The MS newsgroups are being harvested by hackers for
emails and then those addresses are being bombarded with
hundreds of Swen Virus attacks daily. I made the mistake
of using my real email address here and now my email bin
is filled daily with hundreds of virus attacks. Because
the virus morphs subject and from, it is almost impossible
to filter out. MS Security people - please do something
to stop addresses on your site from being harvested or
post a warning of the risks of using a real email
address.

Re: DO not use real address here by helper

helper
Tue Sep 23 21:00:45 CDT 2003

Although, not everyone posts through Web
to these groups. How would you warn all the others?

"Steve" <cantgive@noname.com> wrote in message
news:0ae801c3823d$98f95980$a401280a@phx.gbl...
> The MS newsgroups are being harvested by hackers for
> emails and then those addresses are being bombarded with
> hundreds of Swen Virus attacks daily. I made the mistake
> of using my real email address here and now my email bin
> is filled daily with hundreds of virus attacks. Because
> the virus morphs subject and from, it is almost impossible
> to filter out. MS Security people - please do something
> to stop addresses on your site from being harvested or
> post a warning of the risks of using a real email
> address.



Re: DO not use real address here by helper

helper
Tue Sep 23 21:00:11 CDT 2003


They can't stop email harvesting.

They can warn users.

"Steve" <cantgive@noname.com> wrote in message
news:0ae801c3823d$98f95980$a401280a@phx.gbl...
> The MS newsgroups are being harvested by hackers for
> emails and then those addresses are being bombarded with
> hundreds of Swen Virus attacks daily. I made the mistake
> of using my real email address here and now my email bin
> is filled daily with hundreds of virus attacks. Because
> the virus morphs subject and from, it is almost impossible
> to filter out. MS Security people - please do something
> to stop addresses on your site from being harvested or
> post a warning of the risks of using a real email
> address.



Re: DO not use real address here by Jason

Jason
Tue Sep 23 21:08:59 CDT 2003

* Steve <cantgive@noname.com>:
> The MS newsgroups are being harvested by hackers for
> emails and then those addresses are being bombarded with
> hundreds of Swen Virus attacks daily. I made the mistake
> of using my real email address here and now my email bin
> is filled daily with hundreds of virus attacks. Because
> the virus morphs subject and from, it is almost impossible
> to filter out. MS Security people - please do something
> to stop addresses on your site from being harvested or
> post a warning of the risks of using a real email
> address.

Steve, you should never use a real email address on Usenet, be it an MS
server or your local ISP's one. If you want to have your addy there so
folks can respond directly to you, either set up a dummy Hotmail etc. one
so that if it gets spammed to death it's no loss, or mung it up so that
the harvesters can't use it but a human can see what to remove.

Just basic common sense is all.

Jason

Re: DO not use real address here by N

N
Tue Sep 23 23:40:14 CDT 2003

In article <0ae801c3823d$98f95980$a401280a@phx.gbl>, cantgive@noname.com
says...
> The MS newsgroups are being harvested by hackers for
> emails and then those addresses are being bombarded with
> hundreds of Swen Virus attacks daily.

Wrong. The addresses used by Swen were not harvested directly from the news
groups by anybody.

> I made the mistake
> of using my real email address here and now my email bin
> is filled daily with hundreds of virus attacks.

Right. And my penchant for using disposable addresses for Usenet posts has
saved my ISP addresses from exposure.

> Because
> the virus morphs subject and from, it is almost impossible
> to filter out.

Wrong. There are some non-morphing components of the message body which
allow for body-filtering systems to nail the messages.

> MS Security people - please do something
> to stop addresses on your site from being harvested or
> post a warning of the risks of using a real email
> address.

While MS could take steps to prevent harvesting of addresses directly from
the news groups (news.grc.com does it, so does secnews.netscape.net), nobody
can prevent the Swen virus from harvesting posted addresses which are
locally available via the NNTP message store on the HDD of the infected
system. Your message is stored locally on most every computer whose user
downloaded it for a read, along with your address.

--
Norman
~I'll be there, by your side
~in the land of Twilight.
~In your dream I will go
~'till we find the Sunlight.

Re: DO not use real address here by Bill

Bill
Wed Sep 24 00:18:40 CDT 2003

"N. Miller" <koko@soko.invalid> wrote in message
news:MPG.19dac0061cde824b989744@msnews.microsoft.com...
>
> Wrong. The addresses used by Swen were not harvested directly from the news
> groups by anybody.
>
F-Secure disagrees:

In:
http://www.f-secure.com/v-descs/swen.shtml

they state:
--------------
The worm also can search for e-mail addresses in various newsgroups. It
connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all
newsgroups on that server and searches recent messages in these newsgroups
for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets
e-mail addresses after them and writes them to the GERMS0.DBV file. This way
the worm can harvest a lot of e-mail addresses to send itself to.

The worm can post its e-mails to newsgroups, the names of which it finds
during searching process. The worm sends the same kind of messages as it
sends via e-mail.

--------------
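A pre-posting check for the exposure discussed in this thread, as an added example that is not part of any poster's message or of the F-Secure write-up: it reads the two headers the quoted description says the worm searches (From: and Reply-To:) and reports whether each address is deliverable as written. The function names, the munging-marker list, the sample article and the `constructed-isp.net` domain are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Headers the quoted F-Secure description says the worm searches.
HARVESTED_HEADERS = ("From", "Reply-To")
# Reserved top-level domains (RFC 2606): mail to them can never be delivered.
RESERVED_TLDS = {"invalid", "example", "test", "localhost"}
# Markers a human is expected to strip by hand (assumed list, not exhaustive).
MUNGE_MARKERS = re.compile(r"nospam|no[-_.]spam|remove|delete|spamtrap", re.I)

# Constructed sample article; the From address is the .invalid one seen above.
SAMPLE_ARTICLE = (
    'From: "N. Miller" <koko@soko.invalid>\n'
    "Reply-To: jane.doe@users.constructed-isp.net\n"
    "Newsgroups: constructed.test.group\n"
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)

def classify(address):
    """Return 'undeliverable', 'munged' or 'exposed' for one address."""
    local, _, domain = address.rpartition("@")
    if not local or "." not in domain:
        return "undeliverable"      # nothing a mailer could route
    if domain.rsplit(".", 1)[-1].lower() in RESERVED_TLDS:
        return "undeliverable"      # e.g. user@host.invalid
    if MUNGE_MARKERS.search(address):
        return "munged"             # needs a manual edit before it works
    return "exposed"                # usable exactly as posted

def audit_post(raw_article):
    """List (header, address, verdict) for every harvestable header."""
    msg = message_from_string(raw_article)
    findings = []
    for header in HARVESTED_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                findings.append((header, addr, classify(addr)))
    return findings

if __name__ == "__main__":
    for header, addr, verdict in audit_post(SAMPLE_ARTICLE):
        print(f"{header}: {addr} -> {verdict}")
```

A safe From: line does not help if Reply-To: still carries a working address, which is why both headers are checked.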





Re: DO not use real address here by Moe

Moe
Wed Sep 24 00:28:42 CDT 2003

No wonder I am getting bombarded with this damn virus hoax email.

"Steve" <cantgive@noname.com> wrote in message
news:0ae801c3823d$98f95980$a401280a@phx.gbl...
> The MS newsgroups are being harvested by hackers for
> emails and then those addresses are being bombarded with
> hundreds of Swen Virus attacks daily. I made the mistake
> of using my real email address here and now my email bin
> is filled daily with hundreds of virus attacks. Because
> the virus morphs subject and from, it is almost impossible
> to filter out. MS Security people - please do something
> to stop addresses on your site from being harvested or
> post a warning of the risks of using a real email
> address.



Re: DO not use real address here by YoKenny

YoKenny
Wed Sep 24 01:01:21 CDT 2003

helper wrote:
> Although, not everyone posts through Web
> to these groups. How would you warn all the others?

They don't read the *** READ THIS BEFORE POSTING entry so maybe forcing them
to read at least 20 pages with Expand all on. Expand all should be
enabled by default IMHO.

> "Steve" <cantgive@noname.com> wrote in message
> news:0ae801c3823d$98f95980$a401280a@phx.gbl...
>> The MS newsgroups are being harvested by hackers for
>> emails and then those addresses are being bombarded with
>> hundreds of Swen Virus attacks daily. I made the mistake
>> of using my real email address here and now my email bin
>> is filled daily with hundreds of virus attacks. Because
>> the virus morphs subject and from, it is almost impossible
>> to filter out. MS Security people - please do something
>> to stop addresses on your site from being harvested or
>> post a warning of the risks of using a real email
>> address.



Re: DO not use real address here by N

N
Wed Sep 24 17:06:01 CDT 2003

In article <#EWkTtlgDHA.2188@TK2MSFTNGP10.phx.gbl>,
Bill_Sanderson@msn.com.plugh.org says...
> F-Secure disagrees:

Yes, I just found that out. I had not seen the F-Secure site write up, and
the write ups I did see did not mention that aspect of the worm.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Re: DO not use real address here by Bill

Bill
Wed Sep 24 21:32:57 CDT 2003

I've only seen this info in one other analysis--and that one was in Spanish.

However, it agrees fully with the experience of many in this group as
evidenced in both the posts from the virus, and the experience of users that
they got swen mail only to accounts used for posting to newsgroups.

"N. Miller" <koko@soko.invalid> wrote in message
news:MPG.19dbb527cb69190c98974a@msnews.microsoft.com...
> In article <#EWkTtlgDHA.2188@TK2MSFTNGP10.phx.gbl>,
> Bill_Sanderson@msn.com.plugh.org says...
> > F-Secure disagrees:
>
> Yes, I just found that out. I had not seen the F-Secure site write up, and
> the write ups I did see did not mention that aspect of the worm.
>
> --
> Norman
> ~Win dain a lotica, En vai tu ri, Si lo ta
> ~Fin dein a loluca, En dragu a sei lain
> ~Vi fa-ru les shutai am, En riga-lint