Re: Swen Really Sucks

[Evan Borgstrom <evan.borgstrom () ca mci com>]

http://tmda.sourceforge.net

Blacklist centric message system.

I haven't seen a single swen message yet. It doesn't solve the bandwidth
problem but at least it solves the problem of the messages appearing in
your inbox.

On Wed, 2003-09-24 at 03:29, Peter Busser wrote:
> Hi!
>
> > Therefore, no IP, e-mail, or domain filter will solve the problem
> > completely without filtering every single possible permutation of From:
> > address that the virus spits out...
>
> I use several procmail rules to filter out domains (microsoft.com, msdn.com,
> etc.) in From: and From, To: (e.g. microsoft.com) and certain words in the
> subject (e.g. Microsoft). Since the virus depends on looking like an authentic
> message, it can't do too much randomisation of the domains and subject lines.
> Of course the filtering is not perfect, but it still reduces the number of
> virus messages hitting the inbox.
>
> Removing messages with an executable attachment will also help of course.
> Except with the messages sent to mailing lists that remove attachments
> alltogether.
>
> > and using the "From" address rather than
> > the "From:" address for the filter doesn't work, either, because the "From"
> > address appears to be a different non-randomized e-mail address, possibly the
> > real e-mail address of the infected victim (? haven't read any forensic
> > analysis on this point yet...)
>
> Does this imply that your e-mail filter does not understand regular
> expressions?
>
> Groetjes,
> Peter Busser

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html