Re: SWEN virus.
From: Don Taylor (dont_at_agora.rdrop.com)
Date: 10 Nov 2003 16:34:26 -0600
"Shashank Khanvilkar" <firstname.lastname@example.org> writes:
>> Do you have administrative access to the server? If not, contact your ISP,
>I have administrative access to one of my servers... but the other is
>controlled by someone else.. and unfortunately I am receiving such mails on
>both mail accounts.
>I already have spam-assassin, which is not doing a very good job..
>But that is not of concern, as I may have misconfigured it.
>My real concern is how can one remedy this problem at the root.. Even if I
>install anti-virus software, my server is still receiving those bloody
>emails, wasting a lot of BW. Isn't there any current mechanism built into
>SMTP, which will automatically stop relaying messages from the culprit,
>right at the first hop, and if not what can be done about it.
>All comments appreciated.
Procmail can be VERY effective at deleting Swen when it reaches your
servers. A single line is sufficient to dump all the Swen, well, at
least all the Swen that hasn't been castrated by removing the binary
of the virus itself. And it is FAR more effective at this than
Spam-assassin, which can build up vast databases trying to cope with
large quantities of this binary mail.
As for stopping it before it reaches your server, log the domains
that are delivering the bulk of the Swen to your server. I would
suggest that dropping about a dozen or two ip address ranges, that
you are never going to receive a legitimate email from in your life,
into a block list would eliminate 3/4 of all the Swen virus.
Here are my top candidate domains for adding to block lists.
A total of 10832 Swen received from 1032 domains in the last 4 weeks.
Ocn.ne.jp occasionally says they are doing something but their Swen
count keeps climbing as fast as ever. Telus.net, the same. All appear
to be working very hard to really do nothing to stop spewing Swen.
And, btinternet's count is actually hundreds higher, they spewed 99
from blueyonder plus other domains.
But, 80% of the domains that have spewed Swen at me quickly put a stop
to this after getting a complaint about this and rarely did one of them
ever send another one.
So, see if you have legitimate customers from any of your top two dozen
spew hosts, and if it won't kill you then just kill them with a block
list. It will make life easier. If you want to bounce their binary
back at their abuse address for the domain, maybe even better. A few
days of blowing ten million Swen back at each of these might make them
put the rest of the world in their block lists and we could all get
on with the net. But they won't do anything about it.
-- 
More than 20 years ago when I first got involved with the net everyone on the net was either a white collar professional, who would never think of doing anything to risk their reputation, or was a student and knew what we would do to them if they did. I apologize for most of what the net has become. I'm sorry. I'm very very sorry. It was never meant to turn out this way.
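As an added example (not code from Don Taylor's post), the following Python script does the two things the post recommends: flag mail that still carries the worm's binary attachment, the way the single procmail line would, and tally which relay domains deliver the most of it so you can pick block-list candidates. The executable-extension list, the relay hostnames and the sample messages are constructed assumptions, not real captures.

```python
import re
from collections import Counter
from email import message_from_string

# Attachment extensions treated as "the binary of the virus" (assumption:
# Swen travelled as a Windows executable attachment; extend as needed).
BINARY_EXT = re.compile(r"\.(exe|scr|pif|com|bat)$", re.IGNORECASE)
RECEIVED_FROM = re.compile(r"^from\s+([\w.-]+)", re.IGNORECASE)

def carries_binary(raw):
    """True if any MIME part carries an executable attachment filename."""
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and BINARY_EXT.search(name):
            return True
    return False

def relay_domain(raw):
    """Domain of the host that handed us the mail (topmost Received header).
    Crude heuristic: drop the leftmost label of the relay's hostname."""
    received = message_from_string(raw).get_all("Received") or []
    match = RECEIVED_FROM.match(received[0]) if received else None
    if not match:
        return None
    labels = match.group(1).lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else ".".join(labels)

def top_spew_domains(raws, n=3):
    """Block-list candidates: domains relaying the most binary-carrying mail."""
    counts = Counter(relay_domain(r) for r in raws if carries_binary(r))
    return counts.most_common(n)

def make_msg(relay_host, attachment=None):
    """Constructed sample in the shape of the Swen mail the thread describes."""
    msg = (f"Received: from {relay_host} ([192.0.2.1]) by mx.example.org\n"
           "Subject: Security Update\nMIME-Version: 1.0\n"
           'Content-Type: multipart/mixed; boundary="b"\n\n'
           "--b\nContent-Type: text/plain\n\nInstall this patch.\n")
    if attachment:
        msg += (f'--b\nContent-Type: application/octet-stream; name="{attachment}"\n'
                f'Content-Disposition: attachment; filename="{attachment}"\n'
                "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA\n")
    return msg + "--b--\n"

# Constructed traffic sample: three spew domains (named in the thread) plus one
# clean sender that must not land on the block list.
SAMPLES = ([make_msg("pc1.ocn.ne.jp", "patch.exe")] * 5
           + [make_msg("dsl.telus.net", "q123.exe")] * 3
           + [make_msg("mail.btinternet.com", "update.scr")] * 2
           + [make_msg("mail.legit-example.org"), make_msg("mail.legit-example.org", "report.pdf")])
```

Run `top_spew_domains(SAMPLES)` to get the ranked candidates; in production, feed it the raw messages your MTA logged over the period you care about.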