SWEN Sure Cure
Posted by Stephen G. Giannoni on October 21st, 2003


Only sure way to stop SWEN dead cold is to change your E-mail address,
then be sure it's munged to the newsgroups.

A bit of trouble sure, but what a relief.


Posted by Chuck on October 21st, 2003


On Tue, 21 Oct 2003 18:06:14 GMT, Stephen G. Giannoni
<EmailAddressWithheld@earthlink.net> wrote:

That's not stopping it, it's running away from it. Maybe the simplest
solution for YOU, but does nothing to stop the shit.

The only way to stop Swen is to report the infected computers.

I started reporting each Swen email two weeks ago, when I was getting
75 - 100 / day. This was a fscking nuisance, but I have gotten none
for the past few days. You need to report each infection as soon as
you can; each email you're getting is also going to somebody else who
may become infected and make the problem worse.

There is one and only one valid way to identify the ISP for the
infected computer, which requires that you examine the headers. Here
is an example:

####### Start Example #######

Return-Path: <gabriele.sgarzoni@tiscalinet.it>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id
h95L6baQ017487
for <xxxxxxxx@lds.xxxx.net>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
for <xxxxxxxx@xxxx.net>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Date: Sun, 5 Oct 2003 23:01:27 +0200 (added by
postmaster@mail-6.tiscali.it)
Message-ID: <3F79B1480042D178@mail-6.tiscali.it> (added by
postmaster@mail-6.tiscali.it)
FROM: "Security Division" <wsuhigrormafj@ndezew.ms.com>
TO: "Commercial Customer" <customer_dzllfopr@ndezew.ms.com>
SUBJECT: Latest Network Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vjwtmhybcefqo"
X-Spam-Status: Yes, hits=5.9 required=5.0
tests=ALL_CAPS_HEADER,MICROSOFT_EXECUTABLE,MIME_HTML_NO_CHARSET,
MSG_ID_ADDED_BY_MTA,RCVD_IN_MULTIHOP_DSBL,
RCVD_IN_UNCONFIRMED_DSBL,SPAM_PHRASE_00_01
version=2.43
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)

Microsoft Customer

this is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities.
This update includes the functionality of all previously released
patches.
BLAH BLAH BLAH

####### End Example #######

The infected computer, in the example, is adqy (62.11.181.97).

10/6/2003 10:08:03 whois -h whois.ripe.net 62.11.181.97


remarks: | PLEASE CONTACT OUR ABUSE DIVISION (abuse@tiscali.it) |
remarks: | FOR ABUSE and-or SPAM COMPLAINTS. |


Send this complaint, with full headers, to abuse@tiscali.it.

There are any number of online whois lookup tools. I use All-NetTools
( http://www.all-nettools.com/tools1.htm ) and Broadband Reports (
http://www.dslreports.com/whois ).

Also, there are several tools which you can install. I use Sam Spade
( http://www.samspade.org/ssw/ ) and TESP ABouncer (
http://www.tesp.com/abounce/ ). Both contain whois and other tools,
and both help you format and send the complaint.



Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
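The header walk Chuck describes, as an added Python example that is not part of the original post: it unfolds the quoted headers (embedded below as constructed sample input copied from the example above), reads the Received chain top-down, and returns the host that connected to the first relay, which is the machine to name in the abuse complaint. The `chain_consistent` check is my own assumption, not something the post describes: it flags a bottom Received line that no trusted relay above it vouches for.

```python
import re

# Constructed sample input: the Received chain from the message quoted
# above, with continuation lines folded the way a real MTA writes them.
SAMPLE_HEADERS = """\
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
\tby eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487
\tfor <xxxxxxxx@lds.xxxx.net>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
\tby a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
\tfor <xxxxxxxx@xxxx.net>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
\tid 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
"""
HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s*(?:\((?P<paren>[^)]*)\))?"
                    r".*?\bby\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(raw):
    """Join continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """One dict per Received header, newest hop first: host = what the
    sender called itself, ip = address the relay saw, by = the relay."""
    hops = []
    for line in unfold(raw):
        if line.lower().startswith("received:"):
            m = HOP_RE.search(line)
            if m:
                ip = IP_RE.search(m.group("paren") or "")
                hops.append({"host": m.group("host"), "by": m.group("by"),
                             "ip": ip.group(1) if ip else None})
    return hops

def chain_consistent(hops):
    """Assumed sanity check: each relay in 'by' should be the host the hop
    above received 'from'; a break suggests a forged trailing Received."""
    return all(up["host"].lower() == low["by"].lower()
               for up, low in zip(hops, hops[1:]))

def originating_hop(raw):
    """Bottom Received line: the machine that connected to the first relay."""
    hops = received_hops(raw)
    return hops[-1] if hops and chain_consistent(hops) else None
```

The "by" relay of the originating hop (here mail-6.tiscali.it) is also the network whose whois abuse contact receives the report.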

Posted by Stephen G. Giannoni on October 21st, 2003


Man, you've got to be kidding, right?!...

You'll never get enough people to take that much trouble.

I believe SWEN is here to stay, until most ISPs institute a program of
scanning everything and deleting (undelivered) positives for SWEN.

Posted by Will Dormann on October 21st, 2003


Chuck wrote:


That's pretty ambitious, as during its peak I was receiving a copy of
Swen approximately every 10 seconds. I think I stopped counting once I
reached around 25,000 copies of it.

If I were to reply to each one, it'd be a full-time 24/7 job for me.


-WD


Posted by Terry Austin on October 21st, 2003


Stephen G. Giannoni <EmailAddressWithheld@earthlink.net> wrote in
news:901bpvo4h8cp7hp0i67giqn666l4iu33ms@4ax.com:


--
Terry Austin
taustin@hyperbooks.com
http://www.hyperbooks.com/
Roleplaying Stuff

Posted by JM on October 21st, 2003


quoting:

What I did on the first day of mailboxes filling up, I just adjusted my spam
filters at the server level to drop it. Haven't had a SWEN mail find
its way past since.


Posted by Chuck on October 21st, 2003


On Tue, 21 Oct 2003 19:11:40 GMT, Stephen G. Giannoni
<EmailAddressWithheld@earthlink.net> wrote:

It's a pain in the @ss, admittedly.

But it's NOT here to stay. People are becoming aware of it, and
cleaning their computers. Some folks read about it, and clean
themselves before they get a notice from their ISP. Others are
getting notices from their ISP, after somebody like me sends the ISP a
report - THEN cleaning themselves.

Some ISPs are filtering it too. Other ISPs are warning their
customers - then taking them offline til they clean themselves.

My incoming Swen has stopped anyway. Reporting it worked for me.

If everybody would report it, it would go away quickly. If a few of
us report it, it will go away slowly, and eventually it will get to
the point where the rest of us start to see a reduction. Then they'll
be able to report it too.

You don't have to report all of what you get. Just take some spare
time and report some - that lessens the load on everybody. I waited
about a week after I first started seeing it, til I had some spare
time. Then I took the most recent emails, and reported them. After a
couple days of doing that, I started to see less. Then I was able to
take the older ones and report them.

With a tool like TESP, you can analyse, create a report, and dispatch in
15 seconds. Faster if you have good eyesight and reflexes (mine are
starting to go - too much late night parties). A fast computer
helps too.

Even someone like JM will see a reduction eventually.


Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.

Posted by Dave Warren on October 22nd, 2003


I started using a 3rd party email service (www.me2u2me.com) which has
free email spam and virus protection. I managed to get my incoming
SWEN email reduced from 200 a day to 10 a day. But now it has suddenly
crept back to 40 a day, so therefore I don't believe fighting each
and every sender is a total solution.

I am using an ISP called 3web and all the users of 3web are getting
this email. I reported the problem to them but they replied back
saying they are doing everything they can to resolve the problem.

On 21 Oct 2003 13:48:19 -0500, Chuck <cacrollthespam@yahoo.com> wrote:


Posted by Stephen G. Giannoni on October 22nd, 2003


The ONLY way this is going to stop is when most ISPs start scanning
all E-mail for SWEN and deleting anything that tests positive.

Meanwhile, some logical change to your E-mail address will stop it
cold.

Posted by Jason Wade on October 22nd, 2003


On Tue, 21 Oct 2003 15:47:08 -0500, Chuck wrote:

Reporting has significantly reduced my Swens even though
I post to usenet with a valid reply-to addy.

--
Windows: What worm do you want to host today?


Posted by D McAuliffe on October 22nd, 2003


"Stephen G. Giannoni" <EmailAddressWithheld@earthlink.net> wrote in message
news:rambpvkul5jk8fv44ua1bqfq8i3e2d4g8b@4ax.com...
Granted you won't be receiving them for a while, but probably only for a
short while. You'll be giving out your new address, and most likely to the
same infected person that affected you. If they haven't learned their
lesson....., if they're still infected....
BTW, if casagiannoni3-AT-earthlink.net is an address back to you, you might
want to know it appears in your X-Trace headers. Apparently this is new for
Earthlink.
--

~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
To Email-
Replace: mailinator.com
with: email.com
~~~~~~~~~~~~~~~~~~



Posted by Stephen G. Giannoni on October 22nd, 2003


I noticed this yesterday; Tks. EL!...

Apparently SWEN doesn't harvest from this part of the headers since I
haven't gotten any yet.


Posted by Chuck on October 22nd, 2003


On Wed, 22 Oct 2003 01:49:24 GMT, Jason Wade
<savon1414.ostrich@earthlink.invalid> wrote:

?? savon1414.ostrich@earthlink.invalid is not a valid reply-to addy.

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.

Posted by Chuck on October 22nd, 2003


On Tue, 21 Oct 2003 21:03:57 -0400, Dave Warren wrote:

the newly infected computers, so even as previously reported computers
are cleaned, the new infections will address you.

If you munge your address, the newly infected computers will find
other addresses from Usenet, and you'll be ignored.

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.

Posted by Grinder on October 22nd, 2003



"Stephen G. Giannoni" <EmailAddressWithheld@earthlink.net> wrote in message
news:901bpvo4h8cp7hp0i67giqn666l4iu33ms@4ax.com...
I was getting almost one a minute about a month ago. I started writing to
the ISPs, munged my address and I am down to 70-80 per day. Many ISPs will
contact the suspected user - Earthlink suspends the account until the
computer is cleaned of the virus. However, Swen is here to stay because 1)
of irresponsible ISPs (which I would like to be identified in this
newsgroup), 2) idiots who do not use virus protection software and have an
unnatural compulsion to open attachments from people they do not know.



Posted by Don Taylor on October 22nd, 2003


"Grinder" <thomgrs@earthlink.invalid> writes:
These might be good candidates for ISPs who seem to be doing nothing.

host                 virus received   notes
dion.ne.jp                 20         no sign of action, same number every day
dublin.eircom.net          21         no sign of action, same number every day
so-net.ne.jp               22         no sign of action, same number every day
tiscali.it                 27         bounced complaints, now seems to ignore them
btinternet.com             28         stopped swen after 10 days, then it started again
singnet.com.sg             30         moved to web-based complaints, then removed webpage
telus.net                  30         long history of complaints about them
wanadoo.fr                 30         long history of complaints about them
hetnet.nl                  31         no sign of action, same number every day
brutele.be                 54         no sign of action, same number every day
tin.it                     61         no action by tin.it about complaints for years

total received            995         since Wed Oct 15 19:19:05 UTC 2003,
when automated logging and complaints to host abuse address were installed.

But, on a good day I get a small number of responses
"found that, fixed it, thanks"
And out of the 233 hosts that have sent SWEN since last Wednesday,
168 of them sent less than 3. Perhaps that means that most of
those hosts tracked down their infected customer and put a stop
to it. Otherwise I'd guess they would have sent a dozen or more
to me like many of the rest of the hosts did.

Posted by Tech Zero on October 23rd, 2003


The voice of "Don Taylor" drifted in on the cyber-winds,
from the sea of virtual chaos...


It's a sad fact that you can lead a horse to water but you can't make him
drink...

Current Telus actions to combat viruses:
- Free antivirus software
- Weekly virus alerts & updates via their newsletter
- A stricter TOS, with auto suspension (for 2 years now)

And despite all this there are still enough morons using Telus to keep
it in the bad graces of some of the more zealous anti-spam crowd.

To this end I've since turned off "auto purge" on my bit bin account, and
have reactivated a few aliases of mine that I know Swen has, in hopes of
getting these local violators tossed. After all, once I set up my
servers I'd like to meet a favorable crowd, rather than get black-holed
just because I have a Telus IP...

--
The Tech Zero, Maxwell C.G. Pollare

