  #11   Report Post  
Larry
 
Posts: n/a
Default Virus Update- Is your name on the list?

On 27 Sep 2003 19:46:34 -0500, noah wrote:

I received a message today, in Portuguese no less, listing my email
address, and a number of others in this group, as having been
harvested by the W32/swenn@mm worm.


....snip

I'm a newbie here, but not having seen mention of them, you folks should be
aware of a few programs which will help. Pop3ScanMail and MailWasher will
allow you to delete these on your server without first having to download
them. I use MailWasher Pro which allows blacklisting, whitelisting and
filters to help you automate these tasks. I'm using a filter for Swen
which is about 99% effective. Saves a LOT of time.
--

Larry
email is rapp at lmr dot com

  #12   Report Post  
Doug Kanter
 
Posts: n/a
Default Virus Update- Is your name on the list?

The SWEN-laden messages I'm getting have so far come from 218 different
addresses. How does Mailwasher deal with this? Seems too complicated for a
blacklisting scheme.

"Larry" wrote in message
...
On 27 Sep 2003 19:46:34 -0500, noah wrote:

I received a message today, in Portuguese no less, listing my email
address, and a number of others in this group, as having been
harvested by the W32/swenn@mm worm.


...snip

I'm a newbie here, but not having seen mention of them, you folks should be
aware of a few programs which will help. Pop3ScanMail and MailWasher will
allow you to delete these on your server without first having to download
them. I use MailWasher Pro which allows blacklisting, whitelisting and
filters to help you automate these tasks. I'm using a filter for Swen
which is about 99% effective. Saves a LOT of time.
--

Larry
email is rapp at lmr dot com



  #13   Report Post  
Peggie Hall
 
Posts: n/a
Default Virus Update- Is your name on the list?

Larry wrote:
I'm a newbie here, but not having seen mention of them, you folks should be
aware of a few programs which will help. Pop3ScanMail and MailWasher will
allow you to delete these on your server without first having to download
them. I use MailWasher Pro which allows blacklisting, whitelisting and
filters to help you automate these tasks. I'm using a filter for Swen
which is about 99% effective. Saves a LOT of time.



I've been using the freeware version of Mailwasher for nearly a
year...just leave it running in the background all the time. Someone on
a sailnet list I'm on put me onto it, and it's cut the amount of spam I
ever actually see down from over 100/day to less than 5. It also deletes
mail--and also bounces anything blacklisted back to the spammer as
undeliverable mail directly from my ISP's mail server. It takes a little
tweaking about once a week to keep the blacklist up to date, but I love
it! Also has filters that allow me to screen and delete before
downloading any posts that don't interest me on the e-mail lists I'm on.
Once in a while it's a little overprotective and bounces a legitimate
email--for instance, I've included a wildcard expression on the
blacklist to delete any mail with *free* in the return address, so it
thought an email from a friend whose last name is Freeman was spam and
bounced it. But when I found out, all it took to fix it was adding his
email address to the "friends" list.

Fwiw, just munging an email address slightly (i.e.
@msndotREMOVE THIS.com...or tomATaol.com
etc) won't defeat spammers' harvesting software...they have other
software that cleans it up. That's why I use clue in
it as to my real address. It was working here...I wasn't getting any
spam till I made the mistake of joining a game site called jackpot.com
that ignores opt out requests and has software that knows how to collect
the address from everyone that even closes popups. Within 24 hours after
joining, my spam went from -0- to 50 to over 100 a day and increasing daily.

Check out mailwasher...I think you'll like it. It's at
http://www.mailwasher.net


Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and
Other Sources of Aggravation and Odor"
http://www.seaworthy.com/html/get_ri...oat_odors.html

  #14   Report Post  
Peggie Hall
 
Posts: n/a
Default Virus Update- Is your name on the list?



Doug Kanter wrote:
The SWEN-laden messages I'm getting have so far come from 218 different
addresses. How does Mailwasher deal with this? Seems too complicated for a
blacklisting scheme.


Find the identical element in the return address or subject line, add it
to the blacklist as a "wildcard" expression. Then mailwasher knows to
automatically delete and bounce all mail that has that element in it.

In the options, you can also choose for it to automatically delete and
bounce anything on the Spamcop, ORDB and VISI spam lists. It then adds
those email addresses to your blacklist...you can go in and edit that to
create wildcards.

For instance...there's a spammer who seems to like to use names of
metals in his return etc. So
I've created wildcards to bounce anything from from
(the asterisks represent 0-any characters).
Haven't actually seen another one from that source since I figured it out.

It sounds a lot more complicated than it is.

Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and
Other Sources of Aggravation and Odor"
http://www.seaworthy.com/html/get_ri...oat_odors.html

  #15   Report Post  
Larry
 
Posts: n/a
Default Virus Update- Is your name on the list?

On Mon, 29 Sep 2003 18:13:52 GMT, Doug Kanter wrote:

The SWEN-laden messages I'm getting have so far come from 218 different
addresses. How does Mailwasher deal with this? Seems too complicated for a
blacklisting scheme.


Actually, it is done using regex expressions, it doesn't rely on from
addresses at all. In MailWasher you set a filter to follow two rules:

The entire header contains RegExp Content-Type:
multipart/(mixed|alternative)

and

The entire header contains RegExp boundary\="([a-z][a-z]*)"

Try it.

I got that from a post by Ralph Fox. He uses this filter in Agent:

Content-Type: =%{multipart/(mixed|alternative); boundary="[a-z][a-z]*"}

which also works well.



"Larry" wrote in message
...
On 27 Sep 2003 19:46:34 -0500, noah wrote:

I received a message today, in Portuguese no less, listing my email
address, and a number of others in this group, as having been
harvested by the W32/swenn@mm worm.


...snip

I'm a newbie here, but not having seen mention of them, you folks should be
aware of a few programs which will help. Pop3ScanMail and MailWasher will
allow you to delete these on your server without first having to download
them. I use MailWasher Pro which allows blacklisting, whitelisting and
filters to help you automate these tasks. I'm using a filter for Swen
which is about 99% effective. Saves a LOT of time.
--

Larry
email is rapp at lmr dot com



--

Larry
email is rapp at lmr dot com


  #16   Report Post  
Peggie Hall
 
Posts: n/a
Default Virus Update- Is your name on the list?

Larry wrote:
Actually, it is done using regex expressions, it doesn't rely on from
addresses at all. In MailWasher you set a filter to follow two rules:

The entire header contains RegExp Content-Type:
multipart/(mixed|alternative)

and

The entire header contains RegExp boundary\="([a-z][a-z]*)"

Try it.


Would you mind explaining that to me in English? 'Cuz from your
example, it appears to me that would filter out everything. And why
would you use a filter instead of a wildcard on the blacklist?

If you want to move the lesson to email, my address is
.

Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and
Other Sources of Aggravation and Odor"
http://www.seaworthy.com/html/get_ri...oat_odors.html

  #17   Report Post  
noah
 
Posts: n/a
Default Virus Update- Is your name on the list?

On Sun, 28 Sep 2003 21:58:58 GMT, Dan Krueger
wrote:

Noah,

The problem with your theory is that you, like me, have a 10MB limit. I've been
getting 100 per day and I would suspect that if we had 50MB available, like
Stig, we would see more.

I'm using the Earthlink Spam Blocker, Netscape 7.X junk filter, and Mc Afee
Online Anti Virus. Even though I am blocking more and more email addresses
every day, new ones keep coming in. Mc Afee only catches a few and those don't
even have the "Swen" virus.

What I am getting are returned emails that I never sent and the MS patches. I
guess there is no way to block the returned emails since they aren't originating
from my computer.

In order to allow "real" email in, I have been cleaning my inbox from the office
through Earthlink Webmail. What a huge waste of time that is.

Good luck,
Dan


LOL! I don't have any theory Dan, I'm just bailing with the best of
'em!

This is a fairly sophisticated virus, in that it rips addy's from
newsgroups, address books, and "community boards". It also "fakes"
returned mail, in the expectation that you will open it.

It IS a huge waste of time, and if they ever catch the little
blighter, I hope they keel haul 'im! )

....carry on.
noah

To email me, please remove the "FISH" from the net.
  #18   Report Post  
noah
 
Posts: n/a
Default Virus Update- Is your name on the list?

On Mon, 29 Sep 2003 20:16:54 GMT, Larry wrote:

On Mon, 29 Sep 2003 18:13:52 GMT, Doug Kanter wrote:

The SWEN-laden messages I'm getting have so far come from 218 different
addresses. How does Mailwasher deal with this? Seems too complicated for a
blacklisting scheme.


Actually, it is done using regex expressions, it doesn't rely on from
addresses at all. In MailWasher you set a filter to follow two rules:

The entire header contains RegExp Content-Type:
multipart/(mixed|alternative)

and

The entire header contains RegExp boundary\="([a-z][a-z]*)"

Try it.

I got that from a post by Ralph Fox. He uses this filter in Agent:

Content-Type: =%{multipart/(mixed|alternative); boundary="[a-z][a-z]*"}

which also works well.



"Larry" wrote in message
...
On 27 Sep 2003 19:46:34 -0500, noah wrote:

I received a message today, in Portuguese no less, listing my email
address, and a number of others in this group, as having been
harvested by the W32/swenn@mm worm.

...snip

I'm a newbie here, but not having seen mention of them, you folks should be
aware of a few programs which will help. Pop3ScanMail and MailWasher will
allow you to delete these on your server without first having to download
them. I use MailWasher Pro which allows blacklisting, whitelisting and
filters to help you automate these tasks. I'm using a filter for Swen
which is about 99% effective. Saves a LOT of time.
--

Larry
email is rapp at lmr dot com



--

Larry- Thanks for this, I use Agent. I'll still need to visit the ISP
to dump the Viro-mail tho'.
....carry on.
noah

To email me, please remove the "FISH" from the net.
  #19   Report Post  
Larry
 
Posts: n/a
Default Virus Update- Is your name on the list?

On Mon, 29 Sep 2003 21:15:14 GMT, Peggie Hall wrote:

Larry wrote:
Actually, it is done using regex expressions, it doesn't rely on from
addresses at all. In MailWasher you set a filter to follow two rules:

The entire header contains RegExp Content-Type:
multipart/(mixed|alternative)

and

The entire header contains RegExp boundary\="([a-z][a-z]*)"

Try it.


Would you mind explaining that to me in English? 'Cuz from your
example, it appears to me that would filter out everything. And why
would you use a filter instead of a wildcard on the blacklist?

If you want to move the lesson to email, my address is
.

Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and
Other Sources of Aggravation and Odor"
http://www.seaworthy.com/html/get_ri...oat_odors.html


Hi Peggie,

Well, if you've tried it, you know that it won't filter everything. In
fact, it only filters Swen. Unfortunately, it doesn't work on all of them,
but here it gets about 98%. The reason I use a filter rather than a
blacklist is that this thing is temporary (at least I hope it is) and it is
constantly changing. You can have the filter add the address to the
blacklist if you like, but I doubt it will help much.

As for how it works, first I have to say that it isn't my work - I learned
of it from Ralph Fox on alt.usenet.offline-reader.forte-agent. Basically,
what he (or someone else) did was to note that all of the Swen posts were
coded as having a content type of either multipart/alternative or
multipart/mixed. The second thing is that their boundary is always
specified as a multi-character string of two or more characters. The two
regex expressions in the filters - Note: you must couple the two rules with
an "and" - handle this.

Hope this helps. If not, ask away.

--

Larry
email is rapp at lmr dot com
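
Added example, not part of any post in this thread: a Python sketch of the two-rule header filter described above, run over constructed headers to show why it does not match every message and where it can still misfire. The function names, sample headers and the case-sensitive, unanchored matching are assumptions made for illustration, not MailWasher's or Agent's own behaviour.

```python
import re

# The two MailWasher rules quoted in the thread, ANDed over the whole header
# block. Assumption: "contains RegExp" means an unanchored, case-sensitive search.
RULE_CONTENT_TYPE = re.compile(r'Content-Type: multipart/(mixed|alternative)')
RULE_BOUNDARY = re.compile(r'boundary\="([a-z][a-z]*)"')


def header_block(raw_message):
    """Return the text before the first blank line, i.e. the full header."""
    return raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]


def matches_filter(raw_message):
    """True only when both rules hit somewhere in the header block."""
    headers = header_block(raw_message)
    return bool(RULE_CONTENT_TYPE.search(headers)
                and RULE_BOUNDARY.search(headers))


# Constructed sample messages (not captured mail); addresses are placeholders.
SAMPLES = {
    # Lowercase-letters-only boundary on a folded continuation line.
    "worm_like": ('From: sender@example.invalid\nSubject: constructed sample\n'
                  'Content-Type: multipart/mixed;\n\tboundary="xqzkvwpfhd"\n\n'
                  'body'),
    # Typical mail-client boundary: dashes, digits, capitals, so rule 2 fails.
    "client_attachment": ('From: friend@example.invalid\n'
                          'Content-Type: multipart/mixed;\n'
                          '\tboundary="----=_NextPart_000_0007_01C38612"\n\n'
                          'body'),
    # Not multipart at all: rule 1 fails, and charset="..." is not a boundary.
    "plain_text": ('From: list@example.invalid\n'
                   'Content-Type: text/plain; charset="us-ascii"\n\nbody'),
    # Lowercase boundary but a different multipart subtype: rule 1 fails.
    "related": ('From: news@example.invalid\n'
                'Content-Type: multipart/related; boundary="abcdef"\n\nbody'),
    # Limitation: a legitimate sender with an all-lowercase boundary matches.
    "legit_lowercase": ('From: friend@example.invalid\n'
                        'Content-Type: multipart/alternative; '
                        'boundary="frontier"\n\nbody'),
}


def classify(samples=SAMPLES):
    return {name: matches_filter(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:18} {'DELETE' if hit else 'keep'}")
```

The last sample is the case to check before letting such a filter delete automatically: any sender whose software generates an all-lowercase boundary is caught too.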
  #20   Report Post  
Peggie Hall
 
Posts: n/a
Default Virus Update- Is your name on the list?

Hmmm...methinks you may be doing it the hard way.

I got the same virus email...sender's address was @ms.com. That's not a
legitimate address for anyone who'd be sending me mail...and, it's on
the SpamCop list...AND--Microsoft doesn't send emails unless you've
subscribed to their update alerts. So, I blacklisted *ms.com and haven't
seen a one since then. No need to filter the subject line or
anything...ALL mail from any sender using an @ms.com address is
automatically deleted and bounced back as undeliverable to my address.

I suspect you rely much more on filters than on the blacklist....I did
too when I first installed Mailwasher...till I figured out how to use
the blacklist. Once I figured it out--which was about a year ago--I
deleted almost all the filters...only have 4 left, and they only mark
for delete, nothing else. Everything else goes on the blacklist, 99% of
which is wildcard expressions. Mailwasher purges any that haven't been
used in a preset number of days...the default is 200 days...I reduced it
to 90, figuring that's about as long as spammers and virus propagators
ever use the same one. About once a week I go into it and edit
spammers' email addresses to wildcards...and so far, it's working...I'm
only actually seeing about 5 emails a day that aren't legitimate, and I
get to blacklist those.

So if you haven't, you might spend some time exploring how the blacklist
actually works--how to turn email addresses into wildcard expressions.
'Cuz they really cut down on the number of filters needed. In fact, the
only thing I use filters for is to screen the headers on the email lists
I'm subscribed to, so I only download the topics I want to participate
in. The rest, I just leave marked for delete--not blacklisted, not
bounced...just deleted off the server.

Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and
Other Sources of Aggravation and Odor"
http://shop.sailboatowners.com/detai...=400&group=327

http://www.seaworthy.com/html/get_ri...oat_odors.html
