[SWEN tiny FAQ] How to filter Swen mails with M$OE 6

Discussion in 'Computer Security' started by Thore Schmechtig, Sep 25, 2003.

  1. Greetings,

    since Swen.A first appeared in the wild around September 18th 2003,
    many people have asked how to filter the emails Swen wildly sends to
    just about everyone who ever posted in any newsgroup. It's a bit
    tricky, at first glance it seems impossible, but it can be done.

    Here's how.

    Swen emails unfortunately differ in From-, To- and Subject-field, but
    you will always find your own valid email-address in the
    Envelope-to-field of the email's header. OE unfortunately is unable to
    filter emails by the Envelope-to-content, but this doesn't matter. If
    you read the above carefully you see that:

    Every email that arrives in your inbox and does NOT have your valid
    email address in the To- or CC-field is almost guaranteed to be a
    Swen-mail (exceptions see below).

    To filter them out, do the following (tested with OE 6, earlier
    versions may need a slightly different process):



    *** BEGIN ***



    (Thanks to Phil who helped me with using the correct English names as I
    use the German version of OE - the following is a quote from his email)

    Open the email rules: Tools\Message Rules\Mail

    Create a new rule.

    In the first window (Select the conditions for your rule) select the
    following:
    -Where the To line contains people
    -Where the CC line contains people

    In the second window (Select the Actions for your rule) select the
    following:
    -Delete it from server

    In the third window (Rule Description...)
    -Click on "contains people" and enter your email address, then click on
    "Add"
    -Your email has now been added, select the email address and click on
    "Options"
    -Select the second radio button "Message does not contain the people
    below"
    then "OK" to close.

    (end quote from Phil)



    *** END ***



    Presto - you're done! OE will still have to download the _header_ data,
    but not the message body with its 150K worm executable. Ergo you have
    far fewer problems.

    NOTE THE FOLLOWING:

    Mailing lists - at least all lists I know - use a very similar
    procedure to send their contents to you, inserting your valid address
    in the Envelope-to-field and the basic email address of the list in the
    To-field, along with usually adding a list-typical string to the
    subject. Obviously this will create false positives with the
    above-mentioned email rule that would delete the list messages along
    with Swen.
    Therefore, if you participate in mailing lists, I suggest you do the
    following:



    *** BEGIN ***



    If you haven't done so until now, create an extra folder for each of
    your lists.

    Create one email rule for each of your lists with the following:

    Subject contains the list-typical string, To-field contains the basic
    list email address
    Actions to take: Move to the folder created for that list, do not
    process any more rules for that mail.

    Move all these rules to somewhere ABOVE the rule that deletes
    Swen-mails from the server.

    (For the details on doing all this, see the description of the
    Swen-filtering rule above)



    *** END ***



    That way, your mailing list messages will be moved to their own folders
    while the pesky Swen mails will die while still on your provider's
    server.

    Hope to have helped...

    Tocis (commoner AT carcosa DOT de)
    To reply, include HI-AK 523 in the subject or else your mail will be
    deleted!
     
    Thore Schmechtig, Sep 25, 2003
    #1

  2. Thore Schmechtig

    Bill Guest

    On Thu, 25 Sep 2003 14:40:16 +0200, "Thore Schmechtig"
    <> wrote:

    >Every email that arrives in your inbox and does NOT have your valid
    >email address in the To- or CC-field is almost guaranteed to be a
    >Swen-mail (exceptions see below).



    I pointed that out a couple of days ago and someone (I don't remember
    who) indicated that it doesn't work, which is nonsense as it has
    eliminated 100% of Swen from my mailbox. However, I am filtering at
    the server level which means I don't have to download them to keep
    them from filling up my message queue. Yes, it does work and it
    doesn't delete legitimate mail from individuals. Incidentally, when
    dropping my filter for a few hours to test I have noticed a sizable
    decrease in Swen mail. Only 75 in an 8 hour period.
     
    Bill, Sep 25, 2003
    #2

  3. Thore Schmechtig

    John Guest

    Bill,

    I don't fully understand what you mean by "I am filtering at the server
    level" or how one does that. There have been some posts that say OE has to
    download the e-mail before it can take action. Could you explain how you
    have your OE filter set up? Thanks!

    --
    John
    If you Reply, be sure and remove the " (DELETE_THIS) " from the email
    address.


    "Bill" <> wrote in message
    news:...
    > On Thu, 25 Sep 2003 14:40:16 +0200, "Thore Schmechtig"
    > <> wrote:
    >
    > >Every email that arrives in your inbox and does NOT have your valid
    > >email address in the To- or CC-field is almost guaranteed to be a
    > >Swen-mail (exceptions see below).

    >
    >
    > I pointed that out a couple of days ago and someone (I don't remember
    > who) indicated that it doesn't work, which is nonsense as it has
    > eliminated 100% of Swen from my mailbox. However, I am filtering at
    > the server level which means I don't have to download them to keep
    > them from filling up my message queue. Yes, it does work and it
    > doesn't delete legitimate mail from individuals. Incidentally, when
    > dropping my filter for a few hours to test I have noticed a sizable
    > decrease in Swen mail. Only 75 in an 8 hour period.
     
    John, Sep 25, 2003
    #3
  4. Thore Schmechtig

    Bill Guest

    On Thu, 25 Sep 2003 09:07:09 -0400, "John"
    <mooresjc@charter(DELETE_THIS)mi.net> wrote:

    >I don't fully understand what you mean by "I am filtering at the server
    >level" or how one does that.



    Some ISP's and/or email services have filters on the server that users
    can adjust to their own needs, which means you don't have to download
    junk. The mail is filtered before it ever gets to OE.
     
    Bill, Sep 25, 2003
    #4
  5. Thore Schmechtig

    John Coutts Guest

    In article <>,
    mooresjc@charterDELETE_THISmi.net says...
    >
    >Bill,
    >
    >I don't fully understand what you mean by "I am filtering at the server
    >level" or how one does that. There have been some posts that say OE has to
    >download the e-mail before it can take action. Could you explain how you
    >have your OE filter set up? Thanks!
    >
    >--
    >John

    ****************** REPLY SEPARATER *********************
    You don't use OE to filter at the server level. Our filtering service was smart
    enough to detect the first few as "New Worm", and it quarantines virus and Spam
    before it even gets to our server. My own account is over 4000 Swen viruses and
    counting (about 30 an hour). I did however have to turn the notification
    function off, and the filtering service allows me to delete 1000 quarantined
    items at a time.
     
    John Coutts, Sep 25, 2003
    #5
  6. Thore Schmechtig

    Marc Guest

    Hi Thore,

    When I do as you suggest, I get the following new rule...

    "Where the To line does not contain (my email address) and where the CC line
    contains people, delete it from server"

    But won't this rule delete all mail on which I am a CC recipient? That would
    seem to include a lot of valid email, as I am often CC'd on mail to others.

    Or am I missing something?
     
    Marc, Sep 25, 2003
    #6
  7. Thore Schmechtig

    YO Guest

    It works!! it works!!
    Thank you !! Thank you!!
    "Thore Schmechtig" <> wrote in message
    news:bkunnu$61jqd$-berlin.de...
    > Greetings,
    >
    > since Swen.A first appeared in the wild around September 18th 2003,
    > many people have asked how to filter the emails Swen wildly sends to
    > just about everyone who ever posted in any newsgroup. It's a bit
    > tricky, at first glance it seems impossible, but it can be done.
    >
    > Here's how.
    >
    > Swen emails unfortunately differ in From-, To- and Subject-field, but
    > you will always find your own valid email-address in the
    > Envelope-to-field of the email's header. OE unfortunately is unable to
    > filter emails by the Envelope-to-content, but this doesn't matter. If
    > you read the above carefully you see that:
    >
    > Every email that arrives in your inbox and does NOT have your valid
    > email address in the To- or CC-field is almost guaranteed to be a
    > Swen-mail (exceptions see below).
    >
    > To filter them out, do the following (tested with OE 6, earlier
    > versions may need a slightly different process):
    >
    >
    >
    > *** BEGIN ***
    >
    >
    >
    > (Thanks to Phil who helped me with using the correct English names as I
    > use the German version of OE - the following is a quote from his email)
    >
    > Open the email rules: Tools\Message Rules\Mail
    >
    > Create a new rule.
    >
    > In the first window (Select the conditions for your rule) select the
    > following:
    > -Where the To line contains people
    > -Where the CC line contains people
    >
    > In the second window (Select the Actions for your rule) select the
    > following:
    > -Delete it from server
    >
    > In the third window (Rule Description...)
    > -Click on "contains people" and enter your email address, then click on
    > "Add"
    > -Your email has now been added, select the email address and click on
    > "Options"
    > -Select the second radio button "Message does not contain the people
    > below"
    > then "OK" to close.
    >
    > (end quote from Phil)
    >
    >
    >
    > *** END ***
    >
    >
    >
    > Presto - you're done! OE will still have to download the _header_ data,
    > but not the message body with its 150K worm executable. Ergo you have
    > far fewer problems.
    >
    > NOTE THE FOLLOWING:
    >
    > Mailing lists - at least all lists I know - use a very similar
    > procedure to send their contents to you, inserting your valid address
    > in the Envelope-to-field and the basic email address of the list in the
    > To-field, along with usually adding a list-typical string to the
    > subject. Obviously this will create false positives with the
    > above-mentioned email rule that would delete the list messages along
    > with Swen.
    > Therefore, if you participate in mailing lists, I suggest you do the
    > following:
    >
    >
    >
    > *** BEGIN ***
    >
    >
    >
    > If you haven't done so until now, create an extra folder for each of
    > your lists.
    >
    > Create one email rule for each of your lists with the following:
    >
    > Subject contains the list-typical string, To-field contains the basic
    > list email address
    > Actions to take: Move to the folder created for that list, do not
    > process any more rules for that mail.
    >
    > Move all these rules to somewhere ABOVE the rule that deletes
    > Swen-mails from the server.
    >
    > (For the details on doing all this, see the description of the
    > Swen-filtering rule above)
    >
    >
    >
    > *** END ***
    >
    >
    >
    > That way, your mailing list messages will be moved to their own folders
    > while the pesky Swen mails will die while still on your provider's
    > server.
    >
    > Hope to have helped...
    >
    > Tocis (commoner AT carcosa DOT de)
    > To reply, include HI-AK 523 in the subject or else your mail will be
    > deleted!
     
    YO, Sep 25, 2003
    #7
  8. Thore Schmechtig

    Bill ® Guest

    On Thu, 25 Sep 2003 11:20:25 -0400, "Marc" <> wrote:

    >
    >But won't this rule delete all mail on which I am a CC recipient? That would
    >seem to include a lot of valid email, as I am often CC'd on mail to others.



    I use the filter of if the mail doesn't specifically include my
    address in the TO: or CC: fields delete it. It works.
     
    Bill ®, Sep 25, 2003
    #8
  9. On Thu, 25 Sep 2003 11:20:25 -0400, "Marc" <> wrote:

    >Hi Thore,
    >
    >When I do as you suggest, I get the following new rule...
    >
    >"Where the To line does not contain (my email address) and where the CC line
    >contains people, delete it from server"
    >
    >But won't this rule delete all mail on which I am a CC recipient? That would
    >seem to include a lot of valid email, as I am often CC'd on mail to others.
    >
    >Or am I missing something?


    No, you're not. I disagree with the advice you've been given and
    would not use this rule. I read a couple of mailing lists and my name
    does NOT always appear in the To or Cc header.

    Also, most of my friends who send jokes and interesting stuff use Bcc.


    --
    Steve M -
    remove wax for reply
     
    Steve M (remove wax for reply), Sep 25, 2003
    #9
  10. Thore Schmechtig

    Bill ® Guest

    On Thu, 25 Sep 2003 15:56:43 GMT, "Steve M (remove wax for reply)"
    <> wrote:

    >Also, most of my friends who send jokes and interesting stuff use Bcc.



    That's where personal preferences make the difference. I don't want to
    be on anyone's "bullshit mail list" and therefore certain rules work
    for me that may not for you.
     
    Bill ®, Sep 25, 2003
    #10
  11. In article <>, says...
    > Hi Thore,
    >
    > When I do as you suggest, I get the following new rule...
    >
    > "Where the To line does not contain (my email address) and where the CC line
    > contains people, delete it from server"
    >
    > But won't this rule delete all mail on which I am a CC recipient? That would
    > seem to include a lot of valid email, as I am often CC'd on mail to others.
    >
    > Or am I missing something?
    >


    No you're not missing a thing... Try this instead.

    "Where the To or CC line does not contain <your e-mail address> and
    Where the message has an attachment Delete it from server"

    That should take care of the bulk of W32/Swen generated messages.
     
    Jeffrey A. Setaro, Sep 25, 2003
    #11
  12. Hi,

    > When I do as you suggest, I get the following new rule...
    > "Where the To line does not contain (my email address) and where the CC line
    > contains people, delete it from server"
    > But won't this rule delete all mail on which I am a CC recipient? That would
    > seem to include a lot of valid email, as I am often CC'd on mail to others.
    > Or am I missing something?


    Oops - maybe I missed something :)
    There is an option to set the condition "where To- AND CC-Field
    contain...". That's the best one to use ;)


    --
    Bye

    Tocis (commoner AT carcosa DOT de)
    Include HI-AK 523 in the subject or your email will be deleted!
     
    Thore Schmechtig, Sep 25, 2003
    #12
  13. Thore Schmechtig

    Adam Russell Guest

    "Steve M (remove wax for reply)" <> wrote in message
    news:...
    > On Thu, 25 Sep 2003 11:20:25 -0400, "Marc" <> wrote:
    >
    > >Hi Thore,
    > >
    > >When I do as you suggest, I get the following new rule...
    > >
    > >"Where the To line does not contain (my email address) and where the CC line
    > >contains people, delete it from server"
    > >
    > >But won't this rule delete all mail on which I am a CC recipient? That would
    > >seem to include a lot of valid email, as I am often CC'd on mail to others.
    > >
    > >Or am I missing something?

    >
    > No, you're not. I disagree with the advice you've been given and
    > would not use this rule. I read a couple of mailing lists and my name
    > does NOT always appear in the To or Cc header.
    >
    > Also, most of my friends who send jokes and interesting stuff use Bcc.


    It's still a good idea for most people and can probably be modified (if you
    will give it a bit of thought) for your exception.
     
    Adam Russell, Sep 25, 2003
    #13
  14. Eric CHAPUZOT, Sep 25, 2003
    #14
  15. "Steve M (remove wax for reply)" <> wrote in message news:...
    > On Thu, 25 Sep 2003 11:20:25 -0400, "Marc" <> wrote:
    >
    > >Hi Thore,
    > >
    > >When I do as you suggest, I get the following new rule...
    > >
    > >"Where the To line does not contain (my email address) and where the CC line
    > >contains people, delete it from server"
    > >
    > >But won't this rule delete all mail on which I am a CC recipient? That would
    > >seem to include a lot of valid email, as I am often CC'd on mail to others.
    > >
    > >Or am I missing something?

    >
    > No, you're not. I disagree with the advice you've been given and
    > would not use this rule. I read a couple of mailing lists and my name
    > does NOT always appear in the To or Cc header.
    >
    > Also, most of my friends who send jokes and interesting stuff use Bcc.


    Whitelist those senders with earlier rules, by stopping processing of
    any further rules on them.
     
    FromTheRafters, Sep 26, 2003
    #15
  16. "Thore Schmechtig" <> wrote in
    <news:bkunnu$61jqd$-berlin.de>:

    > NOTE THE FOLLOWING:
    >
    > Mailing lists - at least all lists I know - use a very similar
    > procedure to send their contents to you, inserting your valid
    > address in the Envelope-to-field and the basic email address of
    > the list in the To-field, along with usually adding a list-typical
    > string to the subject. Obviously this will create false positives
    > with the above-mentioned email rule that would delete the list
    > messages along with Swen.


    Adding the criterion "Where the message size is more than 135 KB" to the
    Swen-killing rule should let such things as list posts through. 135 KB
    is a bit low for Swen, but I'll leave it to others to adjust upward if
    you like.

    --
    »Q«
    "KEEP BIG BROTHER'S HANDS OFF THE INTERNET"
    By Senator John Ashcroft
    <http://usinfo.state.gov/journals/itgic/1097/ijge/gj-7.htm>
     
    »Q«, Sep 26, 2003
    #16
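
    The rule logic discussed in this thread, as an added example (not part of any post and not Outlook Express's own code): a small Python model of ordered mail rules run over constructed messages. It shows the To/Cc rule, why the list rules must sit above it, and the effect of the attachment and size conditions. All addresses, the list tag and the message contents are made up for the illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

MY_ADDRESS = "me@example.org"  # assumed mailbox owner (constructed)
# Hypothetical mailing list: (subject tag, list address seen in To)
LISTS = [("[sec-list]", "sec-list@lists.example.net")]
SIZE_LIMIT = 135 * 1024        # the 135 KB threshold suggested in the thread


def recipients(msg):
    """Lower-cased addresses from all To and Cc headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def has_attachment(msg):
    return any(part.get_filename() for part in msg.walk())


def list_rule(msg, raw, opts):
    """Move list mail to its folder and stop processing further rules."""
    rcpts, subject = recipients(msg), msg.get("Subject", "")
    for tag, addr in LISTS:
        if tag in subject and addr in rcpts:
            return "list-folder"
    return None


def swen_rule(msg, raw, opts):
    """Delete when our address is in neither To nor Cc (plus optional extras)."""
    if MY_ADDRESS in recipients(msg):
        return None
    if opts.get("require_attachment") and not has_attachment(msg):
        return None
    if len(raw) <= opts.get("min_size", 0):
        return None
    return "delete-from-server"


def classify(raw, list_rules_first=True, **opts):
    """Apply the rules in order; the first rule that matches decides."""
    msg = message_from_string(raw)
    rules = [list_rule, swen_rule] if list_rules_first else [swen_rule, list_rule]
    for rule in rules:
        verdict = rule(msg, raw, opts)
        if verdict:
            return verdict
    return "inbox"


def build(to, subject, cc=None, attach_kb=0):
    """Construct a sample message; the attachment is zero-byte filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", to, subject
    if cc:
        m["Cc"] = cc
    m.set_content("constructed sample body")
    if attach_kb:
        m.add_attachment(b"\0" * attach_kb * 1024, maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_string()


# Constructed samples; none of these is real traffic.
SAMPLES = {
    "worm-like": build("someone@else.example", "Security update", attach_kb=150),
    "direct": build(MY_ADDRESS, "lunch?"),
    "cc": build("colleague@example.com", "minutes", cc=MY_ADDRESS),
    "list": build("sec-list@lists.example.net", "[sec-list] digest"),
    "bcc": build("friend@example.com", "joke of the day"),
}


def run(**opts):
    return {name: classify(raw, **opts) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    print("plain rule:        ", run())
    print("rule above lists:  ", run(list_rules_first=False))
    print("needs attachment:  ", run(require_attachment=True))
    print("size over 135 KB:  ", run(min_size=SIZE_LIMIT))
```

    With the plain rule the Bcc'd message is deleted along with the worm-like one; either extra condition lets it through while the large attachment is still removed.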
  17. Thore Schmechtig

    Randy W Guest

    On Thu, 25 Sep 2003 14:40:16 +0200, "Thore Schmechtig"
    >>Every email that arrives in your inbox and does NOT have your valid
    >>email address in the To- or CC-field is almost guaranteed to be a
    >>Swen-mail (exceptions see below).


    On Thu, 25 Sep 2003 Bill <> wrote:
    >I pointed that out a couple of days ago and someone (I don't remember
    >who) indicated that it doesn't work, which is nonsense as it has
    >eliminated 100% of Swen from my mailbox. However, I am filtering at
    >the server level which means I don't have to download them to keep
    >them from filling up my message queue. Yes, it does work and it
    >doesn't delete legitimate mail from individuals. Incidentally, when
    >dropping my filter for a few hours to test I have noticed a sizable
    >decrease in Swen mail. Only 75 in an 8 hour period.


    I remembered seeing Bill's post about the To: field not having
    one's real email address a few days ago, but of course it was
    *after* i'd spent a few evenings setting up a few dozen filters
    using keywords found in the From: and Subject: fields of the
    offending emails.

    Based on his post i then cancelled all my keyword filters and
    instead setup one single filter to send any message where the
    To: field does not contain my actual email address and that
    one single filter has sent 100% of the Swen worm emails
    directly to my Trash folder ever since, just like it did for him.
    I don't see how this couldn't work, since NONE of the thousand
    or so worm emails contain my actual email address. Not one.

    Thanks Bill :)

    I run Eudora Light and i have it set to automatically dial up
    every hour, retrieve all my mail then delete it from the server
    after downloading it, then it closes the connection. Norton catches
    and quarantines virtually every infected file then i just go in a few
    times a day and delete them all. I think the Pro/paid version of
    Eudora Pro version has the added ability to delete mail directly
    from the server without having to download it which would be
    better yet, but the Light version doesn't have this capability.
    No matter, this is all working for me and my inbox is now never
    more than 25% full at any given time. In the beginning it was
    being packed to capacity within two hours !

    I have found some of the worm files in my attachment directory
    so apparently some are getting past Norton which makes me think
    Norton has some sort of limit to the number of attachments it can
    handle and the rest are getting past it. I just send them to the
    Recycle Bin whenever i spot one.

    Randy
     
    Randy W, Sep 26, 2003
    #17
  18. "Randy W" <> wrote in message news:...

    > I remembered seeing Bill's post about the To: field not having
    > one's real email address a few days ago, but of course it was
    > *after* i'd spent a few evenings setting up a few dozen filters
    > using keywords found in the From: and Subject: fields of the
    > offending emails.
    >
    > Based on his post i then cancelled all my keyword filters and
    > instead setup one single filter to send any message where the
    > To: field does not contain my actual email address and that
    > one single filter has sent 100% of the Swen worm emails
    > directly to my Trash folder ever since, just like it did for him.
    > I don't see how this couldn't work, since NONE of the thousand
    > or so worm emails contain my actual email address. Not one.


    It does work, and is a pretty good filter for regular spam
    as well, but for some people whose friends send a group
    mailing with blind carbon copies sometimes, those would
    be lost. Some people are on mailing lists which could also
    be lost. Rules can be set up to avoid these occurrences
    too on a case by case basis.
     
    FromTheRafters, Sep 26, 2003
    #18
  19. Thore Schmechtig

    Randy W Guest


    >"Randy W" <> wrote:
    >> I remembered seeing Bill's post about the To: field not having
    >> one's real email address a few days ago, but of course it was
    >> *after* i'd spent a few evenings setting up a few dozen filters
    >> using keywords found in the From: and Subject: fields of the
    >> offending emails.
    >>
    >> Based on his post i then cancelled all my keyword filters and
    >> instead setup one single filter to send any message where the
    >> To: field does not contain my actual email address and that
    >> one single filter has sent 100% of the Swen worm emails
    >> directly to my Trash folder ever since, just like it did for him.
    >> I don't see how this couldn't work, since NONE of the thousand
    >> or so worm emails contain my actual email address. Not one.


    TheRaftersRote:
    >It does work, and is a pretty good filter for regular spam
    >as well, but for some people whose friends send a group
    >mailing with blind carbon copies sometimes, those would
    >be lost. Some people are on mailing lists which could also
    >be lost. Rules can be set up to avoid these occurrences
    >too on a case by case basis.


    So far this hasn't snatched anything other than the Worm-bombs
    since setting it up a few days ago but this is good to know because
    i am on a few club committees and we have conference calls via
    email from time to time. I always roll through the subject lines of
    everything in my Trash Folder before permanently emptying it
    so now i'll keep a closer eye out for legitimate emails that may
    get caught up by the filter. FWIW i'm on several mailing lists and
    typically get upwards of a hundred emails a day (Not counting
    the few hundred Wormbombs per day i've been getting) and
    luckily no legitimate email has been trashed so this method is
    working perfectly in my case. It has also caught some spam,
    but i only get a few a day anyway and most of them are filtered
    to my Spam folder. My filters for that folder contain some real
    wacky little international characters and catches almost all of it :)

    Thanks for the heads up :)

    Randy
     
    Randy W, Sep 26, 2003
    #19
  20. Thore Schmechtig

    kd7sk Guest

    I have set Outlook Express mail filters to 'DELETE FROM SERVER' any mail
    which contains any of these words in the 'FROM' line. So far it is working
    great except that I have to add a new one or two just about every day, otherwise
    I spend a bunch of time waiting for my antivirus to check the incoming mail then
    have to delete half of it any way because of the worms.

    (Go to tools>message rules>mail>NEW>"If the FROM line contains
    people">(insert one of the words from the list below)>click the bottom box
    "Delete from server"......Click OK to save the basic rule.. Next> select
    that same rule and click on the word you saved before such as "admin" and a
    new box will open for you to type in the next word and ADD to the list then
    OK it and click on the last word you added and keep going until you have the
    whole list.)

    MANY of these are repeated over and over again which you can see if you
    check the FROM lines of the incoming JUNK.


    admin
    administrator
    emailprogram
    internet delivery
    mail delivery
    mail service
    message service
    message storage
    MS
    microsoft
    network system
    network email
    security center
    storage service
    storage system
    technical assistance
    technical bulletin
    webroutine

    The above are all set to DELETE FROM SERVER so I never see them.
    Sorry about the LONG post but IT WERKS FER ME......

    GOOD LUCK and HAPPY SURFING.


    "»Q«" <> wrote in message
    news:...
    > "Thore Schmechtig" <> wrote in
    > <news:bkunnu$61jqd$-berlin.de>:
    >
    > > NOTE THE FOLLOWING:
    > >
    > > Mailing lists - at least all lists I know - use a very similar
    > > procedure to send their contents to you, inserting your valid
    > > address in the Envelope-to-field and the basic email address of
    > > the list in the To-field, along with usually adding a list-typical
    > > string to the subject. Obviously this will create false positives
    > > with the above-mentioned email rule that would delete the list
    > > messages along with Swen.

    >
    > Adding the criterion "Where the message size is more than 135 KB" to the
    > Swen-killing rule should let such things as list posts through. 135 KB
    > is a bit low for Swen, but I'll leave it to others to adjust upward if
    > you like.
    >
    > --
    > »Q«
    > "KEEP BIG BROTHER'S HANDS OFF THE INTERNET"
    > By Senator John Ashcroft
    > <http://usinfo.state.gov/journals/itgic/1097/ijge/gj-7.htm>
     
    kd7sk, Sep 27, 2003
    #20
