Chuck
Tue Oct 21 10:14:08 CDT 2003
On Mon, 20 Oct 2003 17:50:38 -0700, "Matthew"
<anonymous@discussions.microsoft.com> wrote:
>I have been getting emails from microsoft corporation but
>they come every minute. I also get emails from
>administrator and return notices without even sending any
>emails. I keep deleting them but they keep coming. What
>can I do?

You can delete, or you can filter, but the email will never stop until
the sending computers, that are infected with Swen, are identified and
disinfected. You need to do your part, and report the infections.

I started reporting each Swen email two weeks ago, when I was getting
75 - 100 / day. This was a fscking nuisance, but I have gotten none
for the past few days. You need to report each infection as soon as
you can; each email you're getting is also going to somebody else who
may become infected and make the problem worse.

There is one and only one valid way to identify the ISP for the
infected computer, which requires that you examine the headers. Here
is an example:

####### Start Example #######
Return-Path: <gabriele.sgarzoni@tiscalinet.it>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
    by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id
    h95L6baQ017487
    for <xxxxxxxx@lds.xxxx.net>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
    by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
    for <xxxxxxxx@xxxx.net>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
    id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Date: Sun, 5 Oct 2003 23:01:27 +0200 (added by
    postmaster@mail-6.tiscali.it)
Message-ID: <3F79B1480042D178@mail-6.tiscali.it> (added by
    postmaster@mail-6.tiscali.it)
FROM: "Security Division" <wsuhigrormafj@ndezew.ms.com>
TO: "Commercial Customer" <customer_dzllfopr@ndezew.ms.com>
SUBJECT: Latest Network Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vjwtmhybcefqo"
X-Spam-Status: Yes, hits=5.9 required=5.0
    tests=ALL_CAPS_HEADER,MICROSOFT_EXECUTABLE,MIME_HTML_NO_CHARSET,
    MSG_ID_ADDED_BY_MTA,RCVD_IN_MULTIHOP_DSBL,
    RCVD_IN_UNCONFIRMED_DSBL,SPAM_PHRASE_00_01
    version=2.43
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)

Microsoft Customer
this is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities.
This update includes the functionality of all previously released
patches.
BLAH BLAH BLAH
####### End Example #######

The infected computer, in the example, is adqy (62.11.181.97).

10/6/2003 10:08:03 whois -h whois.ripe.net 62.11.181.97
remarks: | PLEASE CONTACT OUR ABUSE DIVISION (abuse@tiscali.it) |
remarks: | FOR ABUSE and-or SPAM COMPLAINTS. |

Send this complaint, with full headers, to abuse@tiscali.it.

There are any number of online whois lookup tools. I use All-NetTools
( http://www.all-nettools.com/tools1.htm ) and Broadband Reports
( http://www.dslreports.com/whois ).

Also, there are several tools which you can install. I use Sam Spade
( http://www.samspade.org/ssw/ ) and TESP ABouncer
( http://www.tesp.com/abounce/ ). Both contain whois and other tools,
and both help you format and send the complaint.

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
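
The header walk described in the post above, as an added example that is not part of the original post: it parses the Received chain from the post's sample and returns the hop to look up in whois. It goes one step beyond the post by checking that each hop was stamped by the host the hop above it received from, since Received lines below the first trusted server can be written by the sender; the last hop in SAMPLE, the regex, and the function names are constructed for this illustration.

```python
import re
from email import message_from_string

# Received chain from the post's example, plus one CONSTRUCTED forged hop at
# the bottom (mail.example.org / relay.example.net are not from the post).
SAMPLE = """\
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
    by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487
    for <xxxxxxxx@lds.xxxx.net>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
    by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
    for <xxxxxxxx@xxxx.net>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
    id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Received: from mail.example.org (192.0.2.55) by relay.example.net
    id CONSTRUCTED; Sun, 5 Oct 2003 22:58:00 +0200
Subject: Latest Network Security Pack

"""

# "from <helo> ([<rdns> ][<ip>]) by <host>" covers both styles in the sample.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?"
    r"\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return Received hops, newest first, as dicts: helo, rdns, ip, by."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def origin_hop(hops):
    """Walk down from your own server's stamp while the chain is consistent:
    the host that wrote hop N+1 ("by") must be the host hop N received from.
    The last consistent hop names the machine to report."""
    if not hops:
        return None
    last = hops[0]
    for upper, lower in zip(hops, hops[1:]):
        names = {upper["helo"].lower(), (upper["rdns"] or "").lower()}
        if lower["by"].lower() not in names:
            break  # nobody above vouches for this line; treat as forged
        last = lower
    return last

if __name__ == "__main__":
    hop = origin_hop(parse_hops(SAMPLE))
    print("look up in whois:", hop["ip"], "handed to", hop["by"])
```
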