On Thu, 25 Sep 2003 4:02:52 +1000, Steve wrote
(in message <0001HW.BB97548C000E4D8F09A98AA0text.giganews.com >):
i.e. the people who have looked at Swen 'under a microscope' to see> CERT, Symantec and others report that this worm is propagating
> by mailing itself to everyone in the victim's address book. I,
how it propagates.
But, if it were using usenet addresses, those of us with _many_> and many other individuals with multiple email addresses, have
> observed that only those addresses which were used to post to
> the usenet have been attacked. In addition, the same addresses
> are attacked over and over. If the source of the attacks were
> the vicitims' address books one would expect that the addresses
> not used on usenet would also be under attack.
usenet email addresses would be seeing Swen addressed to many
addresses. I'm not. I've received a total of 5 copies of Swen, to 2
I have used (over the years) about 10 different email addresses in
usenet that still resolve, and still receive spam. I use
_different_ email addresses for private correspondence, different
ones again for email lists (specific to each list).
I am only receiving Swen to addresses I've used on usenet, but only
to 2 of those addresses. One of them, because I didn't intend it to
be publicly released, may also be used in personal address books.
I don't expect to receive Swen at 'personal' addresses for a couple
1) most people who email me privately are on Macs.
2) those who aren't tend not to use MS products for mail
3) most people don't copy addresses from email lists to their
Looks to me as though one or two people who have read/replied to me
using usenet have (for whatever reason) copied the address to their
one of the addresses that has received swen has only been used in> What this suggests to me is that the source of the lion's share
> of the current SWEN mailings is not other victims' address books
> but rather continued mailings to the same mailing list harvested
> from usenet. If that is the case, the number of sources should
> be able to be narrowed down considerably.
one group (rec.games.roguelike.nethack). The other has been used in
1 cross-posted thread (4 articles, xposted to 5 groups:
alt.atheism, alt.bible, alt.christnet.philosophy,
alt.christnet.theology, alt.religion.christian). The ones that
aren't receiving it have been used in both, and other, places
I'll go with the opinion of CERT...> It also suggests that ISPs are only going to be receiving
> complaints from the handfull of their customers who use usenet
> and are therefore likely to view it as a localized problem.