#11
Virus Update- Is your name on the list?
On 27 Sep 2003 19:46:34 -0500, noah wrote:
I received a message today, in Portuguese no less, listing my email address, and a number of others in this group, as having been harvested by the W32/swenn@mm worm. ....snip

I'm a newbie here, but not having seen mention of them, you folks should be aware of a few programs which will help. Pop3ScanMail and MailWasher will allow you to delete these on your server without first having to download them. I use MailWasher Pro which allows blacklisting, whitelisting and filters to help you automate these tasks. I'm using a filter for Swen which is about 99% effective. Saves a LOT of time.

--
Larry
email is rapp at lmr dot com
#12
The SWEN-laden messages I'm getting have so far come from 218 different addresses. How does Mailwasher deal with this? Seems too complicated for a blacklisting scheme.

"Larry" wrote in message ...
On 27 Sep 2003 19:46:34 -0500, noah wrote:

I received a message today, in Portuguese no less, listing my email address, and a number of others in this group, as having been harvested by the W32/swenn@mm worm. ...snip

I'm a newbie here, but not having seen mention of them, you folks should be aware of a few programs which will help. Pop3ScanMail and MailWasher will allow you to delete these on your server without first having to download them. I use MailWasher Pro which allows blacklisting, whitelisting and filters to help you automate these tasks. I'm using a filter for Swen which is about 99% effective. Saves a LOT of time.

--
Larry
email is rapp at lmr dot com
#13
Larry wrote:
I'm a newbie here, but not having seen mention of them, you folks should be aware of a few programs which will help. Pop3ScanMail and MailWasher will allow you to delete these on your server without first having to download them. I use MailWasher Pro which allows blacklisting, whitelisting and filters to help you automate these tasks. I'm using a filter for Swen which is about 99% effective. Saves a LOT of time.

I've been using the freeware version of Mailwasher for nearly a year...just leave it running in the background all the time. Someone on a sailnet list I'm on put me onto it, and it's cut the amount of spam I ever actually see down from over 100/day to less than 5. It also deletes mail--and also bounces anything blacklisted back to the spammer as undeliverable mail directly from my ISP's mail server. It takes a little tweaking about once a week to keep the blacklist up to date, but I love it! Also has filters that allow me to screen and delete before downloading any posts that don't interest me on the e-mail lists I'm on.

Once in a while it's a little overprotective and bounces a legitimate email--for instance, I've included a wildcard expression on the blacklist to delete any mail with *free* in the return address, so it thought an email from a friend whose last name is Freeman was spam and bounced it. But when I found out, all it took to fix it was adding his email address to the "friends" list.

Fwiw, just munging an email address slightly (i.e. @msndotREMOVE THIS.com...or tomATaol.com etc) won't defeat spammers' harvesting software...they have other software that cleans it up. That's why I use clue in it as to my real address. It was working here...I wasn't getting any spam till I made the mistake of joining a game site called jackpot.com that ignores opt out requests and has software that knows how to collect the address from everyone that even closes popups. Within 24 hours after joining, my spam went from -0- to 50 to over 100 a day and increasing daily.

Check out mailwasher...I think you'll like it. It's at http://www.mailwasher.net

Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and Other Sources of Aggravation and Odor"
http://www.seaworthy.com/html/get_ri...oat_odors.html
#14
Doug Kanter wrote:

The SWEN-laden messages I'm getting have so far come from 218 different addresses. How does Mailwasher deal with this? Seems too complicated for a blacklisting scheme.

Find the identical element in the return address or subject line, add it to the blacklist as a "wildcard" expression. Then mailwasher knows to automatically delete and bounce all mail that has that element in it.

In the options, you can also choose for it to automatically delete and bounce anything on the Spamcop, ORDB and VISI spam lists. It then adds those email addresses to your blacklist...you can go in and edit that to create wildcards. For instance...there's a spammer who seems to like to use names of metals in his return etc. So I've created wildcards to bounce anything from from (the asterisks represent 0-any characters). Haven't actually seen another one from that source since I figured it out.

It sounds a lot more complicated than it is.

Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and Other Sources of Aggravation and Odor"
http://www.seaworthy.com/html/get_ri...oat_odors.html
#15
On Mon, 29 Sep 2003 18:13:52 GMT, Doug Kanter wrote:
The SWEN-laden messages I'm getting have so far come from 218 different addresses. How does Mailwasher deal with this? Seems too complicated for a blacklisting scheme.

Actually, it is done using regex expressions, it doesn't rely on from addresses at all. In MailWasher you set a filter to follow two rules:

The entire header contains RegExp Content-Type: multipart/(mixed|alternative)
and
The entire header contains RegExp boundary\="([a-z][a-z]*)"

Try it. I got that from a post by Ralph Fox. He uses this filter in Agent:

Content-Type: =%{multipart/(mixed|alternative); boundary="[a-z][a-z]*"}

which also works well.

"Larry" wrote in message ...
On 27 Sep 2003 19:46:34 -0500, noah wrote:

I received a message today, in Portuguese no less, listing my email address, and a number of others in this group, as having been harvested by the W32/swenn@mm worm. ...snip

I'm a newbie here, but not having seen mention of them, you folks should be aware of a few programs which will help. Pop3ScanMail and MailWasher will allow you to delete these on your server without first having to download them. I use MailWasher Pro which allows blacklisting, whitelisting and filters to help you automate these tasks. I'm using a filter for Swen which is about 99% effective. Saves a LOT of time.

-- Larry email is rapp at lmr dot com
--

--
Larry
email is rapp at lmr dot com
#16
Larry wrote:
Actually, it is done using regex expressions, it doesn't rely on from addresses at all. In MailWasher you set a filter to follow two rules:

The entire header contains RegExp Content-Type: multipart/(mixed|alternative)
and
The entire header contains RegExp boundary\="([a-z][a-z]*)"

Try it.

Would you mind explaining that to me in English? 'Cuz from your example, it appears to me that would filter out everything. And why would you use a filter instead of a wildcard on the blacklist? If you want to move the lesson to email, my address is .

Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and Other Sources of Aggravation and Odor"
http://www.seaworthy.com/html/get_ri...oat_odors.html
#17
On Sun, 28 Sep 2003 21:58:58 GMT, Dan Krueger wrote:

Noah, The problem with your theory is that you, like me, have a 10MB limit. I've been getting 100 per day and I would suspect that if we had 50MB available, like Stig, we would see more. I'm using the Earthlink Spam Blocker, Netscape 7.X junk filter, and Mc Afee Online Anti Virus. Even though I am blocking more and more email addresses every day, new ones keep coming in. Mc Afee only catches a few and those don't even have the "Swen" virus. What I am getting are returned emails that I never sent and the MS patches. I guess there is no way to block the returned emails since they aren't originating from my computer. In order to allow "real" email in, I have been cleaning my inbox from the office through Earthlink Webmail. What a huge waste of time that is. Good luck, Dan

LOL! I don't have any theory Dan, I'm just bailing with the best of 'em! This is a fairly sophisticated virus, in that it rips addy's from newsgroups, address books, and "community boards". It also "fakes" returned mail, in the expectation that you will open it. It IS a huge waste of time, and if they ever catch the little blighter, I hope they keel haul 'im! )

....carry on.
noah
To email me, please remove the "FISH" from the net.
#18
On Mon, 29 Sep 2003 20:16:54 GMT, Larry wrote:
On Mon, 29 Sep 2003 18:13:52 GMT, Doug Kanter wrote:

The SWEN-laden messages I'm getting have so far come from 218 different addresses. How does Mailwasher deal with this? Seems too complicated for a blacklisting scheme.

Actually, it is done using regex expressions, it doesn't rely on from addresses at all. In MailWasher you set a filter to follow two rules:

The entire header contains RegExp Content-Type: multipart/(mixed|alternative)
and
The entire header contains RegExp boundary\="([a-z][a-z]*)"

Try it. I got that from a post by Ralph Fox. He uses this filter in Agent:

Content-Type: =%{multipart/(mixed|alternative); boundary="[a-z][a-z]*"}

which also works well.

"Larry" wrote in message ...
On 27 Sep 2003 19:46:34 -0500, noah wrote:

I received a message today, in Portuguese no less, listing my email address, and a number of others in this group, as having been harvested by the W32/swenn@mm worm. ...snip

I'm a newbie here, but not having seen mention of them, you folks should be aware of a few programs which will help. Pop3ScanMail and MailWasher will allow you to delete these on your server without first having to download them. I use MailWasher Pro which allows blacklisting, whitelisting and filters to help you automate these tasks. I'm using a filter for Swen which is about 99% effective. Saves a LOT of time.

-- Larry email is rapp at lmr dot com
--

Larry- Thanks for this, I use Agent. I'll still need to visit the ISP to dump the Viro-mail tho'.

....carry on.
noah
To email me, please remove the "FISH" from the net.
#19
On Mon, 29 Sep 2003 21:15:14 GMT, Peggie Hall wrote:
Larry wrote:

Actually, it is done using regex expressions, it doesn't rely on from addresses at all. In MailWasher you set a filter to follow two rules:

The entire header contains RegExp Content-Type: multipart/(mixed|alternative)
and
The entire header contains RegExp boundary\="([a-z][a-z]*)"

Try it.

Would you mind explaining that to me in English? 'Cuz from your example, it appears to me that would filter out everything. And why would you use a filter instead of a wildcard on the blacklist? If you want to move the lesson to email, my address is .

Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and Other Sources of Aggravation and Odor"
http://www.seaworthy.com/html/get_ri...oat_odors.html

Hi Peggie,

Well, if you've tried it, you know that it won't filter everything. In fact, it only filters Swen. Unfortunately, it doesn't work on all of them, but here it gets about 98%.

The reason I use a filter rather than a blacklist is that this thing is temporary (at least I hope it is) and it is constantly changing. You can have the filter add the address to the blacklist if you like, but I doubt it will help much.

As for how it works, first I have to say that it isn't my work - I learned of it from Ralph Fox on alt.usenet.offline-reader.forte-agent. Basically, what he (or someone else) did was to note that all of the Swen posts were coded as having a content type of either multipart/alternative or multipart/mixed. The second thing is that their boundary is always specified as a multi-character string of two or more characters. The two regex expressions in the filters - Note: you must couple the two rules with an "and" - handle this.

Hope this helps. If not, ask away.

--
Larry
email is rapp at lmr dot com
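The two-rule header filter discussed in the post above, as an added example that is not part of the original thread and is not MailWasher's own code. It assumes MailWasher's RegExp rules behave like a case-sensitive Python `re.search` over the raw header text; every sample message is constructed.

```python
import re

# The two MailWasher rules exactly as posted in the thread; both must match.
RULE_TYPE = re.compile(r'Content-Type: multipart/(mixed|alternative)')
RULE_BOUNDARY = re.compile(r'boundary\="([a-z][a-z]*)"')

def header_block(raw: str) -> str:
    """Everything before the first blank line, i.e. "the entire header"."""
    return re.split(r'\r?\n\r?\n', raw, maxsplit=1)[0]

def matches_filter(raw: str) -> bool:
    """Rule 1 AND rule 2, each searched independently over the header."""
    hdr = header_block(raw)
    return bool(RULE_TYPE.search(hdr)) and bool(RULE_BOUNDARY.search(hdr))

# Constructed sample messages (addresses and boundaries are made up).
SAMPLES = {
    # Lowercase-only boundary on a folded continuation line.
    "worm_like_folded": 'From: a1@example.invalid\n'
                        'Content-Type: multipart/mixed;\n'
                        '\tboundary="qzkvhtbxwm"\n\nbody\n',
    # Different sender, same header shape: no blacklist entry needed.
    "worm_like_other_sender": 'From: b2@example.invalid\n'
                              'Content-Type: multipart/alternative; boundary="lmnopq"\n\nbody\n',
    # Ordinary multipart mail: rule 1 matches, rule 2 does not.
    "normal_multipart": 'From: friend@example.invalid\n'
                        'Content-Type: multipart/alternative;\n'
                        '\tboundary="----=_NextPart_000_0007_01C38600.AAAA0000"\n\nbody\n',
    # Plain text whose body quotes the pattern; the body is never searched.
    "plain_text": 'From: list@example.invalid\n'
                  'Content-Type: text/plain; charset="us-ascii"\n\n'
                  'He filters on boundary="abc" in the header.\n',
    # Caveat: a legitimate sender with a lowercase-only boundary is also caught.
    "legit_lowercase_boundary": 'From: news@example.invalid\n'
                                'Content-Type: multipart/mixed; boundary="frontier"\n\nbody\n',
}

def classify_all() -> dict:
    return {name: matches_filter(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_all().items():
        print(f"{name:26} {'delete' if hit else 'keep'}")
```

Because each rule is searched over the whole header on its own, the match survives a `Content-Type` line that is folded across two lines, which a single-line pattern would miss. The last sample is the reason to review what such a filter marks before deleting it from the server.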
#20
Hmmm...methinks you may be doing it the hard way.
I got the same virus email...sender's address was @ms.com. That's not a legitimate address for anyone who'd be sending me mail...and, it's on the SpamCop list...AND--Microsoft doesn't send emails unless you've subscribed to their update alerts. So, I blacklisted *ms.com and haven't seen a one since then. No need to filter the subject line or anything...ALL mail from any sender using an @ms.com address is automatically deleted and bounced back as undeliverable to my address.

I suspect you rely much more on filters than on the blacklist....I did too when I first installed Mailwasher...till I figured out how to use the blacklist. Once I figured it out--which was about a year ago--I deleted almost all the filters...only have 4 left, and they only mark for delete, nothing else. Everything else goes on the blacklist, 99% of which is wildcard expressions. Mailwasher purges any that haven't been used in a preset number of days...the default is 200 days...I reduced it to 90, figuring that's about as long as spammers and virus propagators ever use the same one. About once a week I go into it and edit spammers' email addresses to wildcards...and so far, it's working...I'm only actually seeing about 5 emails a day that aren't legitimate, and I get to blacklist those.

So if you haven't, you might spend some time exploring how the blacklist actually works--how to turn email addresses into wildcard expressions. 'Cuz they really cut down on the number of filters needed. In fact, the only thing I use filters for is to screen the headers on the email lists I'm subscribed to, so I only download the topics I want to participate in. The rest, I just leave marked for delete--not blacklisted, not bounced...just deleted off the server.

Peggie
----------
Peggie Hall
Specializing in marine sanitation since 1987
Author "Get Rid of Boat Odors - A Guide To Marine Sanitation Systems and Other Sources of Aggravation and Odor"
http://shop.sailboatowners.com/detai...=400&group=327
http://www.seaworthy.com/html/get_ri...oat_odors.html