Microsoft is bombing me! help! help!

You are sending out the virus.......I just got one from Charter.net. I
will post part of the headers to show you.......so please get the virus
off your computer.....or stay offline. Aw hell, that won't matter as
there are 32 gazillion copies floating around.

OK......see the first line??? Is that a friend of yours, or is it you.
And you will see further down that the TO and FROM are totally
different. So it forges the FROM.......but the "charter.net" is at the
top.......

Hey Rafters.....is this like Klez? Or could it be combining two parts
to the reply to address......hmmm.

Cheers....Heather

Return-Path: <>
Received: from remt20.cluster1.charter.net ([209.225.8.30])

FROM: "Program Security Center" <>
TO: "Commercial Client" <>

SUBJECT: Newest Network Security Patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="obmybgntf"
Date: Mon, 22 Sep 2003 00:03:12 -0400

 

Just got two more from your ISP.....different name in first
half......know a person named "sfogarty"???

These seem to come in pairs......two from Musselwhite, two from
Fogarty.....both Charter.net.

Heather

 

Heather,
I followed your instructions after printing them out, but I don't know where
you and Thor are getting the phrase "Cumulative Patch". That didn't come in
any of my mails, did you have to open one to read that in the message? Last
night, before I turned the computer off, I deleted all the mails in my
inbox, and deleted box, one thousand in all, after making several rules
using phrases in the , not the from header, but the message content part,
and this morning I had about 49 in the deleted box, and 58 in the inbox. So
some of the rules did not work. But the Microsoft ones seem to be stopped.

Sorry, I'm not really up to all this stuff, although I'm really trying.

I don't want to do that, that's why I asked.

Thanks for your help,
San

 

"Heather" <

I don't understand why you are asking that, I have not sent you any mails
other than on this group.

This ISP is all over the country. It could be coming from anywhere AFAIK.

 

AFAIK, this leaves the message on the server. Is there
any way to delete the message from the server without
downloading it?

 

Last

That was just an example. You need to look at all your messages, and pick
out s distinctive word or phrase that sets them apart from legitemate email,
yet is common to most of the ones you want to filter out.

In your news account settings in Outlook Express, there is a box for your
email address. What you put in that box is what is displayed in the headers
of your newsgroup posts. All you need to do is put a fake or "munged"
address (munged means take your real address and put something in it like
"nospam") so something other than your real address is shown. Usenet is
crawling with bots (automated programs) that search out email addresses for
spammers to send to. When the address is harvested from one of your
messages, it will be useless to the spammer if you put in a fake one, or
munge it in such a way that it cannot be readily used without being edited
first.

 

The message rules must be working now, as I'm only receiving a few at a
time, and they have new words in them.

But I need to figure out how to eliminate the worm from my system, which is
just going to continue living here if I don't. I don't know what other
damage it does besides being annoying in email.

Okay, I did that too. If I did it right, it will show up in this message as
.

Thanks,
Sandra

 

Just because you're being deluged with the infected email doesn't mean
your system is infected. That would require that you be stupid enough
to launch the infected file.

 

With MailWasher, I've set up a "not to me" filter. i.e. if the "To" box
"does not contain" my normal e-mail address, then delete. Works fine
since none of the fake MS junk has my addy in the "To" box. I haven't
been able to do this with OE, but Netscape has this option in filtering.

I've noticed many of the "bounce" messeges are no longer containing the
whole (146KB-156KB), attachment sent in the original message. Maybe they're
learning something?

Virg Wall

 

It's easy to do it with OE. You just set up a rule based on the "TO:" field,
put in your email address as the criteria, and then reverse the rule
behavior with the options button to make it reject all mail except those
that specifically have your email address in the "TO:" field. Then set the
action as "delete from server". I have this set up on mine, but it is of
limited use because a substantial part of the spam I usually receive *does*
have my email address in the "TO:" field.

 

Thanks Thor.

--
Dale's simple method of dealing with swen creator.

1) Identify Creator.
2) Throw on ground.
3) Hit with big stick
4) Repeat step 3 until creator no longer moves.
5) Depose of body where it will never be found.

 

This could very well mean that you *are* actually infested
by this worm.

Sorry.

 

She gets the error box when she tries to run regedit, Bill. (

 

You propose murdering someone because you were inconvenienced?
~ Nice....

....many happy "returns" dude.

 

It can evidently harvest e-mail addresses directly from newsgroup
posts on some servers in a list it contains. I think that the "reply-to"
field depends on how the mail server treats the "envelope-from"
field of the incoming SMTP send.

http://www.f-secure.com/v-descs/swen.shtml

So...that means the "circle of friends" ripple effect has
been removed one more level. Sort of like the STDs
being spread not only from partners to partners, but
to everyone who frequents the same restaraunts as well.
Harvesting from the TIF did this too, but I think this is
worse because almost every post has an address, and
both valid and invalid addresses get sent to.

 

Outlook Express can do it too:

Where the To and CC lines contain people.
click on "people" to add your own name in
the text box, click on add ~ then on options
to reverse the logic.

...of course you then lose the sends from your mass mailing friends
with enough of a clue to use Bcc instead of CC ~ but I sort of
whitelisted them by other settings.

Mailwasher is much easier to use than OE though, as far
as setting up filters.

 

Plus KaZaA, NNTP, and mIRC.
Just an FYI for the URL's webmaster..

 

Thanks for the info. I don't use OE very much--should have known to look for
the typical MS "reverse logic". I guess my spamming friends don't know me too
well, as most spam doesn't have my correct addy, even though I left it in this
and other NGs for some time. This method may work better for others, rather
than trying to guess the subject phrase used in the fake MS junk. The stuff
without an address that I have subscribed to is set as "friend" in MailWasher.

Virg Wall

 

The problem with that is if you're subscribed to mailing lists then mail to
that lists will have the address of the list in the 'to' field and not your
own addy.
But even if you have your filters set to delete it, you still have to waste
your time and connection by downloading it into OE.

ceindreadh