group (a virus group) that suggested
    setting a filter to trash any email that was not specifically addressed
    to you. I haven't tried it yet (I just read it). Dunno....
    D Warcken Guest

  10. #10

    Re: SWEN Worm Propagation Anomaly?

    In article <260920032126329334%warckennetpipe.com>,
    D Warcken <warckennetpipe.com> wrote:
    > I did read some posts on another group (a virus group) that suggested
    > setting a filter to trash any email that was not specifically addressed
    > to you. I haven't tried it yet (I just read it). Dunno....
    This only works if you're not on any mailing lists. Most mailing lists
    are not specifically addressed to you.

    --
    Address in header is dead, please use:

    netuse2 <at> jkonton <dot> best <dot> vwh <dot> net

    Please excuse the munging, but after receiving thousands of emails
    with the swen virus due to usenet email harvesting...
    Blackjack Joe Guest
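The filter suggested two posts up, with the mailing-list exemption this reply points out built in, as an added example (not code from any poster in the thread); the addresses, headers and three sample messages are constructed, not captured worm mail.

```python
# Added example for this thread (not code from any poster): the "trash
# anything not addressed to me" filter suggested above, with the mailing-list
# exemption the follow-up points out. Addresses and messages are constructed.
import email
from email.utils import getaddresses

# Assumed: the addresses this mailbox legitimately receives mail for.
MY_ADDRESSES = {"me@example.invalid", "me-usenet@example.invalid"}

# Headers that mailing-list software adds (RFC 2369 / RFC 2919); list mail is
# addressed to the list, not to the subscriber, so it must not be trashed.
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")


def recipients(msg):
    """Lower-cased addresses named in the To and Cc headers."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(raw) if addr}


def is_list_mail(msg):
    """True if any standard mailing-list header is present."""
    return any(msg.get(header) is not None for header in LIST_HEADERS)


def classify(raw_message):
    """Return 'keep' or 'quarantine' for one RFC 2822 message given as text."""
    msg = email.message_from_string(raw_message)
    if is_list_mail(msg):
        return "keep"
    if recipients(msg) & {a.lower() for a in MY_ADDRESSES}:
        return "keep"
    # Nothing in To/Cc names me: bulk mail that reached me only through the
    # envelope recipient (the pattern the thread complains about).
    return "quarantine"


# Constructed sample messages, not captured worm traffic.
PERSONAL = ("From: Friend <friend@example.invalid>\n"
            "To: Me <me@example.invalid>\n"
            "Subject: lunch?\n\nStill on for Friday?\n")
LIST = ("From: poster@example.invalid\n"
        "To: mac-talk@example.invalid\n"
        "List-Id: Mac talk <mac-talk.example.invalid>\n"
        "Subject: [mac-talk] filters\n\nAnyone tried this?\n")
BULK = ("From: \"MS Security\" <bogus@example.invalid>\n"
        "To: somebody-else@example.invalid\n"
        "Subject: Latest Internet Security Update\n\n"
        "Install the attached patch.\n")


def demo():
    """Run the three constructed samples through the filter."""
    return {name: classify(text)
            for name, text in (("personal", PERSONAL), ("list", LIST),
                               ("bulk", BULK))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

A sender that puts the target address in To: passes this check, so it is a coarse triage rule for the bulk pattern described in the thread, not a substitute for scanning attachments.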

  11. #11

    Re: SWEN Worm Propagation Anomaly?

    Lou Forlini <salessspi-software.com> wrote:
    > In article <240920032329121763%jerrykindallnospam.invalid> , Jerry
    > Kindall <jerrykindallnospam.invalid> wrote:
    >
    > > Well, no. The worm wasn't active until late last week. I got copies
    > > beginning Thursday.
    >
    > Same here. And so far only to the e-mail address I use on Usenet,
    > in multi-megabyte quantities daily.
    >
    Me too, it quickly fills up my Yahoo account to the 6MB limit and I
    can't receive normal email. I see a definite connection to usenet, I
    posted with my yahoo address to two cancer groups for the first time a
    week ago and within days the mail-bombing started.
    Yahoo of course doesn't care. In fact they are hoping I'll expand my
    mailbox size for a fee..

    --
    madiba
    madiba Guest

  12. #12

    return-path from original sender? [was: SWEN Worm Propagation Anomaly?]

    Steve <nospamnospam.com> wrote:
    > Whatever it is, I wish someone could figure out an effective way to stop it
    One thing I tried was sending back mails to the addresses in the
    "return-path" section in the header of the spam mails. I wrote about
    their possible "swen" infection and a link to the symantec swen site,
    which tells you how to get rid of the worm. I believe about 60% of
    these mails are coming back - mostly because of "error 5.2.2" which
    reads "mailbox full".

    Do you have any idea if these "return-path" entries inside the header
    information contain the REAL sender address? Or can even this be changed
    by the worm?

    Torge.
    Torge Anders Guest

  13. #13

    Re: return-path from original sender? [was: SWEN Worm Propagation Anomaly?]

    On Mon, 29 Sep 2003 11:54:10 +0100, Steve wrote
    (in message <0001HW.BB9D879200335C0E0940F800text.giganews.com >):
    > I think the lesson is that if you post to usenet with an open email address
    > you _will_ be attacked and once attacked your only defense is filtering or
    > giving up the address.
    A real newbie question: where can I find out how to do emails without using
    what you've termed an 'open' address? How would using a 'closed?' address
    allow me to receive e-mails without receiving the spam?

    (My own solution has been to change my address-- troublesome, as you
    indicated-- but you seem to be talking about some other method.)

    Kind regards,
    Devi Jankowicz

    Devi Jankowicz Guest

  14. Moderated Post

    Re: return-path from original sender? [was: SWEN Worm Propagation Anomaly?]

    Removed by Administrator
    Torge Anders Guest

  15. #15

    Re: return-path from original sender? [was: SWEN Worm Propagation Anomaly?]

    In article <0001HW.BB9EC4B90015F12209E17780text.giganews.com >,
    Steve <nospamnospam.com> wrote:
    > On Mon, 29 Sep 2003 12:50:12 -0400, Devi Jankowicz wrote
    > (in message <0001HW.BB9E21540008BED2F0101600news.cache.cable. ntlworld.com>):
    >
    > > On Mon, 29 Sep 2003 11:54:10 +0100, Steve wrote
    > > (in message <0001HW.BB9D879200335C0E0940F800text.giganews.com >):
    > >
    > >> I think the lesson is that if you post to usenet with an open email
    > >> address
    > >> you _will_ be attacked and once attacked your only defense is filtering or
    > >> giving up the address.
    > >
    > > A real newbie question: where can I find out how to do emails without
    > > using
    > > what you've termed an 'open' address? How would using a 'closed?' address
    > > allow me to receive e-mails without receiving the spam?
    > >
    > > (My own solution has been to change my address-- troublesome, as you
    > > indicated-- but you seem to be talking about some other method.)
    >
    > Just change the address in your newsreader to:
    >
    > Devi Jankowicz <animusNOSPAMntlworld.com>
    >
    > for example. There are many ways to do the same thing. Just look at examples
    > from other peoples' posts.
    A better choice is to tweak the domain name. The above address will
    still result in that e-mail going to your ISP's server (and choking it).
    Altering the domain name will cause it to go nowhere if you pick the
    right fix, i.e. <animusntlworld.NOSPAM.com> or
    <animusntlworld.MICROSOFT.com> if you care to get back at the source of
    the problem.

    --
    Clark Martin
    Redwood City, CA, USA Macintosh / Internet Consulting

    "I'm a designated driver on the Information Super Highway"
    Clark Martin Guest
