"Microsoft" Spam Attack--Help!

Discussion in 'Computer Security' started by Art, Sep 21, 2003.

  1. Art

    Art Guest

    Might be a good idea if savvy users posted their own solutions here
    (if any!) for the current Microsoft, admin, security, undelivered
    mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
    up repeatedly and is rejecting legitimate messages. Is there a way
    out, short of changing email address? Or will we all have to give up
    the Internet?

    Art
     
    Art, Sep 21, 2003
    #1

  2. Art

    Jim Watt Guest

    On Sun, 21 Sep 2003 06:39:38 GMT, (Art) wrote:

    >Might be a good idea if savvy users posted their own solutions here


    we already have.
    --
    Jim Watt http://www.gibnet.com
     
    Jim Watt, Sep 21, 2003
    #2

  3. Art

    Astaroth Guest

    On Sun, 21 Sep 2003 06:39:38 GMT, (Art) wrote:

    >Might be a good idea if savvy users posted their own solutions here
    >(if any!) for the current Microsoft, admin, security, undelivered
    >mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
    >up repeatedly and is rejecting legitimate messages. Is there a way
    >out, short of changing email address? Or will we all have to give up
    >the Internet?
    >
    >Art


    Set up email filters for the problem.

    Reject anything over 135kb.
    Filter keywords "September 2003", and "Cumulative Patch".
    It would also be beneficial to remove your valid email address from
    your header information. Mung it somehow so that bots can't process it
    but humans can still tell what it is... or mung it so that you remain
    private, your choice.
    HTH
     
    Astaroth, Sep 21, 2003
    #3
  4. Astaroth <> wrote before:

    >Reject anything over 135kb.


    It would help, but it would also reject things you might have wanted
    to pass.

    >Filter keywords "September 2003", and "Cumulative Patch".


    "September 2003" is not contained in every one of those mails, so leave it
    at "Cumulative Patch".

    >It would also be beneficial to remove your valid email address from
    >your header information. Mung it somehow so that bots can't process it
    >but humans can still tell what it is... or mung it so that you remain
    >private, your choice.


    In the German newsgroups we seem to have figured out that a _valid_
    address containing the string "spam" will be ignored by the worm.
    However, it is not really acknowledged yet that this is truly the
    case.

    If you have to pay for your internet connection per traffic or per
    time it is a good idea to do some filtering already on the mailserver
    before you start to download your mails.

    Here is my pop3 filter for Pegasus Mail V4.12a :

    ---------
    pop3
    If expression both matches "*cumulative patch*" DeleteOnServer ""
    If expression both matches "*cumulative patch*" Exit ""
    If expression both matches "*undeliver*" DeleteOnServer ""
    If expression both matches "*undeliver*" Exit ""
    ---------

    The first one looks for those faked MS patches and the second one
    takes care of those faked undeliverable messages containing the worm
    too.
    None of those mails has been downloaded for 14 hours now.

    regards
    André
     
    André Franke, Sep 21, 2003
    #4
  5. Art

    Guest

    (Art) wrote in news:3f6d4653.1973608@news.la.sbcglobal.net:

    > Might be a good idea if savvy users posted their own solutions here
    > (if any!) for the current Microsoft, admin, security, undelivered
    > mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
    > up repeatedly and is rejecting legitimate messages. Is there a way
    > out, short of changing email address? Or will we all have to give up
    > the Internet?
    >
    > Art


    All of mine show up only on my hotmail account (the one used only for
    Usenet posts). Still, you can set filters on the following conditions
    (which I have found in all the malware messages):

    Contains the phrase "cumulative patch"
    OR
    Contains the phrase "undeliverable" AND
    Contains an audio/x-wav mime component AND
    The filename ends in ".exe"

    Most messages are not addressed to you, but that is not a given.

    The attachment mime type is also being altered so you want to watch that.
    The patch files appear to be using the application/x-msdownload mime
    type. That's probably a safe bet to filter on since you likely will
    never receive that mime type in a legit message.

    You can ask your ISP if they will start scanning email for malware, but
    they may not feel obligated.

    You can ask if they will start filtering based on the various block lists
    since most of these messages originate either from open relays or from
    compromised home users.

    If you do not have a shell account with your ISP, you can ask if they
    will allow you to upload (via FTP) a forward file and procmail recipe so
    you don't need to download the malware to filter it. If they will allow
    that, then check any of the numerous resources on how to write a procmail
    filter recipe.
     
    , Sep 21, 2003
    #5
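    The filter conditions collected in posts #3, #4 and #5 above, as an added
    worked example that is not part of the original thread: a small Python
    filter that parses raw messages with the standard-library email package and
    applies the size cap, the "cumulative patch" keyword, the
    application/x-msdownload check and the fake-bounce rule ("undeliver" in the
    text plus an audio/x-wav part whose filename ends in .exe). The sample
    messages are constructed here, not captured worm mail; the sender and
    recipient addresses and the executable suffixes beyond .exe are assumptions.

```python
"""Mail filter for the worm traffic described in this thread (added example).

Rules, taken from posts #3, #4 and #5:
  1. whole message larger than 135 KB                 -> drop (post #3)
  2. any MIME part typed application/x-msdownload     -> drop (post #5)
  3. subject/body contains "cumulative patch"         -> drop (posts #3-#5)
  4. "undeliver" in the text AND an audio/x-wav part
     AND an attachment name ending in .exe            -> drop (post #5)
Everything else is kept.  Sample messages below are constructed, not real mail.
"""
import email
from email import policy
from email.message import EmailMessage

SIZE_CAP = 135 * 1024                 # post #3's "reject anything over 135kb"
KEYWORDS = ("cumulative patch",)      # "September 2003" dropped, as post #4 suggests
# .exe is what the thread reports; the other suffixes are an assumption for coverage.
EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".bat", ".com")


def _text_of(msg):
    """Subject plus every text/* body part, lower-cased, for keyword matching."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            try:
                chunks.append(part.get_content())
            except Exception:          # undecodable part: skip it, still check the rest
                pass
    return "\n".join(chunks).lower()


def classify(raw: bytes):
    """Return (verdict, reason) for one raw RFC 822 message; verdict is 'drop' or 'keep'."""
    if len(raw) > SIZE_CAP:
        return "drop", "oversize"
    msg = email.message_from_bytes(raw, policy=policy.default)
    types = [p.get_content_type() for p in msg.walk()]
    names = [(p.get_filename() or "").lower() for p in msg.walk()]
    if "application/x-msdownload" in types:
        return "drop", "x-msdownload part"
    text = _text_of(msg)
    if any(k in text for k in KEYWORDS):
        return "drop", "keyword"
    if ("undeliver" in text and "audio/x-wav" in types
            and any(n.endswith(EXEC_SUFFIXES) for n in names)):
        return "drop", "fake bounce with executable"
    return "keep", ""


def build_sample(subject, body, attachment=None):
    """Construct a test message; attachment is (filename, 'maintype/subtype') or None."""
    m = EmailMessage()
    m["From"] = "MS Security Center <update@example.invalid>"   # assumed, not from the thread
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, ctype = attachment
        maintype, subtype = ctype.split("/", 1)
        # constructed stub payload standing in for the worm's executable
        m.add_attachment(b"MZ\x90\x00" + b"\x00" * 64,
                         maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()


SAMPLES = {
    "fake patch": build_sample("Latest Net Security Pack",
                               "Install this Cumulative Patch to stay protected.",
                               ("patch3456.exe", "application/x-msdownload")),
    "fake bounce": build_sample("Undeliverable Mail",
                                "Your message could not be delivered.",
                                ("message.exe", "audio/x-wav")),
    "real bounce": build_sample("Undeliverable Mail",
                                "Your message could not be delivered: user unknown."),
    "real mail": build_sample("Re: meeting", "See you at five."),
    "oversize": build_sample("Re: photos", "x\n" * 70000),
}


def run_samples():
    """Classify every constructed sample; returns {name: (verdict, reason)}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:12s} -> {verdict:4s} {reason}")
```

    Rules 2 to 4 look at the MIME structure rather than the ever-changing
    subjects post #6 complains about, which is why they hold up better than
    subject filters; a declared audio/x-wav part carrying a .exe name is the
    kind of mismatch legitimate mail never produces. The size cap is kept last
    on purpose: as post #4 notes, it also throws away large mail you wanted.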
  6. Art

    Art Guest

    On 21 Sep 2003 15:50:40 GMT, wrote:

    >All of mine show up only on my hotmail account (the one used only for
    >Usenet posts). Still, you can set filters on the following conditions
    >(which I have found in all the malware messages):
    >
    > Contains the phrase "cumulative patch"
    >OR
    > Contains the phrase "undeliverable" AND
    > Contains an audio/x-wav mime component AND
    > The filename ends in ".exe"
    >
    >Most messages are not addressed to you, but that is not a given.
    >
    >The attachment mime type is also being altered so you want to watch that.
    >The patch files appear to be using the application/x-msdownload mime
    >type. That's probably a safe bet to filter on since you likely will
    >never receive that mime type in a legit message.
    >
    >You can ask your ISP if they will start scanning email for malware, but
    >they may not feel obligated.
    >
    >You can ask if they will start filtering based on the various block lists
    >since most of these messages originate either from open relays or from
    >compromised home users.
    >
    >If you do not have a shell account with your ISP, you can ask if they
    >will allow you to upload (via FTP) a forward file and procmail recipe so
    >you don't need to download the malware to filter it. If they will allow
    >that, then check any of the numerous resources on how to write a procmail
    >filter recipe.


    Thanks to all responders to date for these instructions (I don't know
    the abbreviation for "I'm not being sarcastic.")

    A comment about filters: this particular Swen attack is, as most of us
    victims recognize, hard to deal with via filters because the senders,
    subjects, etc., are apparently infinitely varied around a few main
    topics. If you create a whole bunch of detailed filters you might
    successfully filter out, say, 75% of the next batch of spams. But
    your inbox (no matter how big) will still fill up with others that
    evade the filters. I'll add "cumulative patch" and see what that
    does. Have never encountered a virus with such huge volume capacity
    before--hundreds at a time, and not necessarily to my email address,
    but there they are anyway.

    Art
     
    Art, Sep 21, 2003
    #6
  7. Art

    donut Guest

    (Art) wrote in
    news::

    > Might be a good idea if savvy users posted their own solutions here
    > (if any!) for the current Microsoft, admin, security, undelivered
    > mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
    > up repeatedly and is rejecting legitimate messages. Is there a way
    > out, short of changing email address? Or will we all have to give up
    > the Internet?
    >
    > Art


    I haven't received a single one. Whatever I'm doing must be working. ;)
     
    donut, Sep 21, 2003
    #7
  8. Art

    hwh Guest

    "donut" <> wrote in message
    news:Xns93FD6EA66602Edonut@216.102.43.227...
    > (Art) wrote in
    > news::
    >
    > > Might be a good idea if savvy users posted their own solutions here
    > > (if any!) for the current Microsoft, admin, security, undelivered
    > > mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
    > > up repeatedly and is rejecting legitimate messages. Is there a way
    > > out, short of changing email address? Or will we all have to give up
    > > the Internet?
    > >
    > > Art

    >
    > I haven't received a single one. Whatever I'm doing must be working. ;)


    Let me guess: you post in newsgroups with a nonsense e-mail address :)
    (like me: did not get a single one either)

    gr, hwh
     
    hwh, Sep 21, 2003
    #8
  9. Art

    Chris S. Guest

    "hwh" <> wrote in message
    news:3f6debf8$0$58713$4all.nl...
    >
    > "donut" <> wrote in message
    > news:Xns93FD6EA66602Edonut@216.102.43.227...
    > > (Art) wrote in
    > > news::
    > >
    > > > Might be a good idea if savvy users posted their own solutions here
    > > > (if any!) for the current Microsoft, admin, security, undelivered
    > > > mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
    > > > up repeatedly and is rejecting legitimate messages. Is there a way
    > > > out, short of changing email address? Or will we all have to give up
    > > > the Internet?

    I have had very good luck with the K9 Bayesian Spam Filter
    http://keir.net/k9.html

    The following chart reflects my filter efficiency for 73 and 21 days.
    It's filtering 3 e-mail accounts at present.
    Regards,
    Chris


    Column 1: Since 9/3/2003 1:04:29 PM (21 days)
    Column 2: Since 7/13/2003 8:24:55 AM (73 days)

                                                            #1        #2
    Total number of emails processed                       731     2,211
    Number of Good emails processed                        250       799
    Number of Spam emails processed                        481     1,412
    Percentage of emails that matched whitelist rules     7.8%      8.8%
    Percentage of emails that matched blacklist rules     0.0%      0.0%
    Number of emails re-classified to Good                   2        19
    Number of emails re-classified to Spam                   1         7
    Percentage misidentified as Spam (false positives)    0.3%      0.9%
    Percentage misidentified as Good (false negatives)    0.1%      0.3%
    Overall accuracy                                     99.6%     98.8%
     
    Chris S., Sep 24, 2003
    #9
  10. Art

    Jim Watt Guest

    On Wed, 24 Sep 2003 20:00:09 GMT, "Chris S."
    <> wrote:

    >Total number of emails processed
    >731 2,211
    >Number of Good emails processed
    >250 799
    >Number of Spam emails processed
    >481 1,412
    >Percentage of emails that matched whitelist rules 7.8%


    Hmmmm mine is around 40 spams to 1 real msg
    >8.8%
    >Percentage of emails that matched blacklist rules 0.0%
    >0.0%
    >Number of emails re-classified to Good
    >2 19
    >Number of emails re-classified to Spam
    >1 7
    >Percentage emails misidentified as Spam (false positives) 0.3% 0.9%
    >Percentage emails misidentified as Good (false negatives) 0.1% 0.3%
    >Overall accuracy
    >99.6% 98.8%
    >


    --
    Jim Watt http://www.gibnet.com
     
    Jim Watt, Sep 24, 2003
    #10
  11. >>> Might be a good idea if savvy users posted their own solutions here
    >>> (if any!) for the current Microsoft, admin, security, undelivered
    >>> mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
    >>> up repeatedly and is rejecting legitimate messages. Is there a way
    >>> out, short of changing email address? Or will we all have to give up
    >>> the Internet?
    >>>
    >>> Art


    Yeah, I want revenge. I used to be such a nice guy before this happened. :)

    >>
    >> I haven't received a single one. Whatever I'm doing must be working. ;)

    >
    > Let me guess: you post in newsgroups with a nonsense e-mail address :)
    > (like me: did not get a single one either)
    >
    > gr, hwh


    Good plan. I was not thorough enough doing that, and now I get as much as
    300 spams a day.

    Earthlink's built-in spam tools help a lot though. (Still, I wish somebody
    would find these people and do a denial-of-service attack on them.)


    Aaron
     
    Neowulf (Aaron VonDerheide), Oct 6, 2003
    #11
  12. Art

    Leythos Guest

    In article <1bvo7nwa5h7bo$.1opugnz0s7jj0$>, avonder1@earthlink.net.NOSPAM
    says...
    > >> I haven't received a single one. Whatever I'm doing must be working. ;)

    > >
    > > Let me guess: you post in newsgroups with a nonsense e-mail address :)
    > > (like me: did not get a single one either)

    > Good plan. I was not thorough enough doing that, and now I get as much as
    > 300 spams a day.
    >
    > Earthlink's built-in spam tools help a lot though. (Still, I wish somebody
    > would find these people and do a denial-of-service attack on them.)


    They are sending them to more than usenet accounts - I've not seen one
    come to my account I use for usenet, but there appears to be a simple
    engine that sends them to administrator or abuse or postmaster at
    company accounts.

    With our mail server I've seen about 10 in the last couple of weeks; the
    spam filter catches them, and the firewall removes the attachment.

    --

    (Remove 999 to reply to me)
     
    Leythos, Oct 6, 2003
    #12
  13. Art

    Jeff Guest

    On Mon, 06 Oct 2003 15:57:35 +0000, Neowulf (Aaron VonDerheide) wrote:

    >>>> Might be a good idea if savvy users posted their own solutions here
    >>>> (if any!) for the current Microsoft, admin, security, undelivered
    >>>> mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
    >>>> up repeatedly and is rejecting legitimate messages. Is there a way
    >>>> out, short of changing email address? Or will we all have to give up
    >>>> the Internet?
    >>>>
    >>>> Art

    >
    > Yeah, I want revenge. I used to be such a nice guy before this happened. :)
    >
    >>>
    >>> I haven't received a single one. Whatever I'm doing must be working. ;)

    >>
    >> Let me guess: you post in newsgroups with a nonsense e-mail address :)
    >> (like me: did not get a single one either)
    >>
    >> gr, hwh

    >
    > Good plan. I was not thorough enough doing that, and now I get as much as
    > 300 spams a day.
    >
    > Earthlink's built-in spam tools help a lot though. (Still, I wish somebody
    > would find these people and do a denial-of-service attack on them.)
    >
    >
    > Aaron

    Maybe if everyone forwarded all of them to Microsoft then they would be
    a bit more motivated to fix their software. :)
     
    Jeff, Oct 7, 2003
    #13
  14. Art

    MI6 U2 Guest

    There's a virus out also, 28KB too, besides the 150 ones.
    "Astaroth" <> wrote in message
    news:3klqmv0f0sbb0hhcsk8hpg7p14gnfrc1ti@hades...
    > On Sun, 21 Sep 2003 06:39:38 GMT, (Art) wrote:
    >
    > >Might be a good idea if savvy users posted their own solutions here
    > >(if any!) for the current Microsoft, admin, security, undelivered
    > >mail, network, etc., etc., virus siege. My ISP mail inbox gets filled
    > >up repeatedly and is rejecting legitimate messages. Is there a way
    > >out, short of changing email address? Or will we all have to give up
    > >the Internet?
    > >
    > >Art

    >
    > Set up email filters for the problem.
    >
    > Reject anything over 135kb.
    > Filter keywords "September 2003", and "Cumulative Patch".
    > It would also be beneficial to remove your valid email address from
    > >your header information. Mung it somehow so that bots can't process it
    > but humans can still tell what it is... or mung it so that you remain
    > private, your choice.
    > HTH
     
    MI6 U2, Nov 19, 2003
    #14
