comp.lang.ada
From: Preben Randhol <randhol+abuse@pvv.org>
Subject: Re: Current "Swen" worm attack - a tip
Date: Tue, 23 Sep 2003 07:33:49 +0000 (UTC)
Message-ID: <slrnbmvtqt.gu.randhol+abuse@kiuk0152.chembio.ntnu.no>
In-Reply-To: Uc2cnZUs_-UVXPKiU-KYjA@gbronline.com

On 2003-09-23, Wes Groleau <groleau@freeshell.org> wrote:
> Stephane Richard wrote:
>> in my case (100 of them per hour)....all ranging from "undeliverable
>> message", to "Security updates", to whatever else there could be...."Report
>> from Admin", "Letter", you name it...all different Fromline to Subject
>> lines it put my regular email over quota quite fast ... which is why I posted
>
> I did detect a simple pattern: in the subject header,
> the word SUBJECT is like that--all caps.

No, but the exe files included are mainly the same. I think there are 3
different exe files so just take one line from the base64 encoding and
delete any mail containing it. Of course there is a slight risk
that another e-mail could have an attachment that could give the same
line, but it is not very likely.

> Once I noticed that it was a simple matter to filter
> them out.

I have found that the Bayesian filtering is very good when you have
taught it what is spam and what is not. It takes a bit of effort in the
beginning, but now I get about 40-50 spams a day and I have some 5-7
mailing lists and it filters all for me into correct folders. Sometimes a
spam ends in the wrong place, but then it is simple (for me) to press a
key and it is relearnt as spam and moved into that folder.

I have heard talk that the naive Bayesian statistical methods used could
be improved and other statistical methods might do better, however there
has not been an implementation yet. So if anybody here knows statistics
it is a nice chance to make a killer spam filter :-)

Preben
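
The "one line from the base64 encoding" filter described in the message above, as an added example that is not part of the original post. It goes one step further than the post by also matching the decoded bytes, since a literal line comparison misses the same attachment when a mailer wraps base64 at a different column. `SAMPLE_EXE`, the addresses and all function names are constructed for illustration.

```python
import base64
import email
from email import policy

# Constructed stand-in for one worm attachment (not real Swen bytes).
SAMPLE_EXE = b"MZ" + bytes(range(256)) * 2
# "Take one line from the base64 encoding": second line of the 76-column form.
SIG_LINES = {base64.b64encode(SAMPLE_EXE).decode("ascii")[76:152]}


def build_mail(attachment, width):
    """Build a constructed single-part message, base64 wrapped at `width`."""
    b64 = base64.b64encode(attachment).decode("ascii")
    body = "\r\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    head = ("From: sender@example.invalid\r\nSubject: constructed sample\r\n"
            "MIME-Version: 1.0\r\nContent-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n")
    return (head + body + "\r\n").encode("ascii")


def line_match(raw, sig_lines):
    """Literal check from the post: does any raw line equal a known line?"""
    text = raw.decode("ascii", "replace")
    return any(line.strip() in sig_lines for line in text.splitlines())


def decoded_match(raw, sig_lines):
    """Same signature, compared against decoded attachment bytes instead."""
    sigs = [base64.b64decode(s) for s in sig_lines]  # 76 chars -> 57 bytes
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if any(sig in payload for sig in sigs):
            return True
    return False


if __name__ == "__main__":
    for name, mail in [("76-col", build_mail(SAMPLE_EXE, 76)),
                       ("60-col", build_mail(SAMPLE_EXE, 60)),
                       ("benign", build_mail(b"quarterly report\n" * 20, 76))]:
        print(name, line_match(mail, SIG_LINES), decoded_match(mail, SIG_LINES))
```

A 57-byte signature keeps the accidental-collision risk mentioned in the post small; a shorter line fragment raises it.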


