Message-ID: <1064415589.15384.15.camel@parker>
From: evan.borgstrom at ca.mci.com (Evan Borgstrom)
Subject: Swen Really Sucks
http://tmda.sourceforge.net
Blacklist centric message system.
I haven't seen a single swen message yet. It doesn't solve the bandwidth
problem but at least it solves the problem of the messages appearing in
your inbox.
On Wed, 2003-09-24 at 03:29, Peter Busser wrote:
> Hi!
>
> > Therefore, no IP, e-mail, or domain filter will solve the problem
> > completely without filtering every single possible permutation of From:
> > address that the virus spits out...
>
> I use several procmail rules to filter out domains (microsoft.com, msdn.com,
> etc.) in From: and From, To: (e.g. microsoft.com) and certain words in the
> subject (e.g. Microsoft). Since the virus depends on looking like an authentic
> message, it can't do too much randomisation of the domains and subject lines.
> Of course the filtering is not perfect, but it still reduces the number of
> virus messages hitting the inbox.
>
> Removing messages with an executable attachment will also help of course.
> Except with the messages sent to mailing lists that remove attachments
> altogether.
>
> > and using the "From" address rather than
> > the "From:" address for the filter doesn't work, either, because the "From"
> > address appears to be a different non-randomized e-mail address, possibly the
> > real e-mail address of the infected victim (? haven't read any forensic
> > analysis on this point yet...)
>
> Does this imply that your e-mail filter does not understand regular
> expressions?
>
> Groetjes,
> Peter Busser
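
The three checks described in the quoted message (domain in From:/To:/envelope "From ", subject keyword, executable attachment), as an added Python example that is not part of the original thread. The pattern lists, function names and sample message are assumptions constructed for illustration; the post itself names only microsoft.com, msdn.com and "Microsoft".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed pattern lists, extended from the examples named in the post.
SPOOFED_DOMAINS = re.compile(r"(^|\.)(microsoft|msdn)\.com$", re.I)
SUBJECT_WORDS = re.compile(r"\bmicrosoft\b", re.I)
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|bat|com)$", re.I)

def domain_of(value):
    """Domain part of an address header value, or '' if there is none."""
    return parseaddr(value or "")[1].rpartition("@")[2]

def classify(raw):
    """Return the reasons an mbox-style message would be filtered."""
    envelope = ""
    if raw.startswith("From "):  # envelope line, which procmail calls From_
        first, _, raw = raw.partition("\n")
        envelope = (first.split() + [""])[1]
    msg = message_from_string(raw)
    reasons = []
    for label, value in (("From:", msg["From"]), ("To:", msg["To"]),
                         ("From_", envelope)):
        if SPOOFED_DOMAINS.search(domain_of(value)):
            reasons.append("domain in " + label)
    if SUBJECT_WORDS.search(msg["Subject"] or ""):
        reasons.append("subject keyword")
    if any(EXECUTABLE_EXT.search(p.get_filename() or "") for p in msg.walk()):
        reasons.append("executable attachment")
    return reasons

# Constructed sample: forged From: header, unrelated envelope sender.
SAMPLE_FORGED = """From victim@example.net Wed Sep 24 03:29:00 2003
From: "MS Security" <security@newsletters.microsoft.com>
To: customer@example.org
Subject: Latest Microsoft Security Update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch.exe"

(constructed placeholder, no real payload)
--b1--
"""

if __name__ == "__main__":
    print(classify(SAMPLE_FORGED))
```

The envelope sender in the sample matches no pattern, so only the From: header, subject and attachment checks fire, which is the From versus From: distinction the thread discusses.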