September 23rd 03, 03:18 PM
David Stinson

SWEN Worm Filters That Work

I'm having good success with filtering the SWEN worm garbage
using these filter terms (*letter case and phrases count*):

Filtering for SUBJECT:
Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
User unknown, Returned to Mailer, Critical, failure,
Letter, Advice, Announcement, Message, Latest, Bug, Error,
Notice, Network, Security, Undelivered Mail, Status Notification,
Undeliverable.

Filtering for SENDER:
Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
webservice, Message, Mail Delivery, webbot

So far, it's nailing about 95% of the stuff.
Be sure to check trash before deleting it, since
I was catching one "good" user when I included "ms"
uncapitalized by mistake.

Good luck weathering the storm,
Dave Stinson AB5S

September 23rd 03, 08:26 PM
Martin

"David Stinson" wrote in message ...
> I'm having good success with filtering the SWEN worm garbage
> using these filter terms (*letter case and phrases count*):
>
> Filtering for SUBJECT:
> Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
> User unknown, Returned to Mailer, Critical, failure,
> Letter, Advice, Announcement, Message, Latest, Bug, Error,
> Notice, Network, Security, Undelivered Mail, Status Notification,
> Undeliverable.
>
> Filtering for SENDER:
> Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
> webservice, Message, Mail Delivery, webbot
>
> So far, it's nailing about 95% of the stuff.
> Be sure to check trash before deleting it, since
> I was catching one "good" user when I included "ms"
> uncapitalized by mistake.
>
> Good luck weathering the storm,
> Dave Stinson AB5S

I started to kill the beast using filters, but there always seemed to be a
couple of new ones needed for each new onslaught.

I found that it was much less frustrating to use my Norton Antivirus which
has an email option that automatically sends anything containing a virus in
its definitions file (which was automatically updated to include swen)
directly to the Deleted Items folder without human intervention. Then I
check that folder when convenient before deleting everything with a click.
So far it's worked 100%.

Marty K1FHR


September 23rd 03, 09:19 PM

"David Stinson" wrote in message ...
> I'm having good success with filtering the SWEN worm garbage
> using these filter terms (*letter case and phrases count*):
>
> Filtering for SUBJECT:
> Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
> User unknown, Returned to Mailer, Critical, failure,
> Letter, Advice, Announcement, Message, Latest, Bug, Error,
> Notice, Network, Security, Undelivered Mail, Status Notification,
> Undeliverable.
>
> Filtering for SENDER:
> Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
> webservice, Message, Mail Delivery, webbot
>
> So far, it's nailing about 95% of the stuff.
> Be sure to check trash before deleting it, since
> I was catching one "good" user when I included "ms"
> uncapitalized by mistake.
>
> Good luck weathering the storm,
> Dave Stinson AB5S

I just changed my e-mail address. Dave, what filter are you using?
Earthlink does not allow that kind of filtering, as far as I can tell.


September 23rd 03, 10:16 PM

In article , David Stinson wrote:
> I'm having good success with filtering the SWEN worm garbage
> using these filter terms (*letter case and phrases count*):
>
> Filtering for SUBJECT:
> Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
> User unknown, Returned to Mailer, Critical, failure,
> Letter, Advice, Announcement, Message, Latest, Bug, Error,
> Notice, Network, Security, Undelivered Mail, Status Notification,
> Undeliverable.
>
> Filtering for SENDER:
> Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
> webservice, Message, Mail Delivery, webbot
>
> So far, it's nailing about 95% of the stuff.
> Be sure to check trash before deleting it, since
> I was catching one "good" user when I included "ms"
> uncapitalized by mistake.
>
> Good luck weathering the storm,
> Dave Stinson AB5S

*IF* you can filter on message _body_ content, the following couple of
rules catch practically *every* email-carried virus:

rule 1: a blank line (defined as -zero- or more spaces and/or tabs only)
followed by a line that begins with the three characters 'TVq'.
(this will catch *any* base64-encoded MS executable, so it could
be a problem if people _legitimately_ send you .EXE files as
attachments.)
rule 2: the character string "iframe", with the string "cid:" occurring
'somewhat' later. EVERY occurrence of this form of exploit attempt
has had the 'iframe' and 'cid:' on the same line, but they don't
_have_ to be. (this one even catches the stupid 'bounce' messages
that result from the virus having forged _your_ address as the
sender, but where the 'executable content' [that would trigger
rule 1] has been stripped out by the recipient's virus-filter
software.)

I also use a 3rd rule, specifically targeted at the fake "MS security update"
emails -- it's similar to rule 1:

rule 3: a blank line (defined as -zero- or more spaces and/or tabs only)
followed by a line that begins with the three characters 'R0l'.
(that's a capital R, the digit -zero-, and a lower-case L)
This one may be too aggressive for many people. It'll trigger on
*any* .GIF file attachment.


The *ideal* tool for doing this kind of filtering is a utility known as
'procmail', installed *on* the mail-server. It processes mail _as_it_arrives_,
*before* delivery to your mailbox. Using the above rules, with a 'throw the
message away' action when triggered, your inbox doesn't fill with clutter,
nor require 'frequent' draining.

I have the luxury of running my own mailserver (on a Unix box), _with_ procmail
installed. It's dumped over *three*hundred*megabytes* of these mails within
the last 20 hours. That's 2000+ messages. _Six_ messages, that had had the
'executable content' removed, managed to get through to my inbox.
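
The three body rules above, written out as regexes and run over a few constructed sample messages. This is an added example, not code from the post or from procmail: the function and sample names are mine, the sample messages are made up (with real base64 of a DOS/PE header and of a GIF header so the rules see what they would see on the wire), and the procmail recipe in the comments is my assumed rendering of rule 1, not the poster's rc file.

```python
"""Added example: the poster's three body-content rules as Python regexes,
applied to constructed sample messages.  Not the poster's configuration."""
import base64
import re

# Rule 1: a blank line (zero or more spaces/tabs) followed by a line that
# starts with 'TVq'.  'TVq' is the base64 encoding of the bytes 'MZ\x90',
# the start of a DOS/PE executable, so ANY base64 .EXE attachment matches,
# whether it came from the worm or from a colleague.
# Assumed procmail equivalent (check against procmailrc(5) before use):
#   :0 B
#   * ^[ \t]*$TVq
#   /dev/null
RULE1_BASE64_EXE = re.compile(r"(?m)^[ \t]*\r?\nTVq")

# Rule 2: 'iframe' with 'cid:' somewhere later in the body.  This is the
# HTML wrapper that points a hidden frame at the attached MIME part; the
# post notes the two strings need not share a line, so the match spans
# newlines.  Case-insensitivity is my addition (HTML tag names are).
RULE2_IFRAME_CID = re.compile(r"iframe.*?cid:", re.IGNORECASE | re.DOTALL)

# Rule 3: same shape as rule 1 for 'R0l', the base64 encoding of 'GIF'.
# The post warns it fires on every GIF attachment, so it is opt-in here.
RULE3_BASE64_GIF = re.compile(r"(?m)^[ \t]*\r?\nR0l")


def base64_prefix(magic: bytes) -> str:
    """First three base64 characters of a file's magic bytes; this is how
    the 'TVq' and 'R0l' strings in the rules are derived."""
    return base64.b64encode(magic[:3]).decode("ascii")[:3]


def classify(raw_message: str, aggressive: bool = False) -> list:
    """Return the names of the rules that fire on a raw message with
    '\\n' line endings.  Only the body (after the first blank line) is
    scanned, which is what procmail's 'B' flag does."""
    sep_at = raw_message.find("\n\n")
    # Keep the separator's newline so a payload that opens the body still
    # follows a "blank line" as far as the regexes are concerned.
    body = raw_message[sep_at + 1:] if sep_at >= 0 else ""
    hits = []
    if RULE1_BASE64_EXE.search(body):
        hits.append("rule1-base64-exe")
    if RULE2_IFRAME_CID.search(body):
        hits.append("rule2-iframe-cid")
    if aggressive and RULE3_BASE64_GIF.search(body):
        hits.append("rule3-base64-gif")
    return hits


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample messages (not real captures).
SAMPLES = {
    # What the worm sends: an HTML part with a hidden iframe that refers to
    # the executable part by Content-ID, plus the base64 executable itself.
    "worm": "\n".join([
        'From: "Microsoft" <updates@example.invalid>',
        "Subject: Latest Net Security Upgrade",
        'Content-Type: multipart/related; boundary="b"',
        "",
        "--b",
        "Content-Type: text/html",
        "",
        '<html><body><iframe src="cid:patch.exe" height=0 width=0></iframe>',
        "</body></html>",
        "--b",
        'Content-Type: application/octet-stream; name="patch.exe"',
        "Content-Transfer-Encoding: base64",
        "Content-ID: <patch.exe>",
        "",
        _b64(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
        "--b--",
    ]),
    # A bounce for a forged-sender copy: the remote AV stripped the .EXE but
    # the HTML wrapper came back with the non-delivery report, and here the
    # 'iframe' and 'cid:' sit on different lines.
    "bounce": "\n".join([
        "From: Mail Delivery System <postmaster@example.invalid>",
        "Subject: Undeliverable Mail",
        "Content-Type: text/html",
        "",
        "<p>Your message could not be delivered; the attachment was removed.</p>",
        '<iframe height="0" width="0"',
        '        src="cid:upgrade.exe"></iframe>',
    ]),
    # A legitimate message with a GIF attached: only rule 3 would catch it.
    "gif": "\n".join([
        "From: Dave <dave@example.invalid>",
        "Subject: antenna photo",
        'Content-Type: image/gif; name="tower.gif"',
        "Content-Transfer-Encoding: base64",
        "",
        _b64(b"GIF89a\x10\x00\x10\x00\x80\x00\x00"),
    ]),
    "plain": "From: Dave <dave@example.invalid>\nSubject: 73\n\nFilters holding up?\n",
}

if __name__ == "__main__":
    print("TVq ==", base64_prefix(b"MZ\x90"), "  R0l ==", base64_prefix(b"GIF"))
    for name, msg in SAMPLES.items():
        print(f"{name:7s} normal={classify(msg)} aggressive={classify(msg, aggressive=True)}")
```

The "gif" sample is the false positive the post warns about: nothing fires until rule 3 is switched on. The same caveat applies to rule 1 for anyone who legitimately receives .EXE attachments, which is why a practitioner would route hits to a quarantine folder rather than straight to /dev/null until the rules have been watched for a while.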

September 23rd 03, 10:52 PM
Michael A. Terrell

wrote:
> "David Stinson" wrote in message ...
> > I'm having good success with filtering the SWEN worm garbage
> > using these filter terms (*letter case and phrases count*):
> >
> > Filtering for SUBJECT:
> > Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
> > User unknown, Returned to Mailer, Critical, failure,
> > Letter, Advice, Announcement, Message, Latest, Bug, Error,
> > Notice, Network, Security, Undelivered Mail, Status Notification,
> > Undeliverable.
> >
> > Filtering for SENDER:
> > Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
> > webservice, Message, Mail Delivery, webbot
> >
> > So far, it's nailing about 95% of the stuff.
> > Be sure to check trash before deleting it, since
> > I was catching one "good" user when I included "ms"
> > uncapitalized by mistake.
> >
> > Good luck weathering the storm,
> > Dave Stinson AB5S
>
> I just changed my e-mail address. Dave, what filter are you using?
> Earthlink does not allow that kind of filtering, as far as I can tell.

http://webmail.earthlink.net takes you to Earthlink's Webmail access.
Use your full e-mail address and password to log in, and set the
spamblocker to high. It will add a folder called Suspect Email, where
anything that isn't in your online address book will go. I just click
on it, and delete anything between 140 and 160 KB. I am still getting
over 200 an hour, but I am not wasting the time to download and delete
them. I just leave a page open to Earthlink's Webmail access while I am
online, and click on delete about every 5 to 10 minutes.
--
Michael A. Terrell
Central Florida

September 24th 03, 12:45 AM
Dee D. Flint

"Martin" wrote in message t...
> I started to kill the beast using filters, but there always seemed to be a
> couple of new ones needed for each new onslaught.
>
> I found that it was much less frustrating to use my Norton Antivirus which
> has an email option that automatically sends anything containing a virus in
> its definitions file (which was automatically updated to include swen)
> directly to the Deleted Items folder without human intervention. Then I
> check that folder when convenient before deleting everything with a click.
> So far it's worked 100%.
>
> Marty K1FHR

My problem is not the attachments. My ISP kills them but then I get a
message saying that the email has been cleaned so it's still a deluge of
emails.

Dee D. Flint, N8UZE
