[OT] inundated by Swen / Gibe emails

[OT] inundated by Swen / Gibe emails

[Adam Hardy]

Hi All,

is anybody else on the list getting swamped by the result of the latest 
wave of these avalanche-email windows viruses?

I wasn't affected by Sobig or MSSplat or whatever it was, but this time 
I am receiving hundreds of emails a day on this account, since Friday.

It is drowning out the emacs list traffic by a factor of 10 to 1!

Curiously it is only this email address, and not my other ones which are 
being affected. OK, I've had one or two on the other accounts, but 
that's it.

I am wondering why, because I thought I could just delete this email 
address and subscribe on another one, it's just this list that I use the 
address for. But will it help? Any ideas?

If I don't reply again, it's because I missed the mail amongst all the 
Swen crap.

Yours thro the spam,

Adam



-- 
GNU Emacs 21.2.1 on Linux 2.4.20 RH9

Re: [OT] inundated by Swen / Gibe emails

[Rob Thorpe]

> I am wondering why, because I thought I could just delete this email 
> address and subscribe on another one, it's just this list that I use the 
> address for. But will it help? Any ideas?
> 
> If I don't reply again, it's because I missed the mail amongst all the 
> Swen crap.

It might help a bit.  I'm getting swen/gibe emails at the rate of
about 300/200 per day.  I can only assume that this is because lots of
the spammers who've found my address on usenet have caught it.

Does anyone know more?

Re: [OT] inundated by Swen / Gibe emails

[Adam Hardy]

Ah! I just saw that this group is on usenet. Rats! So that why.



On 09/24/2003 10:25 AM Rob Thorpe wrote:
>>I am wondering why, because I thought I could just delete this email 
>>address and subscribe on another one, it's just this list that I use the 
>>address for. But will it help? Any ideas?
>>
>>If I don't reply again, it's because I missed the mail amongst all the 
>>Swen crap.
> 
> 
> It might help a bit.  I'm getting swen/gibe emails at the rate of
> about 300/200 per day.  I can only assume that this is because lots of
> the spammers who've found my address on usenet have caught it.
> 
> Does anyone know more?
> _______________________________________________
> Help-gnu-emacs mailing list
> Help-gnu-emacs@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-gnu-emacs
> 

-- 
GNU Emacs 21.2.1 on Linux 2.4.20 RH9

Re: [OT] inundated by Swen / Gibe emails

[Adam Hardy]

OK, so I see two solutions to this:

(1) start filtering - which I don't like since it will still download 
them and at 125kB a time, that's a waste of bandwidth, and I don't 
really want to get involved with one of those pop3-cleaner-filters.

(2) somehow find a way of disguising my email address on the newsgroup 
without stopping the listserver from mailing me the traffic.

Any suggestions as to how to do 2 would be great.

Also I'd appreciate confirmation from a couple more people that they are 
getting this virus traffic due to the newsgroup.


Thanks
Adam




On 09/24/2003 10:25 AM Rob Thorpe wrote:
>>I am wondering why, because I thought I could just delete this email 
>>address and subscribe on another one, it's just this list that I use the 
>>address for. But will it help? Any ideas?
>>
>>If I don't reply again, it's because I missed the mail amongst all the 
>>Swen crap.
> 
> 
> It might help a bit.  I'm getting swen/gibe emails at the rate of
> about 300/200 per day.  I can only assume that this is because lots of
> the spammers who've found my address on usenet have caught it.
> 
> Does anyone know more?
> _______________________________________________
> Help-gnu-emacs mailing list
> Help-gnu-emacs@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-gnu-emacs
> 

-- 
GNU Emacs 21.2.1 on Linux 2.4.20 RH9

Re: [OT] inundated by Swen / Gibe emails

[ray]

On Wed, 24 Sep 2003, Rob Thorpe wrote:

> It might help a bit.  I'm getting swen/gibe emails at the rate of
> about 300/200 per day.  I can only assume that this is because lots of
> the spammers who've found my address on usenet have caught it.

That's my rate too ... about ... isn't there any end of that in the
near future?  It's becoming nasty!

ray

Re: [OT] inundated by Swen / Gibe emails

[Björn Lindström]

ray@nabuli.de writes:

> That's my rate too ... about ... isn't there any end of that in the
> near future?  It's becoming nasty!

My problems ended after applying the following procmail rules. Normally
I download all mail and split it with Gnus/bogofilter on my home
machine, but 500 140Kb+ messages a day ain't nice on a modem
connection. These two rules has taken out almost everything Swen-related
so far. The first rules just goes for suspicious attachment content
headers, the second does the same thing but smarter (and slower).

----

:0 B
* ^Content-Type:.application/(msword|(x-)?msdownload|vnd.ms-[aptw].*)
{
    LOG="[worm] "

    :0
    /dev/null
}

:0 B
* ^Content-Transfer-Encoding:.*base64
* ^TVqQAAMAAAAEAAAA//8AALg
* 4fug4AtAnNIbg
{
    LOG="[worm] "

    :0
    /dev/null
}

----

-- 
Björn Lindström <bkhl@elektrubadur.se>
http://bkhl.elektrubadur.se/

Hearken to the new *Elektrubadur* demo at http://elektrubadur.se/

Re: [OT] inundated by Swen / Gibe emails

[Gernot Hassenpflug]

Adam Hardy <emacs@cyberspaceroad.com> writes:

> (2) somehow find a way of disguising my email address on the newsgroup
> without stopping the listserver from mailing me the traffic.
>
> Any suggestions as to how to do 2 would be great.
>
> Also I'd appreciate confirmation from a couple more people that they
> are getting this virus traffic due to the newsgroup.

