Re: [Full-Disclosure] Swen Really Sucks
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Swen Really Sucks
- From: Evan Borgstrom <evan.borgstrom@xxxxxxxxxx>
- Date: 24 Sep 2003 10:59:50 -0400
http://tmda.sourceforge.net
Blacklist-centric message system.
I haven't seen a single Swen message yet. It doesn't solve the bandwidth
problem but at least it solves the problem of the messages appearing in
your inbox.
On Wed, 2003-09-24 at 03:29, Peter Busser wrote:
> Hi!
>
> > Therefore, no IP, e-mail, or domain filter will solve the problem
> > completely without filtering every single possible permutation of From:
> > address that the virus spits out...
>
> I use several procmail rules to filter out domains (microsoft.com, msdn.com,
> etc.) in From: and From, To: (e.g. microsoft.com) and certain words in the
> subject (e.g. Microsoft). Since the virus depends on looking like an authentic
> message, it can't do too much randomisation of the domains and subject lines.
> Of course the filtering is not perfect, but it still reduces the number of
> virus messages hitting the inbox.
>
> Removing messages with an executable attachment will also help of course.
> Except with the messages sent to mailing lists that remove attachments
> altogether.
>
> > and using the "From" address rather than
> > the "From:" address for the filter doesn't work, either, because the "From"
> > address appears to be a different non-randomized e-mail address, possibly the
> > real e-mail address of the infected victim (? haven't read any forensic
> > analysis on this point yet...)
>
> Does this imply that your e-mail filter does not understand regular
> expressions?
>
> Groetjes,
> Peter Busser
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
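The header and attachment checks Peter describes (spoofed domains in From:/To:, a keyword in Subject:, an executable attachment), written as an added Python example that is not part of this thread. The domain list, subject word and extension list are assumptions, the sample message is constructed, and the code inspects only the From: header, not the envelope "From " line the thread also mentions.

```python
import re
from email import message_from_string

# Constructed sample of a Swen-style lure as described in the thread:
# Microsoft look-alike sender and subject plus an executable attachment.
SAMPLE_LURE = """From: "MS Security Center" <bulletin@microsoft.com>
To: user@example.org
Subject: Microsoft Internet Update Pack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install this update.
--b1
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"

MZ...
--b1--
"""

# Regexes standing in for the procmail rules in the thread. The exact
# domains, subject word and extensions are assumptions for this example.
SPOOFED_DOMAIN = re.compile(r"@(?:[\w.-]+\.)?(microsoft|msdn)\.com\b", re.I)
SUBJECT_WORDS = re.compile(r"\bmicrosoft\b", re.I)
EXEC_NAME = re.compile(r"\.(exe|scr|pif|bat|com)$", re.I)

def matched_rules(raw):
    """Return the names of the filter rules that fire for one raw message."""
    msg = message_from_string(raw)
    hits = []
    for hdr in ("From", "To"):          # spoofed domain in From:/To:
        if SPOOFED_DOMAIN.search(msg.get(hdr, "")):
            hits.append(f"{hdr.lower()}-domain")
    if SUBJECT_WORDS.search(msg.get("Subject", "")):
        hits.append("subject-word")
    for part in msg.walk():             # any executable attachment name
        if EXEC_NAME.search(part.get_filename() or ""):
            hits.append("exe-attachment")
            break
    return hits

def is_swen_like(raw):
    """True if at least one rule fires; procmail would divert the message."""
    return bool(matched_rules(raw))
```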