Computer Security - "Microsoft" Spam Attack--Help!

#1

Might be a good idea if savvy users posted their own solutions here (if any!) for the current Microsoft, admin, security, undelivered mail, network, etc., etc., virus siege. My ISP mail inbox gets filled up repeatedly and is rejecting legitimate messages. Is there a way out, short of changing email address? Or will we all have to give up the Internet?

Art

#2

On Sun, 21 Sep 2003 06:39:38 GMT, (Art) wrote:
>Might be a good idea if savvy users posted their own solutions here

we already have.

--
Jim Watt
http://www.gibnet.com

#3

On Sun, 21 Sep 2003 06:39:38 GMT, (Art) wrote:
>Might be a good idea if savvy users posted their own solutions here
>(if any!) for the current Microsoft, admin, security, undelivered
>mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
>up repeatedly and is rejecting legitimate messages. Is there a way
>out, short of changing email address? Or will we all have to give up
>the Internet?
>
>Art

Set up email filters for the problem. Reject anything over 135kb. Filter keywords "September 2003", and "Cumulative Patch".

It would also be beneficial to remove your valid email address from your header information. Mung it somehow so that bots can't process it but humans can still tell what it is... or mung it so that you remain private, your choice.

HTH

Astaroth

#4

Astaroth <> wrote before:
>Reject anything over 135kb.

It would help, but it would also reject things you might have wanted to pass.

>Filter keywords "September 2003", and "Cumulative Patch".

"September 2003" is not contained in every one of those mails, so leave it to "Cumulative Patch"

>It would also be beneficial to remove your valid email address from
>your header information. Mung it somehow so that bots can't process it
>but humans can still tell what it is... or mung it so that you remain
>private, your choice.

In the German newsgroups we seem to have figured out that a _valid_ address containing the string "spam" will be ignored by the worm. However, it is not really acknowledged yet that this is truly the case.

If you have to pay for your internet connection per traffic or per time it is a good idea to do some filtering already on the mailserver before you start to download your mails. Here is my pop3 filter for Pegasus Mail V4.12a:

--------- pop3
If expression both matches "*cumulative patch*" DeleteOnServer ""
If expression both matches "*cumulative patch*" Exit ""
If expression both matches "*undeliver*" DeleteOnServer ""
If expression both matches "*undeliver*" Exit ""
---------

The first one looks for those faked MS patches and the second one takes care of those faked undeliverable messages containing the worm too. None of those mails have been downloaded for 14 hours now.

regards
André

André Franke

#5

(Art) wrote in news:3f6d4653.1973608@news.la.sbcglobal.net:
> Might be a good idea if savvy users posted their own solutions here
> (if any!) for the current Microsoft, admin, security, undelivered
> mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
> up repeatedly and is rejecting legitimate messages. Is there a way
> out, short of changing email address? Or will we all have to give up
> the Internet?
>
> Art

All of mine show up only on my hotmail account (the one used only for Usenet posts). Still, you can set filters on the following conditions (which I have found in all the malware messages):

   Contains the phrase "cumulative patch"
OR
   Contains the phrase "undeliverable" AND
   Contains an audio/x-wav mime component AND
   The filename ends in ".exe"

Most messages are not addressed to you, but that is not a given.

The attachment mime type is also being altered so you want to watch that. The patch files appear to be using the application/x-msdownload mime type. That's probably a safe bet to filter on since you likely will never receive that mime type in a legit message.

You can ask your ISP if they will start scanning email for malware, but they may not feel obligated.

You can ask if they will start filtering based on the various block lists since most of these messages originate either from open relays or from compromised home users.

If you do not have a shell account with your ISP, you can ask if they will allow you to upload (via FTP) a forward file and procmail recipe so you don't need to download the malware to filter it. If they will allow that, then check any of the numerous resources on how to write a procmail filter recipe.

n1pop@hotmail.com
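
The conditions listed in the post above (together with the phrase matches from the earlier Pegasus Mail rules), written out as an added Python example that is not part of the original thread. The function names, rule labels and sample messages are constructed for illustration.

```python
# Added example: n1pop's filter conditions as code. All messages are constructed.
from email.message import EmailMessage


def verdict(msg):
    """Return the name of the rule that fired, or None if the message passes."""
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    # Phrase rules look at the Subject and every text/* part, case-insensitively.
    text = " ".join([str(msg.get("Subject", ""))] +
                    [p.get_content() for p in leaves
                     if p.get_content_maintype() == "text"]).lower()
    types = {p.get_content_type() for p in leaves}
    names = [(p.get_filename() or "").lower() for p in leaves]

    if "cumulative patch" in text:
        return "cumulative-patch phrase"
    if "application/x-msdownload" in types:
        return "x-msdownload attachment"
    if ("undeliverable" in text and "audio/x-wav" in types
            and any(n.endswith(".exe") for n in names)):
        return "fake bounce with .exe"
    return None


def sample(subject, body, attach=None):
    """Build a constructed message; attach is (maintype, subtype, filename)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attach:
        main, sub, name = attach
        m.add_attachment(b"placeholder bytes", maintype=main, subtype=sub,
                         filename=name)
    return m


SAMPLES = {
    "fake patch": sample("Security Update", "Install this Cumulative Patch.",
                         ("application", "x-msdownload", "pack.exe")),
    "fake bounce": sample("Undeliverable mail", "Message returned.",
                          ("audio", "x-wav", "q.exe")),
    "real bounce": sample("Undeliverable: notes", "Mailbox is full."),
    "altered type": sample("Update", "Run the attachment.",
                           ("application", "x-msdownload", "upd.exe")),
    "voicemail": sample("New voicemail", "See attached.",
                        ("audio", "x-wav", "msg.wav")),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:12} -> {verdict(msg)}")
```

The "real bounce" and "voicemail" samples pass because the bounce rule needs all three conditions at once; a rule keyed on the word "undeliverable" alone would also catch the genuine bounce.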

#6

On 21 Sep 2003 15:50:40 GMT, wrote:
>All of mine show up only on my hotmail account (the one used only for
>Usenet posts). Still, you can set filters on the following conditions
>(which I have found in all the malware messages):
>
>   Contains the phrase "cumulative patch"
>OR
>   Contains the phrase "undeliverable" AND
>   Contains an audio/x-wav mime component AND
>   The filename ends in ".exe"
>
>Most messages are not addressed to you, but that is not a given.
>
>The attachment mime type is also being altered so you want to watch that.
>The patch files appear to be using the application/x-msdownload mime
>type. That's probably a safe bet to filter on since you likely will
>never receive that mime type in a legit message.
>
>You can ask your ISP if they will start scanning email for malware, but
>they may not feel obligated.
>
>You can ask if they will start filtering based on the various block lists
>since most of these messages originate either from open relays or from
>compromised home users.
>
>If you do not have a shell account with your ISP, you can ask if they
>will allow you to upload (via FTP) a forward file and procmail recipe so
>you don't need to download the malware to filter it. If they will allow
>that, then check any of the numerous resources on how to write a procmail
>filter recipe.

Thanks to all responders to date for these instructions (I don't know the abbreviation for "I'm not being sarcastic.")

A comment about filters: this particular Swen attack is, as most of us victims recognize, hard to deal with via filters because the senders, subjects, etc., are apparently infinitely varied around a few main topics. If you create a whole bunch of detailed filters you might successfully filter out, say, 75% of the next batch of spams. But your inbox (no matter how big) will still fill up with others that evade the filters. I'll add "cumulative patch" and see what that does.

Have never encountered a virus with such huge volume capacity before--hundreds at a time, and not necessarily to my email address, but there they are anyway.

Art

#7

(Art) wrote in news:::
> Might be a good idea if savvy users posted their own solutions here
> (if any!) for the current Microsoft, admin, security, undelivered
> mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
> up repeatedly and is rejecting legitimate messages. Is there a way
> out, short of changing email address? Or will we all have to give up
> the Internet?
>
> Art

I haven't received a single one. Whatever I'm doing must be working.

donut

#8

"donut" <> wrote in message news:Xns93FD6EA66602Edonut@216.102.43.227...
> (Art) wrote in
> news::
>
> > Might be a good idea if savvy users posted their own solutions here
> > (if any!) for the current Microsoft, admin, security, undelivered
> > mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
> > up repeatedly and is rejecting legitimate messages. Is there a way
> > out, short of changing email address? Or will we all have to give up
> > the Internet?
> >
> > Art
>
> I haven't received a single one. Whatever I'm doing must be working.

Let me guess: you post in newsgroups with a nonsense e-mail address (like me: did not get a single one either)

gr, hwh

#9

"hwh" <> wrote in message news:3f6debf8$0$58713$...
>
> "donut" <> wrote in message
> news:Xns93FD6EA66602Edonut@216.102.43.227...
> > (Art) wrote in
> > news::
> >
> > > Might be a good idea if savvy users posted their own solutions here
> > > (if any!) for the current Microsoft, admin, security, undelivered
> > > mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
> > > up repeatedly and is rejecting legitimate messages. Is there a way
> > > out, short of changing email address? Or will we all have to give up
> > > the Internet?

I have had very good luck with the K9 Bayesian Spam Filter http://keir.net/k9.html

The following chart reflects my filter efficiency for 73 and 21 days. It's filtering 3 e-mail accounts at present.

Regards,
Chris

Column 1: Since 9/3/2003 1:04:29 PM (21 days)
Column 2: Since 7/13/2003 8:24:55 AM (73 days)

| | #1 | #2 |
| --- | --- | --- |
| Total number of emails processed | 731 | 2,211 |
| Number of Good emails processed | 250 | 799 |
| Number of Spam emails processed | 481 | 1,412 |
| Percentage of emails that matched whitelist rules | 7.8% | 8.8% |
| Percentage of emails that matched blacklist rules | 0.0% | 0.0% |
| Number of emails re-classified to Good | 2 | 19 |
| Number of emails re-classified to Spam | 1 | 7 |
| Percentage emails misidentified as Spam (false positives) | 0.3% | 0.9% |
| Percentage emails misidentified as Good (false negatives) | 0.1% | 0.3% |
| Overall accuracy | 99.6% | 98.8% |

Chris S.

#10

On Wed, 24 Sep 2003 20:00:09 GMT, "Chris S." <> wrote:
>Total number of emails processed
>731 2,211
>Number of Good emails processed
>250 799
>Number of Spam emails processed
>481 1,412
>Percentage of emails that matched whitelist rules 7.8%

Hmmmm mine is around 40 spams to 1 real msg

>8.8%
>Percentage of emails that matched blacklist rules 0.0%
>0.0%
>Number of emails re-classified to Good
>2 19
>Number of emails re-classified to Spam
>1 7
>Percentage emails misidentified as Spam (false positives) 0.3% 0.9%
>Percentage emails misidentified as Good (false negatives) 0.1% 0.3%
>Overall accuracy
>99.6% 98.8%
>

--
Jim Watt
http://www.gibnet.com