GEN-MEDIEVAL-L Archives



From: Barbarossa <>
Subject: Re: "I'm Being Deluged By Emails"
Date: Sun, 21 Sep 2003 02:50:11 GMT
References: <Iu%ab.996$wS2.34564@eagle.america.net> <20030920210142.88868.qmail@web41704.mail.yahoo.com>


Barbarossa:

Chico, and others, have asked where all this M$-type spam
is coming from. This is the best explanation I have seen so
far, if a bit technical. Forwarded from alt.genealogy:

> Hasn't anyone found the source of these emails??? I mean,
> they must be originating somewhere? And with so many of them
> someone should be able to detect the source? ... Just a
> thought.

Dennis Lee Bieber wrote:

They are coming from a few hundred (thousand?) infected
computers.

Swen uses direct SMTP for sending messages -- thereby
bypassing one's normal mail client when sending. Swen also
makes use of the binary file transfer capabilities of IRC.

The first wave was, as I understand it, sent manually
as just normal UCE-type spam (i.e., a big mailing list send),
but after some of that wave got installed (and Outlook* still
had a few vulnerabilities that would automatically run the
attachment) those infected machines started running
automatically. It is also, from reports, designed to shut down
firewalls and anti-virus programs once it starts (along with
also disabling REGEDIT so you can't go in and remove its
startup from the registry). Disabling firewalls is what would
let it use its own SMTP -- since you don't see (for example:
zone alarm) popping up a message "program xyz is attempting to
connect to the internet".

Swen has also appeared in some usenet groups. It also
attempts to spread over file-sharing servers.

I've currently got a Python script running with a
90-second check interval, scanning headers and scoring them on
message size, number of keywords found in the subject, and
number of keywords found in the from field. It deletes the
message directly from the server if the headers have enough
keywords or the message falls into the size limit with at
least one keyword match (and a blank subject is counted as a
match!).

Even with a 90 second check period, I'm still getting
something like three messages when my email program actually
goes to check for real mail.

--
==============================================================
| Wulfraed Dennis Lee Bieber KD6MOG
| Bestiaria Support Staff
==============================================================
Bestiaria Home Page: http://www.beastie.dm.net/
Home Page: http://www.dm.net/~wulfraed/

--
_____________B_a_r_b_a_r_o_s_s_a____________ ;^{>
Wayne B. Hewitt Encinitas, CA
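The header-scoring filter Dennis describes above, written out as an added example (not his script and not part of the original post): it scores a message on size, Subject keywords and From keywords, counts a blank Subject as a match, and flags for deletion on enough keyword hits alone or on one hit when the size falls in the expected window. The keyword lists, threshold, size window and sample headers are assumptions constructed for illustration, since the post gives none of them.

```python
"""Header-scoring filter of the kind Dennis describes: score a message on size,
Subject keywords and From keywords, and delete it when the score is high enough.
Added example, not the poster's script; the keyword lists, threshold, size window
and sample headers are assumptions constructed for illustration."""
from email import message_from_string

# Assumed keyword lists (hypothetical) for mail posing as a vendor security update.
SUBJECT_KEYWORDS = ("microsoft", "security", "update", "patch", "bulletin", "upgrade")
FROM_KEYWORDS = ("microsoft", "ms corporation", "security", "technical services")
KEYWORD_THRESHOLD = 3             # assumed: this many hits alone is enough to delete
SIZE_WINDOW = (100_000, 180_000)  # assumed byte range for the worm's attachment

def count_hits(text, keywords):
    """Count the distinct keywords present in text, case-insensitively."""
    lowered = text.lower()
    return sum(1 for k in keywords if k in lowered)

def score_headers(raw_headers, size):
    """Return (keyword_hits, size_in_window) from the header block alone;
    a blank or missing Subject counts as one hit, as in the post."""
    msg = message_from_string(raw_headers)
    subject = msg.get("Subject") or ""
    sender = msg.get("From") or ""
    hits = count_hits(subject, SUBJECT_KEYWORDS) + count_hits(sender, FROM_KEYWORDS)
    if not subject.strip():
        hits += 1
    low, high = SIZE_WINDOW
    return hits, low <= size <= high

def should_delete(raw_headers, size):
    """Delete on enough hits alone, or on one hit when the size is in the window."""
    hits, in_window = score_headers(raw_headers, size)
    return hits >= KEYWORD_THRESHOLD or (in_window and hits >= 1)

# Constructed sample header blocks with their reported sizes (not real mail).
SAMPLES = [
    ("From: MS Corporation Security Center <updates@example.invalid>\n"
     "Subject: Latest Microsoft Security Update\n\n", 145_000),  # many hits
    ("From: unknown@example.invalid\nSubject: \n\n", 150_000),  # blank subject, size fits
    ("From: Chico <chico@example.org>\n"
     "Subject: Re: Hewitt family of Encinitas\n\n", 4_200),  # ordinary list mail
    ("From: helpdesk@example.invalid\nSubject: Security patch\n\n", 60_000),  # 2 hits, size off
]

def run_samples():
    """Apply the filter to each sample; True means 'delete from the server'."""
    return [should_delete(headers, size) for headers, size in SAMPLES]
```

Only the header block and the reported size are consulted, so the same decision can be made before the body is ever downloaded, which is what lets such a script delete directly on the server.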

