Is SWEN back?
I hadn't seen any SWEN in months, so I slipped up and posted a few messages to the list using my regular account (instead of this HOTMAIL account set up only for posting to debian-user and receiving all of my SWEN). Yesterday, I received what looked like a SWEN e-mail. The subject was Security Update. The payload had already been stripped, so I don't know if the size matched SWEN, or not.

Has anyone else started receiving SWEN again (or has it been out there all along, and I have just been lucky)?

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Is SWEN back?
on Mon, Apr 19, 2004 at 12:14:15PM -0400, Marc Shapiro ([EMAIL PROTECTED]) wrote:
> I hadn't seen any SWEN in months,

Until I finally caved and activated my ISP's virus blocking/stripping solution (I'd rather just block the fsckers at SMTP time -- and *shock*, my ISP appears to be doing this at least sometime now), I was seeing perhaps 20-40 a day. Well down from peak. But not even hardly gone. Mostly coming from highly rfc-ignorant domains / ASNs.

> so I slipped up and posted a few messages to the list using my regular account (instead of this HOTMAIL account set up only for posting to debian-user and receiving all of my SWEN). Yesterday, I received what looked like a SWEN e-mail. The subject was Security Update. The payload had already been stripped, so I don't know if the size matched SWEN, or not. Has anyone else started receiving SWEN again (or has it been out there all along, and I have just been lucky)?

There are numerous malware engines which scan recent Usenet posts (d-u is gatewayed to several groups) and will generate spam to people posting.

While viruses don't _infect_ GNU/Linux systems, they do _affect_ them, and appropriate AV filtering of mail can be useful.

Peace.

--
Karsten M. Self [EMAIL PROTECTED]    http://kmself.home.netcom.com/
 What Part of Gestalt don't you understand?
 Many hands make light work.
Re: Is SWEN back?
Marc Shapiro wrote:
> I hadn't seen any SWEN in months, so I slipped up and posted a few messages to the list using my regular account (instead of this HOTMAIL account set up only for posting to debian-user and receiving all of my SWEN). Yesterday, I received what looked like a SWEN e-mail. The subject was Security Update. The payload had already been stripped, so I don't know if the size matched SWEN, or not. Has anyone else started receiving SWEN again (or has it been out there all along, and I have just been lucky)?

You've been lucky.

Regards,
David.
Re: Is SWEN back?
Marc Shapiro wrote:
> I hadn't seen any SWEN in months, so I slipped up and posted a few messages to the list using my regular account (instead of this HOTMAIL account set up only for posting to debian-user and receiving all of my SWEN). Yesterday, I received what looked like a SWEN e-mail. The subject was Security Update. The payload had already been stripped, so I don't know if the size matched SWEN, or not. Has anyone else started receiving SWEN again (or has it been out there all along, and I have just been lucky)?

I ignorantly gave the good email address to a window$ user and sure enough, the 145K at a clip sven's are there now :-(

Hugo
Is swen back?
Got 200 plus mail bombs in my pop3 account this morning. Luckily I used Kmail and filtered (deleted) every incoming message of size greater than 40Kb.

Just wondering, is swen back from holiday? How you people managing?

--
Alphonse Ogulla
Nairobi, Kenya
Re: Is swen back?
Hello

Alphonse Ogulla ([EMAIL PROTECTED]) wrote:
> Got 200 plus mail bombs in my pop3 account this morning. Luckily I used Kmail and filtered (deleted) every incoming message of size greater than 40Kb. Just wondering, is swen back from holiday? How you people managing?

From my point of view, it looks like it never really went away. Over the last months, I get between 30 to 50 of this viruses, mostly swen, every day. Sometimes until the daily forwarding quota for my bigfoot account is exceeded.

best regards
Andreas Janssen

--
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674
Registered Linux User #267976
Re: Is swen back?
* Alphonse Ogulla [EMAIL PROTECTED] [2004-01-19 08:01]:
> Got 200 plus mail bombs in my pop3 account this morning. Luckily I used Kmail and filtered (deleted) every incoming message of size greater than 40Kb. Just wondering, is swen back from holiday? How you people managing?

I have been getting hit again too. I assumed it was people that received computers for the holiday and were quickly infected.

Lou Losee
Re: Is swen back?
Andreas Janssen writes:
> Alphonse Ogulla ([EMAIL PROTECTED]) wrote:
> > Got 200 plus mail bombs in my pop3 account this morning. Luckily I used Kmail and filtered (deleted) every incoming message of size greater than 40Kb. Just wondering, is swen back from holiday? How you people managing?
>
> From my point of view, it looks like it never really went away. Over the last months, I get between 30 to 50 of this viruses, mostly swen, every day. Sometimes until the daily forwarding quota for my bigfoot account is exceeded.

FYI, if you are running procmail in a shell account:

    :0 BD
    * ^(T(24gRXJ|V(oAAAI|pQAAI|psAAE|qQAAM))|(UEsDBBQ))
    /dev/null

in your ~/.procmailrc will catch most M$ executables in your e-mail and trash them. Be advised that if you expect executables in your e-mail, it will trash them too, as well as zipped files-so you would have to make a policy on that.

John

BTW, the recipe looks for the base64 encoded M$ executable header/loader information in the beginning of the file in the e-mail body. See /usr/share/misc/magic for particulars.

--
John Conover, [EMAIL PROTECTED], http://www.johncon.com/
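The condition from the recipe in the message above, decoded and run against constructed messages, as an added example that is not part of the original thread. The helper names (`decoded_prefix`, `build_message`, `recipe_would_trash`) and the sample header bytes are assumptions made up for this illustration; only the regular expression comes from the post.

```python
import base64
import re
from email.message import EmailMessage

# Condition copied from the recipe; re.M mirrors procmail's per-line ^ anchor,
# and Python's default case-sensitive matching corresponds to the D flag.
RECIPE = re.compile(r"^(T(24gRXJ|V(oAAAI|pQAAI|psAAE|qQAAM))|(UEsDBBQ))", re.M)
PREFIXES = ["T24gRXJ", "TVoAAAI", "TVpQAAI", "TVpsAAE", "TVqQAAM", "UEsDBBQ"]

# Constructed sample bytes: only leading header bytes, not working files.
EXE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
ZIP_HEAD = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20
PDF_HEAD = b"%PDF-1.4\n% constructed sample\n"


def decoded_prefix(b64_prefix):
    """Return the whole bytes that a base64 prefix from the recipe stands for."""
    padded = b64_prefix + "A" * (-len(b64_prefix) % 4)
    return base64.b64decode(padded)[: len(b64_prefix) * 6 // 8]


def build_message(attachment=None, filename="sample.bin"):
    """Build a constructed message, optionally with a base64 attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body with no attachment.")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


def recipe_would_trash(raw_message):
    """Apply the condition to the body only, as the recipe's B flag does."""
    _headers, _sep, body = raw_message.partition("\n\n")
    return RECIPE.search(body) is not None


if __name__ == "__main__":
    for prefix in PREFIXES:
        print(prefix, "->", decoded_prefix(prefix))
    for name, data in [("exe", EXE_HEAD), ("zip", ZIP_HEAD),
                       ("pdf", PDF_HEAD), ("text only", None)]:
        print(name, "->", recipe_would_trash(build_message(data)))
```

The zip case shows the caveat from the post: any attachment that starts with a ZIP local file header is discarded along with the executables.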
Re: Is swen back?
On Mon, 19 Jan 2004 18:18:09 +0300, Alphonse Ogulla wrote:
> Got 200 plus mail bombs in my pop3 account this morning. Luckily I used Kmail and filtered (deleted) every incoming message of size greater than 40Kb. Just wondering, is swen back from holiday? How you people managing?

I've been getting over a dozen a day for the last couple of months :( Most are undeliverable mail messages of one sort or another, with the occasional Microsoft Security Update thrown in. At least my ISP's virus scanning software removes the payloads.

I am, perversely, relieved to see your post. I was beginning to think that it was just me.

--
paul

It is important to realize that any lock can be picked with a big enough hammer.
    -- Sun System Network Admin manual
Re: Is swen back?
On Mon, Jan 19, 2004 at 06:18:09PM +0300, Alphonse Ogulla wrote:
> Got 200 plus mail bombs in my pop3 account this morning.

Do this to your mail server: http://ursine.ca/~baloo/clamd-exiscan.txt

--
 .''`.     Paul Johnson [EMAIL PROTECTED]
: :'  :
`. `'`     proud Debian admin and user
  `-       Debian - when you have better things to do than fix a system
Re: Is swen back?
Hello

John Conover ([EMAIL PROTECTED]) wrote:
> Andreas Janssen writes:
> > Alphonse Ogulla ([EMAIL PROTECTED]) wrote:
> > > Got 200 plus mail bombs in my pop3 account this morning. Luckily I used Kmail and filtered (deleted) every incoming message of size greater than 40Kb. Just wondering, is swen back from holiday? How you people managing?
> >
> > From my point of view, it looks like it never really went away. Over the last months, I get between 30 to 50 of this viruses, mostly swen, every day. Sometimes until the daily forwarding quota for my bigfoot account is exceeded.
>
> FYI, if you are running procmail in a shell account:
>
>     :0 BD
>     * ^(T(24gRXJ|V(oAAAI|pQAAI|psAAE|qQAAM))|(UEsDBBQ))
>     /dev/null
>
> in your ~/.procmailrc will catch most M$ executables in your e-mail and trash them. [...]

Thanks, but I am connected to the internet using an analog modem, so the way for me to get rid of them is deleting them on the server. I really don't want to download some MB of viruses every day only to delete them right afterwards :-)

best regards
Andreas Janssen

--
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674
Registered Linux User #267976
Re: Is swen back?
On Mon, 19 Jan 2004 17:50:12 +0100, Andreas Janssen wrote:
> Hello
>
> John Conover ([EMAIL PROTECTED]) wrote:
> > Andreas Janssen writes:
> > ...
> > FYI, if you are running procmail in a shell account:
> >
> >     :0 BD
> >     * ^(T(24gRXJ|V(oAAAI|pQAAI|psAAE|qQAAM))|(UEsDBBQ))
> >     /dev/null
> >
> > in your ~/.procmailrc will catch most M$ executables in your e-mail and trash them. [...]
>
> Thanks, but I am connected to the internet using an analog modem, so the way for me to get rid of them is deleting them on the server. I really don't want to download some MB of viruses every day only to delete them right afterwards :-)

mailfilter is good for filtering out swen and the like. I have set it to delete all messages over 146888K on this email account (this is not my main account, so I don't expect to receive large attachments here anyway).
Re: Is swen back?
hi ya

On Mon, 19 Jan 2004, Lou Losee wrote:
> * Alphonse Ogulla [EMAIL PROTECTED] [2004-01-19 08:01]:
> > Got 200 plus mail bombs in my pop3 account this morning. Luckily I used Kmail and filtered (deleted) every incoming message of size greater than 40Kb. Just wondering, is swen back from holiday? How you people managing?
>
> I have been getting hit again too. I assumed it was people that received computers for the holiday and were quickly infected.

i used to get several hundred a day ... now i get few-a-day for my daily dose and the amt hasnt changed in weeks ( since Nov 26 timeframe)...

any that gets thru goes into /etc/mail/access

http://www.Linux-Sec.net/Mail/SpamVirus/Sven/
( sven comes from the same mis-managed servers )

- i/client wanted to know where its coming from .. vs just dropping um
  on the one email acct that sven liked:

    root# grep -i microsoft /var/log/maillog* | wc -l
    353
    root# grep -i microsoft /var/log.2003_Dec/maillog* | wc -l
    421
    root# grep -i microsoft /var/log.2003_Nov/maillog* | wc -l
    803
    root# grep -i microsoft /var/log.2003_Oct/maillog* | wc -l
    2237
    root# grep -i microsoft /var/log.2003_Sep/maillog* | wc -l
    459

- its tolerable compared to the thousands of other real mail ..

c ya
alvin
Re: Is swen back?
Andreas Janssen ([EMAIL PROTECTED]) is reported to have said:
> Hello
>
> John Conover ([EMAIL PROTECTED]) wrote:
> > Andreas Janssen writes:
>
> Thanks, but I am connected to the internet using an analog modem, so the way for me to get rid of them is deleting them on the server. I really don't want to download some MB of viruses every day only to delete them right afterwards :-)
>
> best regards
> Andreas Janssen

If you're downloading from a pop3 server take a look at mailfilter. It deletes mail at the server. I haven't seen any swen stuff since installing and configuring it.

HTH=Hope This Helps, YMMV=Your Mileage May Vary, HAND=Have A Nice Day

Wayne

--
What this country needs is a good five cent microcomputer.
Re: Is swen back?
On Mon, Jan 19, 2004 at 04:52:54PM +0100, Andreas Janssen wrote:
> Thanks, but I am connected to the internet using an analog modem, so the way for me to get rid of them is deleting them on the server.

You're on a dialup ISP and they don't offer a shell account for you to use procmail with? Go find a smaller, more clueful ISP. 8:o)

--
 .''`.     Paul Johnson [EMAIL PROTECTED]
: :'  :
`. `'`     proud Debian admin and user
  `-       Debian - when you have better things to do than fix a system
Re: Is swen back?
On Mon, Jan 19, 2004 at 06:16:02PM +, duck wrote:
> > Thanks, but I am connected to the internet using an analog modem, so the way for me to get rid of them is deleting them on the server. I really don't want to download some MB of viruses every day only to delete them right afterwards :-)
>
> mailfilter is good for filtering out swen and the like. I have set it to delete all messages over 146888K on this email account (this is not my main account, so I don't expect to receive large attachments here anyway).

My preferred mailfilter rules (for this mailing list only):

    DENY^X-Mailing-List:[EMAIL PROTECTED]
    DENY=^Content-Type:.*text/html
    DENY=^Subject:.subscribe
    DENY=^Subject:.unsubscribe

regards

--
Wilko Fokken             Education is a man's going
Landschaftspolder 67     from cocksure ignorance
D-26831 Dollart          to thoughtful uncertainty.
Tel. 04953-382
Re: Is swen back?
On Tue, Jan 20, 2004 at 06:40:58AM +0100, Wilko Fokken wrote:
>     DENY^X-Mailing-List:[EMAIL PROTECTED]
>     DENY=^Content-Type:.*text/html
>     DENY=^Subject:.subscribe
>     DENY=^Subject:.unsubscribe

That looks like a remarkably sensible set of rules. What's your false positive/negative hit rate? It should be perfect.