Since September 19, I have so far received almost 5,500 e-mail with the
W32.Swen.A@mm worm in the attachment (the fake Microsoft update patch),
and I'm still receiving something about 100-150 every day.

Some time ago, I started to send abuse messages to the senders ISP.
However, I could have saved me the hard work of locating the infected
senders ISP, and instead sent an alert message directly to the infected
sender.

Here is a header sample from one of the latest Swen.A-infected e-mails I
have received:

From - Sat Oct 25 21:42:16 2003
Return-Path:
Received: from vump (ti200720a149-0067.dialup.online.no [130.67.192.195])
by mail41.fg.online.no (8.9.3p2/8.9.3) with SMTP id TAA23439; Sat, 25 Oct 2003 19:12:43 +0200 (CEST)
Date: Sat, 25 Oct 2003 19:12:43 +0200 (CEST)
Message-Id:
From: MS Net Email Delivery Service
To: Internet User
Subject: failure announcement

Both the "From:"-line and the "To:"-line contain fake e-mail addresses
(that is quite obvious).

However, the "Return-Path:"-line is NOT faked, i.e. the e-mail address
found here is the _REAL_ e-mail address of the infected sender!

This is somewhat unlike other mass-mailing worms (e.g. Klez.H and
Sobig.F) that fake every single e-mail address in the header so it's
completly impossible to know the real sender without doing the trouble
to send an abuse through the senders ISP (if one is able to find out who
the senders ISP is).



Stig Arne Bye

E-mail ......:
Contact .....: AOL IM: VT480TFE / MSN: / ICQ: 403349
Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway
Homepage ....: http://home.online.no/~stigbye/index.html
------------------------------------------------------------------------
Located just about 70°N 30°E - Almost at the top of the world!