Watch this critical update from the M$

  1. #1

    Default Re: Watch this critical update from the M$

    Clive Skingle wrote:

    -snip posting with .exe file attached, "from Microsoft"-

    So, are you stupid, or do you think we are?

    --
    Els

    Mente humana é como pára-quedas; funciona melhor aberta.

    Els Guest

  2. #2

    Default Re: Watch this critical update from the M$

    [email]zola@invalid.org[/email] wrote:
    > Els wrote:
    >
    >
    >>Clive Skingle wrote:
    >>
    >>-snip posting with .exe file attached, "from Microsoft"-
    >>
    >>So, are you stupid, or do you think we are?
    >
    > He's fishing for idiots. And, sadly, he'll find quite a few
    And another fisherman (woman) is doing the same in alt.html :-(

    --
    Els

    Mente humana é como pára-quedas; funciona melhor aberta.

    Els Guest

  3. #3

    Default Re: Watch this critical update from the M$

    In news:bkhg7v$r9t$8@reader1.tiscali.nl, Els deftly typed:
    > [email]zola@invalid.org[/email] wrote:
    >
    >> Els wrote:
    >>
    >>
    >>> Clive Skingle wrote:
    >>>
    >>> -snip posting with .exe file attached, "from Microsoft"-
    >>>
    >>> So, are you stupid, or do you think we are?
    >>
    >> He's fishing for idiots. And, sadly, he'll find quite a few
    >
    > And another fisherman (woman) is doing the same in alt.html :-(
    These people might not even be aware that their machine is sending
    this.

    --
    Martin.
    "The known is finite, The unknown infinite"
    T.H.Huxley


    MCL Guest

  4. #4

    Default Re: Watch this critical update from the M$

    This post is from the worm. Worm.Automat.AGH has an SMTP engine and is
    going after usenet newsgroups. This is a bad one. It only takes about 90
    of these infected e-mails to fill up a 10 MByte mailbox... if you start
    getting these infected e-mails you'll have to empty your mailbox hourly or
    even more often just to keep legitimate e-mail from bouncing.

    Phil Weldon, [email]pweldon@mindspring.com[/email]

    <zola@invalid.org> wrote in message
    news:1ufomv8neh8a278tkru0da7eikkavfk3rk@4ax.com...
    > Els wrote:
    >
    > >Clive Skingle wrote:
    > >
    > >-snip posting with .exe file attached, "from Microsoft"-
    > >
    > >So, are you stupid, or do you think we are?
    >
    >
    > He's fishing for idiots. And, sadly, he'll find quite a few

    Phil Weldon Guest

  5. #5

    Default Re: Watch this critical update from the M$


    "Els" <els.aNOSPAM@PLEASEtiscali.nl.invalid> wrote in message
    news:bkhg7v$r9t$8@reader1.tiscali.nl...
    > [email]zola@invalid.org[/email] wrote:
    >
    > > Els wrote:
    > >
    > >
    > >>Clive Skingle wrote:
    > >>
    > >>-snip posting with .exe file attached, "from Microsoft"-
    > >>
    > >>So, are you stupid, or do you think we are?
    > >
    > > He's fishing for idiots. And, sadly, he'll find quite a few
    >
    > And another fisherman (woman) is doing the same in alt.html :-(

    They are all over the place.... the fucking scumbags.

    > Mente humana é como pára-quedas; funciona melhor aberta.
    >

    Jay Michaels Guest

  6. #6

    Default Re: Watch this critical update from the M$

    yeah i have had about 80 in the last 24 hours

    "Phil Weldon" <pweldon@mindspring.com> wrote in message
    news:e9Yab.45248$Aq2.25331@newsread1.news.atl.earthlink.net...
    > This post is from the worm. Worm.Automat.AGH has an SMTP engine and is
    > going after usenet newsgroups. This is a bad one. It only takes about 90
    > of these infected e-mails to fill up a 10 MByte mailbox... if you start
    > getting these infected e-mails you'll have to empty your mailbox hourly or
    > even more often just to keep legitimate e-mail from bouncing.
    >
    > Phil Weldon, [email]pweldon@mindspring.com[/email]
    >
    > <zola@invalid.org> wrote in message
    > news:1ufomv8neh8a278tkru0da7eikkavfk3rk@4ax.com...
    > > Els wrote:
    > >
    > > >Clive Skingle wrote:
    > > >
    > > >-snip posting with .exe file attached, "from Microsoft"-
    > > >
    > > >So, are you stupid, or do you think we are?
    > >
    > >
    > > He's fishing for idiots. And, sadly, he'll find quite a few
    >
    >

    Peter McDonald Guest

  7. #7

    Default Re: Watch this critical update from the M$

    MCL wrote:
    > In news:bkhg7v$r9t$8@reader1.tiscali.nl, Els deftly typed:
    >
    >>zola@invalid.org wrote:
    >>
    >>>Els wrote:
    >>>
    >>>>Clive Skingle wrote:
    >>>>
    >>>>-snip posting with .exe file attached, "from Microsoft"-
    >>>>
    >>>>So, are you stupid, or do you think we are?
    >>>
    >>>He's fishing for idiots. And, sadly, he'll find quite a few
    >>
    >>And another fisherman (woman) is doing the same in alt.html :-(
    >
    > These people might not even be aware that their machine is sending
    > this.
    It probably isn't even their machine that's sending it, some
    machine somewhere is using their address as the from address.

    --
    Els

    Mente humana é como pára-quedas; funciona melhor aberta.

    Els Guest

  8. #8

    Default Re: Watch this critical update from the M$

    On Sat, 20 Sep 2003 21:45:07 +0100, "Peter McDonald"
    <filth@blueyonder.co.uk> wrote:
    >yeah i have had about 80 in the last 24 hours
    Pfft ... I just recovered from a spammer using my demon domain as his
    "from" address (again!). I was getting around 2 bounces a second at
    its peak, fortunately all to non-existent mailboxes so once I
    realised what was happening I could filter them without too much
    trouble, but it was still a pain.

    --
    Derek Sorensen
    [url]http://goldcrossdata.co.uk[/url]
    Derek Sorensen Guest

  9. #9

    Default Re: Watch this critical update from the M$

    On Sat, 20 Sep 2003 21:45:07 +0100, "Peter McDonald"
    <filth@blueyonder.co.uk> waffled on about something:
    >yeah i have had about 80 in the last 24 hours
    Best way to avoid it is to never quote your true email address in a
    usenet post... I never have... If anyone wants it they can have it,
    but I'd scatter "removethis" and "skipthis" all the way through it.

    Probably why I have never received this worm, or seen sobig-f come to
    think of it....

    D0d6y.
    --
    MUSHROOMS ARE THE OPIATE OF THE MOOSES
    Dodgy Guest

  10. #10

    Default Re: Watch this critical update from the M$

    That's no protection. This worm is harvesting email addresses from address
    books. If anyone has an infected system and has your email address on their
    system you will eventually be flooded with these bogus and infected emails.
    PtoP filesharing networks are also being harvested for email addresses.
    Prior to this week I got an average of 5 infected e-mails per week. From
    midnight to midnight EDT (USA Eastern Daylight savings Time) 20SEP03 I
    received 1382 infected e-mails generated by this worm.

    Fill Weldon, [email]fweldon@mindspring.com[/email]
    [Changed my sig from the obvious and set up a new mailbox to see if it
    attracts anything.]

    "Dodgy" <Dodgy@earth.planet.universe> wrote in message
    news:rkvpmv0qiem631divgg4v8k1b51qcnkg90@4ax.com...
    > On Sat, 20 Sep 2003 21:45:07 +0100, "Peter McDonald"
    > <filth@blueyonder.co.uk> waffled on about something:
    >
    > >yeah i have had about 80 in the last 24 hours
    >
    > Best way to avoid it is to never quote your true email address in a
    > usenet post... I never have... If anyone wants it they can have it,
    > but I'd scatter "removethis" and "skipthis" all the way through it.
    >
    > Probably why I have never received this worm, or seen sobig-f come to
    > think of it....
    >
    > D0d6y.
    > --
    > MUSHROOMS ARE THE OPIATE OF THE MOOSES

    Phil Weldon Guest

  11. #11

    Default Re: Re: Watch this critical update from the M$

    On Sat, 20 Sep 2003 12:57:46 GMT, "Phil Weldon"
    <pweldon@mindspring.com> wrote/replied to:
    >This post is from the worm. Worm.Automat.AGH has an SMTP engine and is
    >going after usenet newsgroups. This is a bad one. It only takes about 90
    >of these infected e-mails to fill up a 10 MByte mailbox... if you start
    >getting these infected e-mails you'll have to empty your mailbox hourly or
    >even more often just to keep legitimate e-mail from bouncing.
    I don't know the answer to ending this attack, but I also get enough
    of these emails to choke my mailbox in a couple hours. I just hope it
    doesn't get any worse. It looks like I will have to change my email
    address, because this continues with no end in sight.

    Some friends are NOT getting these so bad, I'm not sure what the
    difference is, but if an address has been in use for a long time, like
    mine, 3 years, then I think more of these emails would show up.

    Maybe the answer is to change your address every few months, or when
    the spam builds to too high a level. Filtering this stuff is not the
    answer. I tried but got tired of it and anyway your mail box will
    still be full.


    Jim Davis
    Nature Photography
    [url]http://www.kjsl.com/~jbdavis/[/url]
    Jim Davis Guest

  12. #12

    Default Microsoft Worms deleting themselves

    JD> Some friends are NOT getting these so bad, I'm not sure what
    JD> the difference is, [...]

    One possibility is that your friends are actually infected with this
    particular Microsoft Worm. One of the actions that it takes (which isn't
    documented in the analyses performed by F-Secure or Sophos, but which was
    recently mentioned in "comp.mail.misc") is to connect to the user's POP3
    server, issue a "TOP" command against every message in the mailbox to retrieve
    its header and the first 30 lines of its body, and issue a "DELE" command to
    delete any messages that it detects to be copies of itself. The consequence
    of this would be that someone running Microsoft Windows and infected with this
    Microsoft Worm would see fewer copies of it in their POP3 mailbox, as the worm
    itself would be busy deleting them.
    Jonathan de Boyne Pollard Guest

  13. #13

    Default Re: Re: Watch this critical update from the M$

    The ONLY way to end the spam effect of this worm is for ISP's to scan at the
    POP3 level and DISCARD infected e-mail WITHOUT sending notification to the
    receiver (which still clogs the mailbox) OR the supposed sender e-mail
    addresses (which are either bogus or harvested from 'address books' on
    infected machines and networks.)

    Changing e-mail addresses is NOT AN ACCEPTABLE SOLUTION. It would cripple
    the future of the internet as a communication network. Individual solutions
    won't work, only a collective solution will. Failing an adequate response
    by ISP's, I'll go with the first e-mail provider that institutes scan and
    discard, be that hotmail or whatever. I'll even pay for such premium
    service, and look with favor on any ISP that unbundles packaged services so
    I can choose the services that meet my requirements. I'll also look with
    favor on any class actions filed on the basis of an ISP failing to provide
    implicitly contracted services (i.e., reliable mail service.)

    My current situation:

    My machines are NOT infected, and have NEVER been infected.
    I keep my security up-to-date.
    I don't send infected e-mail.

    My ISP is loading over 1500 infected e-mail messages into my mailbox each
    day.


    "Jim Davis" <spammenot@someip.jp> wrote in message
    news:ndp1nvkmlon2gfjhbevtgmdan1fqjmi8f3@nwall.odn.ne.jp...
    > On Sat, 20 Sep 2003 12:57:46 GMT, "Phil Weldon"
    > <pweldon@mindspring.com> wrote/replied to:
    >
    > >This post is from the worm. Worm.Automat.AGH has an SMTP engine and is
    > >going after usenet newsgroups. This is a bad one. It only takes about 90
    > >of these infected e-mails to fill up a 10 MByte mailbox... if you start
    > >getting these infected e-mails you'll have to empty your mailbox hourly or
    > >even more often just to keep legitimate e-mail from bouncing.
    >
    > I don't know the answer to ending this attack, but I also get enough
    > of these emails to choke my mailbox in a couple hours. I just hope it
    > doesn't get any worse. It looks like I will have to change my email
    > address, because this continues with no end in sight.
    >
    > Some friends are NOT getting these so bad, I'm not sure what the
    > difference is, but if an address has been in use for a long time, like
    > mine, 3 years, then I think more of these emails would show up.
    >
    > Maybe the answer is to change your address every few months, or when
    > the spam builds to too high a level. Filtering this stuff is not the
    > answer. I tried but got tired of it and anyway your mail box will
    > still be full.
    >
    >
    > Jim Davis
    > Nature Photography
    > [url]http://www.kjsl.com/~jbdavis/[/url]

    Phil Weldon Guest

  14. #14

    Default Re: Watch this critical update from the M$



    Phil Weldon wrote:
    > The ONLY way to end the spam effect of this worm is for ISP's to scan at the
    > POP3 level and DISCARD infected e-mail WITHOUT sending notification to the
    > receiver (which still clogs the mailbox) OR the supposed sender e-mail
    > addresses (which are either bogus or harvested from 'address books' on
    > infected machines and networks.)
    Disagree. I got hit real bad by this one, but I fixed it without needing
    any help from my ISP.

    Mailboxes were filling up in less than an hour, so obviously there was
    little I could do on the client side.

    I went to my ISP's admin pages, but there were no server side mail
    filters available. I understand some ISPs offer mail filters, but most
    only allow redirection to a folder, which doesn't solve the 'mailbox
    full' problem - but AFAIK they all have a redirect option.

    My solution - redirect all mail to a webmail account that has 'delete
    message' as a filter option. Configure the filters to delete any message
    which has 'run attached file' or 'undelivered' or 'undeliverable' in the
    body. Problem solved - filters have dropped about 2100 swen mails in the
    last 24 hours, all other mail (big dick/blue pill spam included,
    unfortunately) is received as usual.
    > Changing e-mail addresses is NOT AN ACCEPTABLE SOLUTION. It would cripple
    > the future of the internet as a communication network. Individual solutions
    > won't work, only a collective solution will. Failing an adequate response
    > by ISP's, I'll go with the first e-mail provider that institutes scan and
    > discard, be that hotmail or whatever. I'll even pay for such premium
    > service, and look with favor on any ISP that unbundles packaged services so
    > I can choose the services that meet my requirements. I'll also look with
    > favor on any class actions filed on the basis of an ISP failing to provide
    > implicitly contracted services (i.e., reliable mail service.)
    >
    > My current situation:
    >
    > My machines are NOT infected, and have NEVER been infected.
    > I keep my security up-to-date.
    > I don't send infected e-mail.
    >
    > My ISP is loading over 1500 infected e-mail messages into my mailbox each
    > day.
    >
    >
    > "Jim Davis" <spammenot@someip.jp> wrote in message
    > news:ndp1nvkmlon2gfjhbevtgmdan1fqjmi8f3@nwall.odn. ne.jp...
    >
    >>On Sat, 20 Sep 2003 12:57:46 GMT, "Phil Weldon"
    >><pweldon@mindspring.com> wrote/replied to:
    >>
    >>
    >>>This post is from the worm. Worm.Automat.AGH has an SMTP engine and is
    >>>going after usenet newsgroups. This is a bad one. It only takes about 90
    >>>of these infected e-mails to fill up a 10 MByte mailbox... if you start
    >>>getting these infected e-mails you'll have to empty your mailbox hourly or
    >>>even more often just to keep legitimate e-mail from bouncing.
    >>
    >>I don't know the answer to ending this attack, but I also get enough
    >>of these emails to choke my mailbox in a couple hours. I just hope it
    >>doesn't get any worse. It looks like I will have to change my email
    >>address, because this continues with no end in sight.
    >>
    >>Some friends are NOT getting these so bad, I'm not sure what the
    >>difference is, but if an address has been in use for a long time, like
    >>mine, 3 years, then I think more of these emails would show up.
    >>
    >>Maybe the answer is to change your address every few months, or when
    >>the spam builds to too high a level. Filtering this stuff is not the
    >>answer. I tried but got tired of it and anyway your mail box will
    >>still be full.
    >>
    >>
    >>Jim Davis
    >>Nature Photography
    >>[url]http://www.kjsl.com/~jbdavis/[/url]
    >
    >
    >
    Triffid Guest

  15. #15

    Default Re: Re: Watch this critical update from the M$

    On Wed, 24 Sep 2003 00:39:57 -0400, Triffid <triffid@nebula.net>
    wrote/replied to:
    >My solution - redirect all mail to a webmail account that has 'delete
    >message' as a filter option. Configure the filters to delete any message
    >which has 'run attached file' or 'undelivered' or 'undeliverable' in the
    >body. Problem solved - filters have dropped about 2100 swen mails in the
    >last 24 hours, all other mail (big dick/blue pill spam included,
    >unfortunately) is received as usual.
    I don't get it. If you have everything redirected to another webmail
    account, don't you have to go online and retrieve that mail for the
    delete filters to work? I have filters, but they only work on my
    retrieving the mail and don't help with my box filling up.

    I hope the ISPs do something about this quick, this is really a denial
    of service at its very worst. This is the first time I can ever
    remember something so terrible happening on the net. This really
    sucks.


    Jim Davis
    Nature Photography
    [url]http://www.kjsl.com/~jbdavis/[/url]
    Jim Davis Guest

  16. #16

    Default Re: Re: Re: Watch this critical update from the M$

    On Wed, 24 Sep 2003 03:11:58 GMT, "Phil Weldon"
    <pweldon@mindspring.com> wrote/replied to:
    >My current situation:
    >
    >My machines are NOT infected, and have NEVER been infected.
    >I keep my security up-to-date.
    >I don't send infected e-mail.
    >
    >My ISP is loading over 1500 infected e-mail messages into my mailbox each
    >day.
    Exactly my situation. I don't have it, never did have it but I'm
    getting a box full too often to mention.

    I would pay extra for a text only email service. No attachments, no
    html, just text. That's all I really want and care about anyway. This
    would stop the entire nonsense. It's time to return to the roots. All
    this fancy crap does to email is make it look like fancy crap anyway.



    Jim Davis
    Nature Photography
    [url]http://www.kjsl.com/~jbdavis/[/url]
    Jim Davis Guest

  17. #17

    Default Re: Watch this critical update from the M$

    You are getting very good results from your rules. Unfortunately, those
    three rules would cut my flood of infected e-mail by less than 50%.

    'Run attached file' would get ~ 33%

    However, on looking over my recent infected e-mail messages, including a
    rule to delete e-mail containing just about every form of deliver would catch
    just about all of the rest of the infected e-mail... at this moment, for as
    long as the body of the message (other than the e-mail addresses) doesn't
    mutate. It seems the worm can retrieve additional content material. And
    then there is the NEXT worm.

    'deliver'
    'deliverable'
    'delivered'
    'undelivered'
    'undeliverable'.

    Plus

    'Run attached file'
    will catch all, I think, of the infected e-mail generated.

    Now comes the next phase. The volume of E-mail of the type 'you sent an
    infected e-mail' and of the type 'an infected e-mail was sent to you' is
    increasing rapidly. These messages originate from organizations that scan
    e-mail and notify the recipient and purported sender of the event. Of
    course the infected e-mail generated by the worm has recipient addresses that
    are harvested from infected systems and networks and sender addresses that
    are either bogus or harvested from infected systems and networks. Not all
    of these messages contain the body of the infected e-mail message.



    Phil Weldon, [email]pweldon@mindspring.com[/email]

    "Triffid" <triffid@nebula.net> wrote in message
    news:ee9cb.5982$yD1.931405@news20.bellglobal.com...
    >
    >
    > Phil Weldon wrote:
    >
    > > The ONLY way to end the spam effect of this worm is for ISP's to scan at the
    > > POP3 level and DISCARD infected e-mail WITHOUT sending notification to the
    > > receiver (which still clogs the mailbox) OR the supposed sender e-mail
    > > addresses (which are either bogus or harvested from 'address books' on
    > > infected machines and networks.)
    >
    > Disagree. I got hit real bad by this one, but I fixed it without needing
    > any help from my ISP.
    >
    > Mailboxes were filling up in less than an hour, so obviously there was
    > little I could do on the client side.
    >
    > I went to my ISP's admin pages, but there were no server side mail
    > filters available. I understand some ISPs offer mail filters, but most
    > only allow redirection to a folder, which doesn't solve the 'mailbox
    > full' problem - but AFAIK they all have a redirect option.
    >
    > My solution - redirect all mail to a webmail account that has 'delete
    > message' as a filter option. Configure the filters to delete any message
    > which has 'run attached file' or 'undelivered' or 'undeliverable' in the
    > body. Problem solved - filters have dropped about 2100 swen mails in the
    > last 24 hours, all other mail (big dick/blue pill spam included,
    > unfortunately) is received as usual.
    >

    Phil Weldon Guest

  18. #18

    Default Re: Re: Watch this critical update from the M$

    > The ONLY way to end the spam effect of this worm is for ISP's to scan at the
    > POP3 level and DISCARD infected e-mail WITHOUT sending notification to the
    > receiver (which still clogs the mailbox)


    as earthlink has done perfectly.....never got a SINGLE one

    "Phil Weldon" <pweldon@mindspring.com> wrote in message news:2Y7cb.3876$ai7.1002@newsread1.news.atl.earthl ink.net...
    > OR the supposed sender e-mail
    > addresses (which are either bogus or harvested from 'address books' on
    > infected machines and networks.)
    >
    > Changing e-mail addresses is NOT AN ACCEPTABLE SOLUTION. It would cripple
    > the future of the internet as a communication network. Individual solutions
    > won't work, only a collective solution will. Failing an adequate response
    > by ISP's, I'll go with the first e-mail provider that institutes scan and
    > discard, be that hotmail or whatever. I'll even pay for such premium
    > service, and look with favor on any ISP that unbundles packaged services so
    > I can choose the services that meet my requirements. I'll also look with
    > favor on any class actions filed on the basis of an ISP failing to provide
    > implicitly contracted services (i.e., reliable mail service.)
    >
    > My current situation:
    >
    > My machines are NOT infected, and have NEVER been infected.
    > I keep my security up-to-date.
    > I don't send infected e-mail.
    >
    > My ISP is loading over 1500 infected e-mail messages into my mailbox each
    > day.
    >
    >
    > "Jim Davis" <spammenot@someip.jp> wrote in message
    > news:ndp1nvkmlon2gfjhbevtgmdan1fqjmi8f3@nwall.odn. ne.jp...
    > > On Sat, 20 Sep 2003 12:57:46 GMT, "Phil Weldon"
    > > <pweldon@mindspring.com> wrote/replied to:
    > >
    > > >This post is from the worm. Worm.Automat.AGH has an SMTP engine and is
    > > >going after usenet newsgroups. This is a bad one. It only takes about 90
    > > >of these infected e-mails to fill up a 10 MByte mailbox... if you start
    > > >getting these infected e-mails you'll have to empty your mailbox hourly or
    > > >even more often just to keep legitimate e-mail from bouncing.
    > >
    > > I don't know the answer to ending this attack, but I also get enough
    > > of these emails to choke my mailbox in a couple hours. I just hope it
    > > doesn't get any worse. It looks like I will have to change my email
    > > address, because this continues with no end in sight.
    > >
    > > Some friends are NOT getting these so bad, I'm not sure what the
    > > difference is, but if an address has been in use for a long time, like
    > > mine, 3 years, then I think more of these emails would show up.
    > >
    > > Maybe the answer is to change your address every few months, or when
    > > the spam builds to too high a level. Filtering this stuff is not the
    > > answer. I tried but got tired of it and anyway your mail box will
    > > still be full.
    > >
    > >
    > > Jim Davis
    > > Nature Photography
    > > [url]http://www.kjsl.com/~jbdavis/[/url]
    >
    >

    JAD Guest

  19. #19

    Default Re: Watch this critical update from the M$

    JAD wrote:
    > The ONLY way to end the spam effect of this worm is for ISP's to scan at the
    >
    >>POP3 level and DISCARD infected e-mail WITHOUT sending notification to the
    >>receiver (which still clogs the mailbox)
    >
    >
    >
    >
    > as earthlink has done perfectly.....never got a SINGLE one
    >
    It wasn't Earthlink! I get about 100 of these a day beyond those
    stopped by Spaminator. Because of this I will probably switch to
    Worldnet as they advertise that they scan all e-mail for viruses.

    > "Phil Weldon" <pweldon@mindspring.com> wrote in message news:2Y7cb.3876$ai7.1002@newsread1.news.atl.earthl ink.net...
    >
    >>OR the supposed sender e-mail
    >>addresses (which are either bogus or harvested from 'address books' on
    >>infected machines and networks.)
    >>
    >>Changing e-mail addresses is NOT AN ACCEPTABLE SOLUTION. It would cripple
    >>the future of the internet as a communication network. Individual solutions
    >>won't work, only a collective solution will. Failing an adequate response
    >>by ISP's, I'll go with the first e-mail provider that institutes scan and
    >>discard, be that hotmail or whatever. I'll even pay for such premium
    >>service, and look with favor on any ISP that unbundles packaged services so
    >>I can choose the services that meet my requirements. I'll also look with
    >>favor on any class actions filed on the basis of an ISP failing to provide
    >>implicitly contracted services (i.e., reliable mail service.)
    >>
    >>My current situation:
    >>
    >>My machines are NOT infected, and have NEVER been infected.
    >>I keep my security up-to-date.
    >>I don't send infected e-mail.
    >>
    >>My ISP is loading over 1500 infected e-mail messages into my mailbox each
    >>day.
    >>
    >>
    >>"Jim Davis" <spammenot@someip.jp> wrote in message
    >>news:ndp1nvkmlon2gfjhbevtgmdan1fqjmi8f3@nwall.od n.ne.jp...
    >>
    >>>On Sat, 20 Sep 2003 12:57:46 GMT, "Phil Weldon"
    >>><pweldon@mindspring.com> wrote/replied to:
    >>>
    >>>
    >>>>This post is from the worm. Worm.Automat.AGH has an SMTP engine and is
    >>>>going after usenet newsgroups. This is a bad one. It only takes about 90
    >>>>of these infected e-mails to fill up a 10 MByte mailbox... if you start
    >>>>getting these infected e-mails you'll have to empty your mailbox hourly or
    >>>>even more often just to keep legitimate e-mail from bouncing.
    >>>
    >>>I don't know the answer to ending this attack, but I also get enough
    >>>of these emails to choke my mailbox in a couple hours. I just hope it
    >>>doesn't get any worse. It looks like I will have to change my email
    >>>address, because this continues with no end in sight.
    >>>
    >>>Some friends are NOT getting these so bad, I'm not sure what the
    >>>difference is, but if an address has been in use for a long time, like
    >>>mine, 3 years, then I think more of these emails would show up.
    >>>
    >>>Maybe the answer is to change your address every few months, or when
    >>>the spam builds to too high a level. Filtering this stuff is not the
    >>>answer. I tried but got tired of it and anyway your mail box will
    >>>still be full.
    >>>
    >>>
    >>>Jim Davis
    >>>Nature Photography
    >>>[url]http://www.kjsl.com/~jbdavis/[/url]
    >>
    >>
    >
    >
    Michael W Ryder Guest

  20. #20

    Default Re: Watch this critical update from the M$



    Phil Weldon wrote:
    > You are getting very good results from your rules. Unfortunately, those
    > three rules would cut my flood of infected e-mail by less than 50%.
    >
    > 'Run attached file' would get ~ 33%
    >
    > However, on looking over my recent infected e-mail messages, including a
    > rule to delete e-mail containing just about every form of deliver would catch
    > just about all of the rest of the infected e-mail... at this moment, for as
    > long as the body of the message (other than the e-mail addresses) doesn't
    > mutate. It seems the worm can retrieve additional content material. And
    > then there is the NEXT worm.
    >
    > 'deliver'
    > 'deliverable'
    > 'delivered'
    > 'undelivered'
    > 'undeliverable'.
    >
    > Plus
    >
    > 'Run attached file'
    > will catch all, I think, of the infected e-mail generated.
    My *exact* ruleset, which has not allowed a single infected email
    through in the last 48 hours, is:

    Header does not contain <my_mail_address>
    OR
    Body contains 'Run attached file'
    OR
    Body contains 'Undelivered to'
    OR
    Body contains 'deliver your message'
    OR
    Body contains 'not be delivered'
    OR
    Body contains 'Undelivered message'
    OR
    Body contains 'Undeliverable message'
    OR
    Body contains 'Undeliverable mail'
    OR
    Body contains 'Undelivered mail'
    OR
    Body contains 'Undeliverable to'
    OR
    Body contains 'Message follows:'

    I'd like the first one to be:

    To does not contain <my_mail_address>
    AND
    CC does not contain <my_mail_address>

    This would be even more effective, but unfortunately CC is not supported
    by my provider. It's possible my filters are also dropping the
    occasional legitimate message, but I guess that's the price I have to pay
    to keep my mailbox open for business during the storm.
    > Now comes the next phase. The volume of E-mail of the type 'you sent an
    > infected e-mail' and of the type 'an infected e-mail was sent to you' is
    > increasing rapidly. These messages originate from organizations that scan
    > e-mail and notify the recipient and purported sender of the event. Of
    > course the infected e-mail generated by the worm has recipient addresses that
    > are harvested from infected systems and networks and sender addresses that
    > are either bogus or harvested from infected systems and networks. Not all
    > of these messages contain the body of the infected e-mail message.
    I've had about 10 of those get through the filters, but since they are
    all under 1KB it's not a serious problem.

    It doesn't look like this is going to stop anytime soon, either:

    [url]http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32%2FSwen.A-mm[/url]
    > Phil Weldon, [email]pweldon@mindspring.com[/email]
    >
    > "Triffid" <triffid@nebula.net> wrote in message
    > news:ee9cb.5982$yD1.931405@news20.bellglobal.com.. .
    >
    >>
    >>Phil Weldon wrote:
    >>
    >>
    >>>The ONLY way to end the spam effect of this worm is for ISP's to scan at the
    >>>POP3 level and DISCARD infected e-mail WITHOUT sending notification to the
    >>>receiver (which still clogs the mailbox) OR the supposed sender e-mail
    >>>addresses (which are either bogus or harvested from 'address books' on
    >>>infected machines and networks.)
    >>
    >>Disagree. I got hit real bad by this one, but I fixed it without needing
    >>any help from my ISP.
    >>
    >>Mailboxes were filling up in less than an hour, so obviously there was
    >>little I could do on the client side.
    >>
    >>I went to my ISP's admin pages, but there were no server side mail
    >>filters available. I understand some ISPs offer mail filters, but most
    >>only allow redirection to a folder, which doesn't solve the 'mailbox
    >>full' problem - but AFAIK they all have a redirect option.
    >>
    >>My solution - redirect all mail to a webmail account that has 'delete
    >>message' as a filter option. Configure the filters to delete any message
    >>which has 'run attached file' or 'undelivered' or 'undeliverable' in the
    >>body. Problem solved - filters have dropped about 2100 swen mails in the
    >>last 24 hours, all other mail (big dick/blue pill spam included,
    >>unfortunately) is received as usual.
    >>
    >
    >
    >
    Triffid Guest
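
The ruleset in post #20, written out as an added Python sketch (not code from any poster or mail provider), together with a server-side sweep that applies it through the POP3 TOP and DELE commands named in post #12, so matching mail is removed from the mailbox without downloading its attachment. The address `user@example.org`, the sample messages, the function names and the case-insensitive matching are assumptions made for the example.

```python
import email

MY_ADDRESS = "user@example.org"  # constructed stand-in for <my_mail_address>

# Body phrases from the ruleset above, lower-cased: this sketch assumes the
# provider's "contains" test ignores case.
BODY_PHRASES = (
    "run attached file", "undelivered to", "deliver your message",
    "not be delivered", "undelivered message", "undeliverable message",
    "undeliverable mail", "undelivered mail", "undeliverable to",
    "message follows:",
)


def _body_text(msg):
    """Lower-cased text of every text/* part; attachments are never decoded."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            chunks.append(payload.decode(part.get_content_charset() or "latin-1", "replace"))
        except LookupError:  # unknown charset label in the message
            chunks.append(payload.decode("latin-1"))
    return "\n".join(chunks).lower()


def match_rule(raw, my_address=MY_ADDRESS, strict_recipient=False):
    """Return the name of the first rule a raw message trips, or None to keep it.

    strict_recipient=False is the ruleset as posted (address anywhere in the
    header); True is the To/CC variant the poster wanted but could not configure.
    """
    msg = email.message_from_bytes(raw)
    addr = my_address.lower()
    if strict_recipient:
        fields, label = msg.get_all("To", []) + msg.get_all("Cc", []), "to/cc lack address"
    else:
        fields, label = [value for _, value in msg.items()], "header lacks address"
    if not any(addr in str(value).lower() for value in fields):
        return label
    body = _body_text(msg)
    for phrase in BODY_PHRASES:
        if phrase in body:
            return "body: " + phrase
    return None


def sweep_mailbox(pop, my_address=MY_ADDRESS, strict_recipient=False, body_lines=30):
    """Delete matching mail on the server through a poplib.POP3-style object.

    TOP fetches the header plus body_lines lines of body, so the attachment is
    never downloaded. The caller must call pop.quit() to commit the deletions.
    """
    deleted = []
    _, listing, _ = pop.list()
    for entry in listing:
        number = int(entry.split()[0])
        _, lines, _ = pop.top(number, body_lines)
        if match_rule(b"\r\n".join(lines), my_address, strict_recipient):
            pop.dele(number)
            deleted.append(number)
    return deleted


def _mail(headers, body):
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


# Constructed sample messages (not captured traffic).
SAMPLES = [
    _mail(["From: friend@example.net", "To: user@example.org", "Subject: lunch"],
          "See you at noon."),
    _mail(["From: update@example.com", "To: user@example.org", "Subject: patch"],
          "Run attached file."),
    _mail(["From: postmaster@example.com", "To: user@example.org", "Subject: Returned"],
          "Undeliverable mail to someone@example.com\r\nMessage follows:"),
    _mail(["Received: from a by mx.example.org for <user@example.org>",
           "From: list@example.com", "To: members@example.com", "Subject: news"],
          "Monthly newsletter."),
    _mail(["From: nobody@example.com", "To: other@example.com", "Subject: hi"],
          "Hello."),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(match_rule(raw), "|", match_rule(raw, strict_recipient=True))
```

The fourth sample shows why the To/CC form is tighter: the address appears only in a Received line, so the header rule as posted keeps the message while the stricter form drops it.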
