On 24 Oct 2003 03:55:45 GMT, <> wrote:
>What the hell is going on with all this "Microshit" spam and bullshit attachments
>and why the hell isn't Microsoft doing something about it.
>
>I have to get myself a new email address every few weeks because my mailboxes
>are overflowing with Micros**t spam and attachments.
>
>Microsoft won't have a single customer left if they don't act soon.
It's from a worm called Swen. It's out there (and hitting you)
because of clueless computer owners.
Most advice will tell you to filter the sh!t. Or just hit delete.
Neither solution will stop it.
The only way to stop Swen spam is to report the infected computers.
Swen has been known for so long that most anybody who knows anything
about computers is protected against it. The only ones left with
infected computers are the truly clueless. They will never fix their
computers on their own.
I started reporting each Swen email several weeks ago, when I was
getting 75 - 100 / day. This was a fscking nuisance, but I have
gotten none for the past week - all the computers that were hitting me
have either been taken offline or cleaned. You need to report each
infection as soon as you can; each email you're getting is also going
to somebody else who may become infected and make the problem worse.
There is one and only one valid way to identify the reporting address
for the infected computer, which requires that you examine the
headers. Here is an example:
####### Start Example #######
Return-Path: <>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id
h95L6baQ017487
for <>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
for <>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Date: Sun, 5 Oct 2003 23:01:27 +0200 (added by
)
Message-ID: <> (added by
)
FROM: "Security Division" <>
TO: "Commercial Customer" <>
SUBJECT: Latest Network Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vjwtmhybcefqo"
X-Spam-Status: Yes, hits=5.9 required=5.0
tests=ALL_CAPS_HEADER,MICROSOFT_EXECUTABLE,MIME_HT ML_NO_CHARSET,
MSG_ID_ADDED_BY_MTA,RCVD_IN_MULTIHOP_DSBL,
RCVD_IN_UNCONFIRMED_DSBL,SPAM_PHRASE_00_01
version=2.43
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)
Microsoft Customer
this is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities.
This update includes the functionality of all previously released
patches.
BLAH BLAH BLAH
####### End Example #######
The infected computer, in the example, is adqy (62.11.181.97).
10/6/2003 10:08:03 whois -h whois.ripe.net 62.11.181.97
remarks: | PLEASE CONTACT OUR ABUSE DIVISION () |
remarks: | FOR ABUSE and-or SPAM COMPLAINTS. |
Send this complaint, with full headers, to
.
There are any number of online whois lookup tools. I use All-NetTools
(
http://www.all-nettools.com/tools1.htm ) and Broadband Reports (
http://www.dslreports.com/whois ).
Also, there are several tools which you can install. I use Sam Spade
(
http://www.samspade.org/ssw/ ) and TESP ABouncer (
http://www.tesp.com/abounce/ ). Both contain whois and other tools,
and both help you format and send the complaint.
Any reports you send need to be very objective; I have learned from
others that subjective, whiny complaints do not result in 100%
success. My reports did.
Using TESP, I wrote and emailed a report (for this example) as
follows:
To:
R33437 UBE from your network, containing virus: "Latest Network
Security Pack"
The attached Unsolicited Bulk Email (UBE) "Latest Network Security
Pack", which appears to contain copies of the Swen (Gibe) virus,
appears to originate from your network. Please take appropriate
action.
- - - - - - - - Begin Attached Message - - - - - - - -
Return-Path: <>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487
for <>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
for <>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Date: Sun, 5 Oct 2003 23:01:27 +0200 (added by
)
Message-ID: <(added by
)
FROM: "Security Division" <>
TO: "Commercial Customer" <>
SUBJECT: Latest Network Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vjwtmhybcefqo"
X-Spam-Status: Yes, hits=5.9 required=5.0
tests=ALL_CAPS_HEADER,MICROSOFT_EXECUTABLE,MIME_HT ML_NO_CHARSET,
MSG_ID_ADDED_BY_MTA,RCVD_IN_MULTIHOP_DSBL,
RCVD_IN_UNCONFIRMED_DSBL,SPAM_PHRASE_00_01
version=2.43
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)
Microsoft Customer
this is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities.
This update includes the functionality of all previously released
patches.
BLAH BLAH BLAH
Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
Similar Threads