Here is confirmation. I subscribe to a number of rec, alt and sci
groups: they all have the problem. No-one in my lab has been hit apart
from me, and I am the only one using newsgroups. I have no Windows
machine, although lots of other users have, so that more or less rules
out address book stealing in MS software. BellSouth is a major culprit
here apaprently, having someone infected on their net (judging from my
spam headers).

(2) If you use gnus, make a fake email address specific to the
    groups. Simplified example:

(setq gnus-posting-styles
      ;; all styles
      '((".*"
	 (address "gh@nospam.com")
	 (signature-file "~/.signature")
	 (name "Gernot Hassenpflug")
	 ("X-Home-Page" (getenv "WWW_HOME"))
	 (organization "RASC"))
	((message-news-p)
	 (signature-file "~/.sigs/sig.gnussig"))
	("^alt.martial-arts.aikido"
	 (organization "Takemusu Aikido Osaka")
	 (signature-file "~/.sigs/sig.rma"))

That should not affect a listserver subscription, since you would have
subscribed with your real email, and the listserver would have
confirmed that. If the listserver mails out digests with your email in
them, or forwards them to a group with the email in them, that is an
issue you should take up with the list manager: in the lists I
subscribe to the addresses are removed and you can only get someone's
address by forwarding an email to the other person through the list
master. The other person can then reply directly by email.

-- 
G Hassenpflug RASC, Kyoto University

Re: [OT] inundated by Swen / Gibe emails

[Gernot Hassenpflug]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 591 bytes --]

bkhl@elektrubadur.se (Björn Lindström) writes:

> ray@nabuli.de writes:
>
>> That's my rate too ... about ... isn't there any end of that in the
>> near future?  It's becoming nasty!

I use procmail in conjunction with junkmail filter. It automatically
removed all the MS and swen.a virus mails and put them in the spam
tray. Abouth 500+ a day for the last week and I never even knew about
it until I looked at my spam tray after seeing the logfile. I highly
recommend junkfilter if you are on a Unix system and work in
conjunction with procmail.

-- 
G Hassenpflug RASC, Kyoto University

Re: [OT] inundated by Swen / Gibe emails

[Glyn Millington]

Gernot Hassenpflug <gh@nospam.com> writes:

> I use procmail in conjunction with junkmail filter. It automatically
> removed all the MS and swen.a virus mails and put them in the spam
> tray. Abouth 500+ a day for the last week 

That's an enormous quantity of stuff to download!   Since Thursday I've
been resorting to popsneaker which checks the headers and kills off the
unwanted stuff on the server before dowloading.  Seems to work well so
far.

hth


Glyn

Re: [OT] inundated by Swen / Gibe emails

[Gernot Hassenpflug]

Glyn Millington <glyn@millingtons.org> writes:

> Gernot Hassenpflug <gh@nospam.com> writes:
>
>> I use procmail in conjunction with junkmail filter. It automatically
/../

> That's an enormous quantity of stuff to download!   Since Thursday I've
> been resorting to popsneaker which checks the headers and kills off the
> unwanted stuff on the server before dowloading.  Seems to work well so

Glyn, I work at a Unix workstation. Sendmail puts the mail on the
mailserver. Procmail fetches it from there and filters it through
junkmail filter into my local account mail folders (I read it with
mew, a Japanese emacs mail program, but gnus or Wanderlust or mh would
do as well).

If the mailserver can only be accessed via APOP would popsneaker work?
If I use POP3 from my mail program, I have to use a .forward file to
first move all the mail to a different machine which has the less
secure POP3 on it. Then the work would be similar....

Any thoughts here?
-- 
G Hassenpflug RASC, Kyoto University

Re: [OT] inundated by Swen / Gibe emails

[Glyn Millington]

Gernot Hassenpflug <gh@nospam.com> writes:
> Glyn, I work at a Unix workstation. Sendmail puts the mail on the
> mailserver. Procmail fetches it from there and filters it through
> junkmail filter into my local account mail folders (I read it with
> mew, a Japanese emacs mail program, but gnus or Wanderlust or mh would
> do as well).
>
> If the mailserver can only be accessed via APOP would popsneaker work?
> If I use POP3 from my mail program, I have to use a .forward file to
> first move all the mail to a different machine which has the less
> secure POP3 on it. Then the work would be similar....

I think popsneaker should work with apop - below isa snip from the manual

,----
| This is the 0.6 release of popsneaker.  It contains some redesigns in
|   the networking code to make popsneaker more modular.  While prior
|   versions support only the POP3 protocol, it should become possible now
|   to connect to servers using many different methods.  The following
|   mail-retrieval protocols are currently supported: POP3 (incl. APOP).
`----

On the other hand I believe that many of the  current wave of spam
messages are very large - over 100K - so it should be possible simply ti
filter them with either procmail or fetchmail on that basis - I set up
popsneaker here before discovering this ;-)

Good luck

Glyn