comp.lang.ada
* Current "Swen" worm attack
@ 2003-09-22  3:05 Alexander Kopilovitch
  2003-09-22 10:27 ` Stephane Richard
  0 siblings, 1 reply; 31+ messages in thread
From: Alexander Kopilovitch @ 2003-09-22  3:05 UTC (permalink / raw)


sk wrote (I got that by gateway digest, but strangely enough, couldn't find it
in comp.lang.ada via Google and another news-server, so I reply in a separate
message):

>The last 4 days have given me 13 attempted "swen" attacks ...

You are very lucky - just 13!  I got several hundred of them in the last 3 days,
and they still continue to arrive. I never before experienced an attack of
comparable volume, and I still can't guess why I became such a prominent target
now (all my friends, both here and in the USA, did not see anything unusual in
their traffic these days).

>Most seem to have, somewhere in the headers, some relation
>to the cla mailing list ("ada-bouncer" in the "Received: "
>fields or "List-Id: comp.lang.ada" in the header).

I did not look (quite naturally -;) into all those viruses I received these
days, but several that I explored had relevance neither to c.l.a. nor to the
people visible in c.l.a. Generally, the population of senders of those viruses
seems (by their real addresses) quite respectable - they have well-known mail
providers (no hotmail, yahoo or other free public mail servers), and they often
have names looking like a normal person's name... One virus even came from the
domain cira.premier-ministre.gouv.fr -;)

Among those (several hundred) viruses only one seems somehow interesting (all
others that I explored look like quite common messages, although with forged
"From:" fields). Here are its headers:

---------------------------------------------------------------------------
From hqlgu!microsoft.com!rmailroutine Sun Sep 21 05:26:10 2003
Received: by vib.usr.pu.ru (UUPC/@ v7.00, 07Jan97) with UUCP
          id AA01553; Sun, 21 Sep 2003 05:26:10 +0400 (MSD)
Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
	by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id TAA09858
	for <aek@vib.usr.pu.ru>; Sat, 20 Sep 2003 19:56:38 GMT
Received: from asteroids.cybercomm.nl (arkanoid.scarlet-internet.nl
[213.204.195.164])
	by becha.pu.ru (8.12.8p1/8.12.8) with SMTP id h8KKITbI047393
	for <aek@vib.usr.pu.ru>; Sun, 21 Sep 2003 00:18:29 +0400 (MSD)
	(envelope-from rmailroutine@microsoft.com)
Date: Sun, 21 Sep 2003 00:18:29 +0400 (MSD)
Message-Id: <200309202018.h8KKITbI047393@becha.pu.ru>
Received: (qmail-ldap/ctrl 12094 invoked from network); 20 Sep 2003
19:56:22 -0000
Received: from unknown (HELO ?192.168.0.2?) ([213.196.18.100])
(envelope-sender

<rmailroutine@microsoft.com>)
          by cybercomm.vsp.scarlet-internet.nl (qmail-ldap-1.03) with
SMTP
          for <tojo@hotmail.com>; 20 Sep 2003 19:56:22 -0000
Received: from FQCZQLUG by [192.168.0.2]
     with SMTP (QuickMail Pro Server for Mac 2.1); 20-Sep-2003
21:39:21 +0200
FROM: "" <rmailroutine@microsoft.com>
TO: "Email Receiver" <user@smtpserver.com>
SUBJECT: Undeliverable Mail: User unknown
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="zdowicnvoammd"
Lines: 1891
Status: R
---------------------------------------------------------------------------

As you can see from the headers, the mail was initially sent to the address
tojo@hotmail.com (I don't know what it really is), but then something strange
happened - "qmail-ldap/ctrl" - and the message was forwarded to me.



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia




* Re: Current "Swen" worm attack
  2003-09-22  3:05 Current "Swen" worm attack Alexander Kopilovitch
@ 2003-09-22 10:27 ` Stephane Richard
  2003-09-22 11:45   ` chris
                     ` (2 more replies)
  0 siblings, 3 replies; 31+ messages in thread
From: Stephane Richard @ 2003-09-22 10:27 UTC (permalink / raw)



in my case (100 of them per hour)....all ranging from "undeliverable
message", to "Security updates", to whatever else there could be...."Report
from Admin", "Letter", you name it...all different, From line to Subject
line. It put my regular email over quota quite fast ... which is why I posted
my change of email for my http://www.adaworld.com website.

To me a mind (hacker's mind that is) that seems to be limited to the fact
that they "think" they gain power by attempting to destroy others' systems
and servers is nothing more than a "VERY primitive mind indeed".  Don't know
what they are trying to prove, and to whom, but they only prove their
stupidity and ignorance to me, nothing else.

-- 
Stéphane Richard
Http://www.adaworld.com webmaster


"Alexander Kopilovitch" <aek@vib.usr.pu.ru> wrote in message
news:e2e5731a.0309211905.2a77a257@posting.google.com...
> sk wrote (I got that by gateway digest, but strangely enough, couldn't find it
> in comp.lang.ada via Google and another news-server, so I reply in a separate
> message):
>
> >The last 4 days have given me 13 attempted "swen" attacks ...
>
> You are very lucky - just 13!  I got several hundred of them in the last 3 days,
> and they still continue to arrive. I never before experienced an attack of
> comparable volume, and I still can't guess why I became such a prominent target
> now (all my friends, both here and in the USA, did not see anything unusual in
> their traffic these days).
>
> >Most seem to have, somewhere in the headers, some relation
> >to the cla mailing list ("ada-bouncer" in the "Received: "
> >fields or "List-Id: comp.lang.ada" in the header).
>
> I did not look (quite naturally -;) into all those viruses I received these
> days, but several that I explored had relevance neither to c.l.a. nor to the
> people visible in c.l.a. Generally, the population of senders of those viruses
> seems (by their real addresses) quite respectable - they have well-known mail
> providers (no hotmail, yahoo or other free public mail servers), and they often
> have names looking like a normal person's name... One virus even came from the
> domain cira.premier-ministre.gouv.fr -;)
>
> Among those (several hundred) viruses only one seems somehow interesting (all
> others that I explored look like quite common messages, although with forged
> "From:" fields). Here are its headers:
>
> ---------------------------------------------------------------------------
> From hqlgu!microsoft.com!rmailroutine Sun Sep 21 05:26:10 2003
> Received: by vib.usr.pu.ru (UUPC/@ v7.00, 07Jan97) with UUCP
>           id AA01553; Sun, 21 Sep 2003 05:26:10 +0400 (MSD)
> Received: from becha.pu.ru (tx0.becha.pu.ru [194.58.104.214])
> by wg.pu.ru (8.9.1a/8.9.1) with ESMTP id TAA09858
> for <aek@vib.usr.pu.ru>; Sat, 20 Sep 2003 19:56:38 GMT
> Received: from asteroids.cybercomm.nl (arkanoid.scarlet-internet.nl
> [213.204.195.164])
> by becha.pu.ru (8.12.8p1/8.12.8) with SMTP id h8KKITbI047393
> for <aek@vib.usr.pu.ru>; Sun, 21 Sep 2003 00:18:29 +0400 (MSD)
> (envelope-from rmailroutine@microsoft.com)
> Date: Sun, 21 Sep 2003 00:18:29 +0400 (MSD)
> Message-Id: <200309202018.h8KKITbI047393@becha.pu.ru>
> Received: (qmail-ldap/ctrl 12094 invoked from network); 20 Sep 2003
> 19:56:22 -0000
> Received: from unknown (HELO ?192.168.0.2?) ([213.196.18.100])
> (envelope-sender
>
> <rmailroutine@microsoft.com>)
>           by cybercomm.vsp.scarlet-internet.nl (qmail-ldap-1.03) with
> SMTP
>           for <tojo@hotmail.com>; 20 Sep 2003 19:56:22 -0000
> Received: from FQCZQLUG by [192.168.0.2]
>      with SMTP (QuickMail Pro Server for Mac 2.1); 20-Sep-2003
> 21:39:21 +0200
> FROM: "" <rmailroutine@microsoft.com>
> TO: "Email Receiver" <user@smtpserver.com>
> SUBJECT: Undeliverable Mail: User unknown
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="zdowicnvoammd"
> Lines: 1891
> Status: R
> ---------------------------------------------------------------------------
>
> As you can see from the headers, the mail was initially sent to the address
> tojo@hotmail.com (I don't know what it really is), but then something strange
> happened - "qmail-ldap/ctrl" - and the message was forwarded to me.
>
>
>
> Alexander Kopilovitch                      aek@vib.usr.pu.ru
> Saint-Petersburg
> Russia






* Re: Current "Swen" worm attack
  2003-09-22 10:27 ` Stephane Richard
@ 2003-09-22 11:45   ` chris
  2003-09-23  3:49     ` Wes Groleau
  2003-09-22 11:49   ` Preben Randhol
  2003-09-23  3:44   ` Current "Swen" worm attack - a tip Wes Groleau
  2 siblings, 1 reply; 31+ messages in thread
From: chris @ 2003-09-22 11:45 UTC (permalink / raw)


Stephane Richard wrote:
> in my case (100 of them per hour)....

:(

It's a common story, though I've been lucky and have only received 7
copies.  Reports say spam will be helped by the verisign fiasco, though
I'm not sure why.  I wonder if it will help worms like this spread?
Wonder how many copies verisign have received? ;)

 > all ranging from "undeliverable
> message", to "Security updates", to whatever else there could be...."Report
> from Admin", "Letter", you name it...all different Fromline to Subject
> linesit put my regular email over quota quite fast ... which is why I posted
> my change of email for my http://www.adaworld.com website.

Did you change it and not post it anywhere directly?  Spammers will
harvest it and it'll get spammed.  You might end up with the same
problem again if people start using that address.  I find using a big
email address that's easy to remember attracts no spam, so long as you
keep it safe (in an image for example)...  something like

bobisamartianandlivesonmars@hotmail.com

It isn't so easy to guess and is probably not worth their bother.
Doesn't help with worms though; once the address goes into someone's
Outlook address book you're getting it and nothing can stop it. :(

> To me a mind (hacker's mind that is) that seems to be limited to the fact
> that they "think" they gain power by attempting to destroy other's systems
> and server is nothing more than a "VERY primitive mind indeed".  Dont know
> what they are trying to prove, and to whom, but they only prove their
> stupidity and ignorance to me, nothing else.

It is human nature, unfortunately.  It's like people who pursue money 
for power whatever the cost.  Just be content not to be like them.





* Re: Current "Swen" worm attack
  2003-09-22 10:27 ` Stephane Richard
  2003-09-22 11:45   ` chris
@ 2003-09-22 11:49   ` Preben Randhol
  2003-09-22 21:42     ` Randy Brukardt
  2003-09-23  0:39     ` Alexander Kopilovitch
  2003-09-23  3:44   ` Current "Swen" worm attack - a tip Wes Groleau
  2 siblings, 2 replies; 31+ messages in thread
From: Preben Randhol @ 2003-09-22 11:49 UTC (permalink / raw)


On 2003-09-22, Stephane Richard <stephane.richard@verizon.net> wrote:
> To me a mind (hacker's mind that is) that seems to be limited to the fact
> that they "think" they gain power by attempting to destroy other's systems
> and server is nothing more than a "VERY primitive mind indeed".  Dont know
> what they are trying to prove, and to whom, but they only prove their
> stupidity and ignorance to me, nothing else.

Note that the worm grabs e-mail addresses from USENET groups such as this
group. I got 3 copies of each virus as it had managed to find three
addresses from the news groups. However I managed to put a stop to it by
grepping (at the ISP) for patterns in the base64 encoding of the exe files
and sending the mails containing them into /dev/null.

First day I got about 200-300 Mb of this virus.

Preben




* Re: Current "Swen" worm attack
  2003-09-22 11:49   ` Preben Randhol
@ 2003-09-22 21:42     ` Randy Brukardt
  2003-09-23  7:10       ` Preben Randhol
  2003-09-23  7:35       ` Vinzent Hoefler
  2003-09-23  0:39     ` Alexander Kopilovitch
  1 sibling, 2 replies; 31+ messages in thread
From: Randy Brukardt @ 2003-09-22 21:42 UTC (permalink / raw)


Preben Randhol wrote:
> Note that the worm grabs e-mail addresses from USENET groups such as this
> group. I got 3 copies of each virus as it had managed to find three
> addresses from the news groups. However I managed to put a stop to it by
> grepping (at the ISP) for patterns in the base64 encoding of the exe files
> and sending the mails containing them into /dev/null.
>
> First day I got about 200-300 Mb of this virus.

Glad to hear that others are getting it worse. I've "only" gotten about 100
MB of it so far (about 1200 copies). The problem actually has been helped by
the fact that my antivirus (even though completely up to date) doesn't catch
all of them. That has let me use my spam filter to automatically delete them
rather than fill up the mail server's disk with quarantines.

But a couple more attacks and we're all going back to paper and pencil...

                     Randy.








* Re: Current "Swen" worm attack
  2003-09-22 11:49   ` Preben Randhol
  2003-09-22 21:42     ` Randy Brukardt
@ 2003-09-23  0:39     ` Alexander Kopilovitch
  2003-09-23  4:11       ` David Marceau
       [not found]       ` <3F6FA78D.3070708@myob.com>
  1 sibling, 2 replies; 31+ messages in thread
From: Alexander Kopilovitch @ 2003-09-23  0:39 UTC (permalink / raw)


Preben Randhol wrote:

> Note that the worm grabs e-mail addresses from USENET groups such as this
> group.

Yes, today I received one unusual result of this virus's action - the virus at last
reached central Russia (specifically, Nizhnij Novgorod) and here, on non-friendly
territory, it somehow loses control -:) . So, inside that message I received the
full list of addresses to which the virus attempted to send messages that time.
The first half of this list was very familiar to me - all addresses there were
well-known correspondents to comp.lang.ada (including you and me). The second
half of the list was of quite another nature... I don't know anyone of those
addresses, except the name in the last address - it was the full name of a famous
(in the past) German football player (and now senior football official) -:) .

> I got 3 copies of each virus as it had managed to find three
> addresses from the news groups.

I'm getting only 2 copies of each virus.

> However I managed to put a stop to it by
> grepping (at the ISP) for a patterns in the base64 encoding of the exe files
> and sending the mails containing them into /dev/null.

Well, you are lucky in that you are permitted to do things at your ISP -;)
Interesting, how much time will pass until the persons responsible for general
Internet security identify and shut down the websites that spread the infection?
 
> First day I got about 200-300 Mb of this virus.

I think I got about 80-90 Mb for now (that is, for 4 days).


 
Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia




* Re: Current "Swen" worm attack - a tip
  2003-09-22 10:27 ` Stephane Richard
  2003-09-22 11:45   ` chris
  2003-09-22 11:49   ` Preben Randhol
@ 2003-09-23  3:44   ` Wes Groleau
  2003-09-23  7:33     ` Preben Randhol
  2 siblings, 1 reply; 31+ messages in thread
From: Wes Groleau @ 2003-09-23  3:44 UTC (permalink / raw)


Stephane Richard wrote:
> in my case (100 of them per hour)....all ranging from "undeliverable
> message", to "Security updates", to whatever else there could be...."Report
> from Admin", "Letter", you name it...all different Fromline to Subject
> linesit put my regular email over quota quite fast ... which is why I posted

I did detect a simple pattern: in the subject header,
the word SUBJECT is like that--all caps.

Once I noticed that it was a simple matter to filter
them out.

-- 
Wes Groleau
   ----
   The man who reads nothing at all is better educated
   than the man who reads nothing but newspapers.
                             -- Thomas Jefferson





* Re: Current "Swen" worm attack
  2003-09-22 11:45   ` chris
@ 2003-09-23  3:49     ` Wes Groleau
  0 siblings, 0 replies; 31+ messages in thread
From: Wes Groleau @ 2003-09-23  3:49 UTC (permalink / raw)


chris wrote:
> copies.  Reports say spam will be helped by the verisign fiasco, though 
> I'm not sure why.  I wonder if it will help worms like this spread? 

There are folks who reject mail connections
with bogus domain names.  Since, thanks to Verisign,
ALL strings that end in .com reverse DNS to
an IP address, a lot fewer spams will be rejected
by sites that use that filtering method.

By the way, Verisign is STILL doing that!

-- 
Wes Groleau
Heroes, Heritage, and History
http://freepages.genealogy.rootsweb.com/~wgroleau/





* Re: Current "Swen" worm attack
  2003-09-23  0:39     ` Alexander Kopilovitch
@ 2003-09-23  4:11       ` David Marceau
  2003-09-23 11:08         ` Jeff C,
                           ` (2 more replies)
       [not found]       ` <3F6FA78D.3070708@myob.com>
  1 sibling, 3 replies; 31+ messages in thread
From: David Marceau @ 2003-09-23  4:11 UTC (permalink / raw)


I got around 200 spam in the last two days and my mailbox at the isp hit
the maximum capacity and started rejecting good emails.  
This is the biggest spam-tsunami I have experienced.

If I had a $$$static ip/hostname/mail server at home, I would preferably
do the server-side filtering myself through the open source spam
filtering tools that already exist.  As it stands, I am presently forced
to configure a spam-filter plug-in into my mail client.

Spam-removal plug-ins for mail clients and server-side spam-removal
services will certainly have their demand increase.
Since it seems there isn't enough spam filtering being done out there
with the other developer languages at the mail server (both send & receive)
end of things, maybe an Ada eager-beaver would like to jump on an
opportunity to increase the Ada95 exposure through Ada-based mail
applications and show them how it should be done.

Cheers,
David Marceau




* Re: Current "Swen" worm attack
  2003-09-22 21:42     ` Randy Brukardt
@ 2003-09-23  7:10       ` Preben Randhol
  2003-09-23  7:35       ` Vinzent Hoefler
  1 sibling, 0 replies; 31+ messages in thread
From: Preben Randhol @ 2003-09-23  7:10 UTC (permalink / raw)


On 2003-09-22, Randy Brukardt <randy@rrsoftware.com> wrote:
> But a couple more attacks and we're all going back to paper and pencil...

Not for me. Linux is my paper and pencil ;-)

Preben




* Re: Current "Swen" worm attack - a tip
  2003-09-23  3:44   ` Current "Swen" worm attack - a tip Wes Groleau
@ 2003-09-23  7:33     ` Preben Randhol
  2003-09-23 17:44       ` Jeffrey Carter
  0 siblings, 1 reply; 31+ messages in thread
From: Preben Randhol @ 2003-09-23  7:33 UTC (permalink / raw)


On 2003-09-23, Wes Groleau <groleau@freeshell.org> wrote:
> Stephane Richard wrote:
>> in my case (100 of them per hour)....all ranging from "undeliverable
>> message", to "Security updates", to whatever else there could be...."Report
>> from Admin", "Letter", you name it...all different Fromline to Subject
>> linesit put my regular email over quota quite fast ... which is why I posted
>
> I did detect a simple pattern: in the subject header,
> the word SUBJECT is like that--all caps.

No, but the exe files included are mainly the same. I think there are 3
different exe files so just take one line from the base64 encoding and
delete any mail containing it. Of course there is a slight risk
that another e-mail could have an attachment that could give the same
line, but it is not very likely.

> Once I noticed that it was a simple matter to filter
> them out.

I have found that the Bayesian filtering is very good when you have
taught it what is spam and what is not. It takes a bit of effort in the
beginning, but now I get about 40-50 spams a day and I have some 5-7
mailing lists and it filters all for me into correct folders. Sometimes a
spam ends up in the wrong place, but then it is simple (for me) to press a
key and it is relearnt as spam and moved into that folder.

I have heard talk that the naive Bayesian statistical methods used could
be improved and other statistical methods might do better, however there
has not been an implementation yet. So if anybody here knows statistics
it is a nice chance to make a killer spam filter :-)

Preben
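The line-fingerprint filter Preben describes here and in his earlier post (take one base64 line of the worm's exe and drop any mail containing it), as an added example that is not code from the thread: it walks the MIME parts with Python's email package, compares every base64 line of each attachment against a set of fingerprint lines, and shows why the first line is the wrong one to pick. The messages and "executables" are constructed stand-ins, not worm samples, and the addresses are placeholders.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default


def base64_lines(raw_message):
    """Yield the raw base64 text lines of every base64-encoded MIME leaf part."""
    msg = message_from_bytes(raw_message, policy=default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":
            continue
        for line in part.get_payload(decode=False).splitlines():
            line = line.strip()
            if line:
                yield line


def pick_fingerprint(raw_sample, index=8):
    """Take one base64 line from a captured worm copy to use as its signature.

    index 0 is the wrong choice: every PE executable starts with the same DOS
    stub, so the first 57 bytes (one 76-character base64 line) are shared with
    harmless .exe attachments. A line well inside the file is specific to it.
    """
    lines = list(base64_lines(raw_sample))
    if index >= len(lines):
        raise ValueError("attachment too short for line index %d" % index)
    return lines[index]


def matches(raw_message, fingerprints):
    """True if any base64 line of the message is in the fingerprint set."""
    return any(line in fingerprints for line in base64_lines(raw_message))


def build_message(subject, attachment, filename):
    """Constructed MIME message carrying a base64 attachment (a stand-in)."""
    msg = EmailMessage()
    msg["From"] = '"" <rmailroutine@microsoft.com>'
    msg["To"] = "aek@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Undeliverable Mail: User unknown\n")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed "executables": a PE-style 60-byte DOS header, then different bodies.
DOS_HEADER = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
              b"\xb8" + b"\x00" * 7 + b"@" + b"\x00" * 35)
WORM_EXE = DOS_HEADER + bytes((i * 7 + 3) % 256 for i in range(1500))
OTHER_EXE = DOS_HEADER + bytes((i * 11 + 5) % 256 for i in range(1500))


def demo():
    """Returns (second copy caught, unrelated exe left alone, first lines identical)."""
    captured = build_message("Undeliverable Mail: User unknown", WORM_EXE, "message.exe")
    signatures = {pick_fingerprint(captured)}
    another_copy = build_message("Security Patch", WORM_EXE, "update.exe")
    unrelated = build_message("Re: GNAT question", OTHER_EXE, "tool.exe")
    first_worm = next(base64_lines(captured))
    first_other = next(base64_lines(unrelated))
    return (matches(another_copy, signatures),
            matches(unrelated, signatures),
            first_worm == first_other)
```

The third value in demo() is True: the two unrelated binaries share their first base64 line, which is the "slight risk" Preben mentions made concrete.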




* Re: Current "Swen" worm attack
  2003-09-22 21:42     ` Randy Brukardt
  2003-09-23  7:10       ` Preben Randhol
@ 2003-09-23  7:35       ` Vinzent Hoefler
  1 sibling, 0 replies; 31+ messages in thread
From: Vinzent Hoefler @ 2003-09-23  7:35 UTC (permalink / raw)


Randy Brukardt wrote:

>But a couple more attacks and we're all going back to paper and pencil...

Back? It's my main debugger. :-)


Vinzent.




* Re: Current "Swen" worm attack
  2003-09-23  4:11       ` David Marceau
@ 2003-09-23 11:08         ` Jeff C,
  2003-09-23 15:41           ` Ludovic Brenta
  2003-09-23 18:47         ` Randy Brukardt
  2003-09-23 20:56         ` Berend de Boer
  2 siblings, 1 reply; 31+ messages in thread
From: Jeff C, @ 2003-09-23 11:08 UTC (permalink / raw)



"David Marceau" <davidmarceau@sympatico.ca> wrote in message
news:3F6FC7D4.3949160D@sympatico.ca...
> I got around 200 spam in the last two days and my mailbox at the isp hit
> the maximum capacity and started rejecting good emails.
> This is the biggest spam-tsunami I have experienced.
>
> If I had a $$$static ip/hostname/mail server at home, I would preferably
> do the server-side filtering myself through the open source spam
> filtering tools that already exist.  As it stands, I am presently forced
> to configure a spam-filter plug-in into my mail client.

Another solution (the one I just implemented) is to set up a linux box with
a combination of fetchmail (to go download messages from your ISP popmailbox
at a fixed periodic rate) and IMAP (linux side POP3 mail server).

Then just continue using whatever you are using to check your mail but have
it point to the Linux pop box.. This way, you don't need a static connection
but you keep your ISP POP mailbox from filling up..The other reason this
approach is nice is that it does not require you to open any additional (or
any at all) incoming ports on your firewall since you are still using "pull"
to get your mail.

I completed the above steps last night.

Tonight I hope to add some filtering on the Linux side so I can also stop
seeing these messages...but at least I can get regular email again.







* Re: Current "Swen" worm attack
  2003-09-23 11:08         ` Jeff C,
@ 2003-09-23 15:41           ` Ludovic Brenta
  2003-09-24  1:14             ` Jeff C,
  2003-09-24  8:20             ` Martin Krischik
  0 siblings, 2 replies; 31+ messages in thread
From: Ludovic Brenta @ 2003-09-23 15:41 UTC (permalink / raw)


"Jeff C," <nolongersafeto@userealemailsniff.com> writes:

> "David Marceau" <davidmarceau@sympatico.ca> wrote in message
> news:3F6FC7D4.3949160D@sympatico.ca...
> > I got around 200 spam in the last two days and my mailbox at the isp hit
> > the maximum capacity and started rejecting good emails.
> > This is the biggest spam-tsunami I have experienced.
> >
> > If I had a $$$static ip/hostname/mail server at home, I would preferably
> > do the server-side filtering myself through the open source spam
> > filtering tools that already exist.  As it stands, I am presently forced
> > to configure a spam-filter plug-in into my mail client.
> 
> Another solution (the one I just implemented) is to set up a linux
> box with a combination of fetchmail (to go download messages from
> your ISP popmailbox at a fixed periodic rate) and IMAP (linux side
> POP3 mail server).
> 
> Then just continue using whatever you are using to check your mail
> but have it point to the Linux pop box.. This way, you don't need a
> static connection but you keep your ISP POP mailbox from filling
> up..The other reason this approach is nice is that it does not
> require you to open any additional (or any at all) incoming ports on
> your firewall since you are still using "pull" to get your mail.
> 
> I completed the above steps last night.
> 
> Tonight I hope to add some filtering on the Linux side so I can also
> stop seeing these messages...but at least I can get regular email
> again.

I have an additional requirement.  Not only do I want to prevent my
mailbox from filling up, but I also do not want to download all of
these emails, because with the sheer volume I'm getting (about 200
spams a day), I'd blow up my download quota.  This means I do not want
to do the filtering on the client (which I was doing in gnus), but I
want to do it on the server before my client downloads the emails.

So, today, I wrote an Ada program that does all that.  It's about 550
SLOC in Ada, and uses libspopc to do the POP3 client stuff (and yes, I
wrote a thick binding to it).  I also used a couple of generic
containers from Charles.

My solution uses POP3 to download just the headers of all mails, and
delete those that match a set of regular expressions.  These regexes
come directly from my ~/.emacs file, so that the server-side filtering
uses the same rules as the client-side one.

I ran it today and it deleted about 200 spams that had accumulated
over 14 hours.  Now I will never even have to download their contents
:)

I'm planning to run this jewel of a little program in a cron job every
2 minutes or so.  BTW, here are a few regexps that get most of these
spams for me:

(setq nnmail-split-methods 
        ;; Lots of filtering and shuffling about...
	("misc.spam" "antiv@univ-lyon1.fr")
	("misc.spam" "^From: $")
	("misc.spam" "From: Service .*")
	("misc.spam" "From: \"?Admin\"?|admin")
	("misc.spam" "From: administrator")
	("misc.spam" "From:.*Delivery.*")
	("misc.spam" "From:.*Internet Security.*")
	("misc.spam" "From: MS ")
	("misc.spam" "From: ms net message system")
	("misc.spam" "From: (M|m)icrosoft.*")
	("misc.spam" "From: Email System")
	("misc.spam" "From: inet storage service")
	("misc.spam" "From: (Inet|Internet) (Email |Mail )?Storage System")
	("misc.spam" "From: \"Network Mail System\"")
	("misc.spam" "From:.*Technical Services.*")
	("misc.spam" "From: (P|p)ostmaster")
	("misc.spam" "Subject:.*VIRUS.*")
	("misc.spam" "Subject:.*security.*patch.*")
	("misc.spam" "Subject:.*upgrade.*"))

And, of course, Mail/misc/spam is a symlink to /dev/null.

Anyone feel this is worth a project on Savannah or SourceForge?

-- 
Ludovic Brenta.

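A header-only version of the filter Ludovic describes (POP3 TOP to fetch headers, a regex rule set, DELE for matches), combined with Wes Groleau's all-caps SUBJECT observation from the "a tip" subthread, as an added example that is not Ludovic's program: the rules are his Gnus list rewritten in Python regex syntax, and the sample header blocks, the example.invalid addresses and the OfflineMailbox stand-in are constructed so it runs without a server.

```python
import re

# Rules adapted from the nnmail-split-methods list above, rewritten in Python regex
# syntax (Gnus spells groups and alternation differently). They are matched
# case-sensitively, one header line at a time: an assumption, not Gnus's exact rules.
HEADER_RULES = [re.compile(p, re.MULTILINE) for p in (
    r"^From: $",
    r"^From: Service .*",
    r'^From: "?[Aa]dmin"?',
    r"^From: administrator",
    r"^From:.*Delivery.*",
    r"^From:.*Internet Security.*",
    r"^From: MS ",
    r"^From: ms net message system",
    r"^From: [Mm]icrosoft.*",
    r"^From: Email System",
    r"^From: inet storage service",
    r"^From: (Inet|Internet) (Email |Mail )?Storage System",
    r'^From: "Network Mail System"',
    r"^From:.*Technical Services.*",
    r"^From: [Pp]ostmaster",  # caveat: genuine bounces from a postmaster vanish too
    r"^Subject:.*VIRUS.*",
    r"^Subject:.*security.*patch.*",
    r"^Subject:.*upgrade.*",
)]

# Wes Groleau's tip, confirmed by the header dump at the top of the thread: the worm
# writes field names in capitals ("FROM:", "TO:", "SUBJECT:"); normal mailers do not.
ALLCAPS_HEADER = re.compile(r"^(FROM|TO|SUBJECT):", re.MULTILINE)


def classify(raw_headers):
    """Return ('spam', reason) or ('ham', None) for a decoded header block."""
    for rule in HEADER_RULES:
        if rule.search(raw_headers):
            return "spam", rule.pattern
    if ALLCAPS_HEADER.search(raw_headers):
        return "spam", "all-caps header field name"
    return "ham", None


def sweep(pop):
    """Delete matching messages using TOP (headers only), never RETR (full body).

    `pop` needs only the stat()/top()/dele() methods of poplib.POP3 (or POP3_SSL),
    so the same logic runs offline against the stand-in below. In a cron job,
    call pop.quit() afterwards: that is what commits the DELEs.
    Returns the deleted message numbers.
    """
    count, _octets = pop.stat()
    deleted = []
    for num in range(1, count + 1):
        _resp, lines, _size = pop.top(num, 0)        # 0 body lines: headers only
        headers = b"\n".join(lines).decode("latin-1", "replace")
        if classify(headers)[0] == "spam":
            pop.dele(num)
            deleted.append(num)
    return deleted


# Constructed header blocks; the first reuses the fields quoted in the thread's dump.
WORM_BOUNCE = ('FROM: "" <rmailroutine@microsoft.com>\n'
               'TO: "Email Receiver" <user@smtpserver.com>\n'
               "SUBJECT: Undeliverable Mail: User unknown\n")
WORM_PATCH = ("From: Microsoft Corporation Public Support\n"
              "To: aek@example.invalid\n"
              "Subject: Latest Internet security patch\n")
LEGIT_POST = ("From: Some Ada Poster <poster@example.invalid>\n"
              "To: comp.lang.ada@example.invalid\n"
              "Subject: Re: Ada private modeling collection\n")


class OfflineMailbox:
    """Stand-in for poplib.POP3 so sweep() can be exercised without a server."""

    def __init__(self, messages):
        self.messages = messages
        self.deleted = set()

    def stat(self):
        return len(self.messages), sum(len(m) for m in self.messages)

    def top(self, num, _howmuch):
        raw = self.messages[num - 1].encode("latin-1")
        return b"+OK", raw.split(b"\n"), len(raw)

    def dele(self, num):
        self.deleted.add(num)


def demo():
    """Sweep three constructed messages; the two worm copies (1 and 3) get deleted."""
    return sweep(OfflineMailbox([WORM_BOUNCE, LEGIT_POST, WORM_PATCH]))
```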



* Re: Current "Swen" worm attack - a tip
  2003-09-23  7:33     ` Preben Randhol
@ 2003-09-23 17:44       ` Jeffrey Carter
  2003-09-23 18:00         ` Brian Catlin
                           ` (2 more replies)
  0 siblings, 3 replies; 31+ messages in thread
From: Jeffrey Carter @ 2003-09-23 17:44 UTC (permalink / raw)


Preben Randhol wrote:
> 
> I have found that the Bayesian filtering is very good when you have
> taught it what is spam and what is not. It takes a bit of effort in the
> beginning, but now I get about 40-50 spams a day and I have some 5-7
> mailing lists and it filters all for me into correct folders. Sometimes a
> spam ends up in the wrong place, but then it is simple (for me) to press a
> key and it is relearnt as spam and moved into that folder.
> 
> I have heard talk that the naive Bayesian statistical methods used could
> be improved and other statistical methods might do better, however there
> has not been an implementation yet. So if anybody here knows statistics
> it is a nice chance to make a killer spam filter :-)

I've long felt that a neural network should be able to learn to 
distinguish spam from real mail very accurately. The problem is figuring 
out a good way to represent a mail message to the network. I haven't had 
much success on that, but once you have that, training the network is 
simple.

-- 
Jeff Carter
"I've got to stay here, but there's no reason
why you folks shouldn't go out into the lobby
until this thing blows over."
Horse Feathers
50





* Re: Current "Swen" worm attack - a tip
  2003-09-23 17:44       ` Jeffrey Carter
@ 2003-09-23 18:00         ` Brian Catlin
  2003-09-23 19:14           ` tmoran
  2003-09-23 20:55         ` Berend de Boer
  2003-09-24 10:08         ` Dmitry A. Kazakov
  2 siblings, 1 reply; 31+ messages in thread
From: Brian Catlin @ 2003-09-23 18:00 UTC (permalink / raw)


"Jeffrey Carter" <spam@spam.com> wrote in message
news:WD%bb.785$RW4.309@newsread4.news.pas.earthlink.net...
> Preben Randhol wrote:
> >
> > I have found that the Bayesian filtering is very good when you have
> > taught it what is spam and what is not. It takes a bit of effort in the
> > beginning, but now I get about 40-50 spams a day and I have some 5-7
> > mailing lists and it filters all for me into correct folders. Sometimes a
> > spam ends up in the wrong place, but then it is simple (for me) to press a
> > key and it is relearnt as spam and moved into that folder.
> >
> > I have heard talk that the naive Bayesian statistical methods used could
> > be improved and other statistical methods might do better, however there
> > has not been an implementation yet. So if anybody here knows statistics
> > it is a nice chance to make a killer spam filter :-)
>
> I've long felt that a neural network should be able to learn to
> distinguish spam from real mail very accurately. The problem is figuring
> out a good way to represent a mail message to the network. I haven't had
> much success on that, but once you have that, training the network is
> simple.

You might want to take a look at SpamPal (www.SpamPal.org).  While it doesn't
use a neural net, it has a RegEx and Bayesian filter module.  It sits between
your email client and the server and marks spam so your email client's rules can
dispose of the unwanted spam.

 -Brian

> -- 
> Jeff Carter
> "I've got to stay here, but there's no reason
> why you folks shouldn't go out into the lobby
> until this thing blows over."
> Horse Feathers
> 50
>






* Re: Current "Swen" worm attack
  2003-09-23  4:11       ` David Marceau
  2003-09-23 11:08         ` Jeff C,
@ 2003-09-23 18:47         ` Randy Brukardt
  2003-09-23 20:56         ` Berend de Boer
  2 siblings, 0 replies; 31+ messages in thread
From: Randy Brukardt @ 2003-09-23 18:47 UTC (permalink / raw)


"David Marceau" <davidmarceau@sympatico.ca> wrote in message
news:3F6FC7D4.3949160D@sympatico.ca...
> Spam-removal plug-ins for mail clients and server-side spam-removal
> services will certainly have their demand increase.
> Since it seems there isn't enough spam filtering being done out there
> with the other developer languages at the mail server(both send&receive)
> end of things, maybe an ada eager-beaver would like to jump on an
> opportunity to increase the ada95 exposure through ada-based mail
> applications and show them how it should be done.

Well, I'm already doing it for the IMS mail server. I've been giving away
the filter to other IMS users (it's community supported software), but of
course it only works there.

I'd replace the entire mail server, but it is too big a job to take on at
this time.

                Randy.







* Re: Current "Swen" worm attack - a tip
  2003-09-23 18:00         ` Brian Catlin
@ 2003-09-23 19:14           ` tmoran
  0 siblings, 0 replies; 31+ messages in thread
From: tmoran @ 2003-09-23 19:14 UTC (permalink / raw)


To take a few words from recent posts, how would various filtering
methods handle a message with the subject line
"Re: Ada private modeling collection"?


* Re: Current "Swen" worm attack - a tip
  2003-09-23 17:44       ` Jeffrey Carter
  2003-09-23 18:00         ` Brian Catlin
@ 2003-09-23 20:55         ` Berend de Boer
  2003-09-24 10:08         ` Dmitry A. Kazakov
  2 siblings, 0 replies; 31+ messages in thread
From: Berend de Boer @ 2003-09-23 20:55 UTC (permalink / raw)


>>>>> "Jeffrey" == Jeffrey Carter <spam@spam.com> writes:

    Jeffrey> I've long felt that a neural network should be able to
    Jeffrey> learn to distinguish spam from real mail very
    Jeffrey> accurately. The problem is figuring out a good way to
    Jeffrey> represent a mail message to the network. I haven't had
    Jeffrey> much success on that, but once you have that, training
    Jeffrey> the network is simple.

This approach was described by Paul Graham:

  http://www.paulgraham.com/spam.html

It has been used very successfully by a lot of products including my
own (http://www.pobox.com/~berend/emc/).

-- 
Regards,

Berend. (-:


* Re: Current "Swen" worm attack
  2003-09-23  4:11       ` David Marceau
  2003-09-23 11:08         ` Jeff C,
  2003-09-23 18:47         ` Randy Brukardt
@ 2003-09-23 20:56         ` Berend de Boer
  2 siblings, 0 replies; 31+ messages in thread
From: Berend de Boer @ 2003-09-23 20:56 UTC (permalink / raw)


>>>>> "David" == David Marceau <davidmarceau@sympatico.ca> writes:

    David> I got around 200 spam in the last two days and my mailbox
    David> at the isp hit the maximum capacity and started rejecting
    David> good emails.  This is the biggest spam-tsunami I have
    David> experienced.

200 spam in two days? Man, I get 2000 a day!

-- 
Regards,

Berend. (-:


* Re: Current "Swen" worm attack
  2003-09-23 15:41           ` Ludovic Brenta
@ 2003-09-24  1:14             ` Jeff C,
  2003-09-24  8:20             ` Martin Krischik
  1 sibling, 0 replies; 31+ messages in thread
From: Jeff C, @ 2003-09-24  1:14 UTC (permalink / raw)



"Ludovic Brenta" <ludovic.brenta@insalien.org> wrote in message
news:m3k77zcy0w.fsf@insalien.org...
>
> I have an additional requirement.  Not only do I want to prevent my
> mailbox from filling up, but I also do not want to download all of
> these emails, because with the sheer volume I'm getting (about 200
> spams a day), I'd blow up my download quota.  This means I do not want
> to do the filtering on the client (which I was doing in gnus), but I
> want to do it on the server before my client downloads the emails.
>
> So, today, I wrote an Ada program that does all that.  It's about 550
> SLOC in Ada, and uses libspopc to do the POP3 client stuff (and yes, I
> wrote a thick binding to it).  I also used a couple of generic
> containers from Charles.
>
> My solution uses POP3 to download just the headers of all mails, and
> delete those that match a set of regular expressions.  These regexes
> come directly from my ~/.emacs file, so that the server-side filtering
> uses the same rules as the client-side one.
>
> I ran it today and it deleted about 200 spams that had accumulated
> over 14 hours.  Now I will never even have to download their contents
> :)
>
stuff deleted
>
> Anyone feel this is worth a project on Savannah or SourceForge?
>
> -- 
> Ludovic Brenta.

Depends... At the very least the bindings are worth a project. If you
think/expect you would continue to update the rest of it then the whole thing
should probably be a project.
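The header-only POP3 filter Ludovic describes above, as an added example in Python (not his Ada program, libspopc, or anything else from the thread): it asks the server for headers only with TOP n 0, matches them against regex rules, and marks hits with DELE so nothing else is downloaded. `RULES`, `FakePOP3` and the `SAMPLE` messages are constructed here to stand in for his ~/.emacs rules and a live server, so the block runs offline.

```python
import re
from email.parser import BytesHeaderParser
from email.policy import default

# Header rules in the role of Ludovic's ~/.emacs regexes. These are constructed
# samples, not his actual rules; a message is deleted when any rule matches.
RULES = {
    "Subject": re.compile(r"security update|undeliverable", re.I),
    "From": re.compile(r"@microsoft\.com>?\s*$", re.I),
}

def headers_of(pop, num):
    """Fetch only the headers of message `num` via POP3 TOP n 0. `pop` is a
    poplib.POP3 or anything with the same method shapes; no body bytes move."""
    _resp, lines, _octets = pop.top(num, 0)
    return BytesHeaderParser(policy=default).parsebytes(b"\r\n".join(lines))

def is_spam(msg):
    """True when any rule matches its header; a missing header matches nothing."""
    return any(pat.search(str(msg.get(name, ""))) for name, pat in RULES.items())

def filter_mailbox(pop):
    """Mark matching messages for deletion and return their numbers. POP3
    applies DELE only at QUIT, so an interrupted run leaves the mailbox intact."""
    _resp, listing, _octets = pop.list()          # entries look like b"1 1234"
    deleted = []
    for entry in listing:
        num = int(entry.split()[0])
        if is_spam(headers_of(pop, num)):
            pop.dele(num)
            deleted.append(num)
    return deleted

class FakePOP3:
    """Offline stand-in for poplib.POP3 holding constructed messages."""
    def __init__(self, messages):
        self.messages, self.marked = messages, set()
    def list(self):
        return b"+OK", [f"{i} {len(m)}".encode() for i, m in enumerate(self.messages, 1)], 0
    def top(self, which, howmuch):
        head, _, body = self.messages[which - 1].partition(b"\r\n\r\n")
        return b"+OK", head.split(b"\r\n") + [b""] + body.split(b"\r\n")[:howmuch], 0
    def dele(self, which):
        self.marked.add(which)
        return b"+OK"

# Constructed samples: two imitate the forged "security update" and bounce mail
# this thread discusses, the third is ordinary list traffic that must survive.
SAMPLE = [
    b"From: MS Security Center <update@microsoft.com>\r\nSubject: Latest Security Update\r\n\r\nInstall now.",
    b"From: postmaster@example.net\r\nSubject: Undeliverable: your message\r\n\r\nbounced",
    b"From: ludovic@example.org\r\nSubject: Re: Ada POP3 binding\r\n\r\nPatch attached.",
]
```

Against a real server, replace `FakePOP3(SAMPLE)` with `poplib.POP3_SSL(host)` after `user()`/`pass_()` and call `quit()` afterwards to commit the deletions.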


* Re: Current "Swen" worm attack
  2003-09-23 15:41           ` Ludovic Brenta
  2003-09-24  1:14             ` Jeff C,
@ 2003-09-24  8:20             ` Martin Krischik
  2003-09-25 10:10               ` Ludovic Brenta
  1 sibling, 1 reply; 31+ messages in thread
From: Martin Krischik @ 2003-09-24  8:20 UTC (permalink / raw)


Ludovic Brenta wrote:

> Anyone feel this is worth a project on Savannah or SourceForge?

Sure it is.

With Regards

Martin
-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com


* Re: Current "Swen" worm attack - a tip
  2003-09-23 17:44       ` Jeffrey Carter
  2003-09-23 18:00         ` Brian Catlin
  2003-09-23 20:55         ` Berend de Boer
@ 2003-09-24 10:08         ` Dmitry A. Kazakov
  2003-09-24 21:50           ` Wes Groleau
  2 siblings, 1 reply; 31+ messages in thread
From: Dmitry A. Kazakov @ 2003-09-24 10:08 UTC (permalink / raw)


On Tue, 23 Sep 2003 17:44:22 GMT, Jeffrey Carter <spam@spam.com>
wrote:

>Preben Randhol wrote:
>> 
>> I have found that the Bayesian filtering is very good when you have
>> taught it what is spam and what is not. It takes a bit of effort in the
>> beginning, but now I get about 40-50 spams a day and I have some 5-7
>> mailing lists and it filters all for me into correct folders. Sometimes a
>> spam ends in the wrong place, but then it is simple (for me) to press a
>> key and it is relearnt as spam and moved into that folder.
>> 
>> I have heard talk that the naive Bayesian statistical methods used could
>> be improved and other statistical methods might do better, however there
>> has not been an implementation yet. So if anybody here knows statistics
>> it is a nice chance to make a killer spam filter :-)
>
>I've long felt that a neural network should be able to learn to 
>distinguish spam from real mail very accurately.

It won't.

>The problem is figuring 
>out a good way to represent a mail message to the network.

Right. It is a well known problem of machine learning. To apply any
learning technique, you have to have features. These features have to
be good, very good. For example, the feature "number of repetitions
of a given word in a text" is a very bad feature if the spammer generates
messages randomly with a big dictionary.

But features appearing good to us, humans, may be bad for the chosen
method. For example, most statistical methods require
statistically independent features. It is easy to build a feature
space where well distinguishable classes will never be separated by a
neural network, etc.

>I haven't had 
>much success on that, but once you have that, training the network is 
>simple.

Once you have good features. Surely.

BTW, it looks like it is over. Since yesterday I am receiving no more
spam (of this kind). Is that because MS is closing those chats?

---
Regards,
Dmitry Kazakov
www.dmitry-kazakov.de
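The Paul Graham approach Berend points to, and the feature question Dmitry raises here, worked through as an added example in Python (not Berend's emc or any code from the thread): Graham's per-token probability, the 15 most interesting tokens, and the naive-Bayes combination, which is exactly the step that assumes the independent features Dmitry mentions. The ten-message training corpus and the scored messages are constructed for the example.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[A-Za-z0-9'$-]+")

def tokens(text):
    """Case-folded token presence set; counts are ignored, as in Graham's essay."""
    return {t.lower() for t in TOKEN.findall(text)}

def train(good_msgs, bad_msgs):
    """Graham's per-token spam probability: good counts doubled against false
    positives, tokens seen fewer than 5 times dropped, result clipped to [0.01, 0.99]."""
    good = Counter(t for m in good_msgs for t in tokens(m))
    bad = Counter(t for m in bad_msgs for t in tokens(m))
    ngood, nbad = len(good_msgs), len(bad_msgs)
    probs = {}
    for t in good.keys() | bad.keys():
        g, b = 2 * good[t], bad[t]
        if g + b < 5:
            continue
        bfrac, gfrac = min(1.0, b / nbad), min(1.0, g / ngood)
        probs[t] = min(0.99, max(0.01, bfrac / (gfrac + bfrac)))
    return probs

def score(text, probs, unknown=0.4, top=15):
    """Combine the `top` tokens farthest from 0.5 with the naive-Bayes product;
    multiplying the per-token probabilities is where independence is assumed."""
    ps = sorted((probs.get(t, unknown) for t in tokens(text)),
                key=lambda p: abs(p - 0.5), reverse=True)[:top]
    spam = math.prod(ps)
    ham = math.prod(1 - p for p in ps)
    return spam / (spam + ham)

# Constructed training corpus: five list-style messages, five worm/spam-like ones.
HAM = [
    "Re: Ada POP3 binding patch attached, compiler warnings fixed",
    "the Ada compiler rejects the generic instantiation",
    "Ada task rendezvous question for the compiler list",
    "new Ada compiler release notes and binding updates",
    "Ada binding to libspopc, compiler accepts it",
]
SPAM = [
    "Free Microsoft security update, click here now",
    "click here for a free undeliverable message fix",
    "free free free click the link",
    "your free security update is ready, click now",
    "click to install the free patch now",
]

def demo():
    probs = train(HAM, SPAM)
    return (score("Free Microsoft update, click here now", probs),
            score("Ada compiler question about the binding", probs))
```

With such a small corpus most tokens fall below the 5-occurrence threshold and get the 0.4 "unknown" value, so the two clipped tokens on each side decide the verdict; a real deployment needs thousands of messages before the probabilities mean much.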


* Re: Current "Swen" worm attack - a tip
  2003-09-24 10:08         ` Dmitry A. Kazakov
@ 2003-09-24 21:50           ` Wes Groleau
  0 siblings, 0 replies; 31+ messages in thread
From: Wes Groleau @ 2003-09-24 21:50 UTC (permalink / raw)


Dmitry A. Kazakov wrote:
> BTW, it looks like it is over. Since yesterday I am receiving no more
> spam (of this kind). Is that because MS is closing those chats?

I got one around midnight last night (Indiana time).
My filters block 100% except on one address, which
was getting two or three a day.

-- 
Wes Groleau
When all you have is a perl, everything looks like a string.


* Re: Current "Swen" worm attack
  2003-09-24  8:20             ` Martin Krischik
@ 2003-09-25 10:10               ` Ludovic Brenta
  2003-09-25 11:01                 ` Martin Krischik
                                   ` (2 more replies)
  0 siblings, 3 replies; 31+ messages in thread
From: Ludovic Brenta @ 2003-09-25 10:10 UTC (permalink / raw)


Martin Krischik <krischik@users.sourceforge.net> writes:

> Ludovic Brenta wrote:

[description of my spam killer program]

> > Anyone feel this is worth a project on Savannah or SourceForge?
> 
> Sure it is.
> 
> With Regards
> 
> Martin

I think I'll go ahead and create a project, but I'll be a bit more
ambitious than that.

First, I'd like to port libspopc (the POP3 client library) to Ada, and
integrate that into an existing library.  I think Libra
(http://nongnu.org/libra) on Savannah is a good candidate.  Then, I'll
create a new project for the spam killer itself and use that library.

Comments?

-- 
Ludovic Brenta.


* Re: Current "Swen" worm attack
  2003-09-25 10:10               ` Ludovic Brenta
@ 2003-09-25 11:01                 ` Martin Krischik
  2003-09-25 11:32                 ` Preben Randhol
  2003-09-25 13:47                 ` Stephen Leake
  2 siblings, 0 replies; 31+ messages in thread
From: Martin Krischik @ 2003-09-25 11:01 UTC (permalink / raw)


Ludovic Brenta wrote:

> Martin Krischik <krischik@users.sourceforge.net> writes:
> 
>> Ludovic Brenta wrote:
> 
> [description of my spam killer program]
> 
>> > Anyone feel this is worth a project on Savannah or SourceForge?
>> 
>> Sure it is.
>> 
>> With Regards
>> 
>> Martin
> 
> I think I'll go ahead and create a project, but I'll be a bit more
> ambitious than that.
> 
> First, I'd like to port libspopc (the POP3 client library) to Ada, and
> integrate that into an existing library.  I think Libra
> (http://nongnu.org/libra) on Savannah is a good candidate.  Then, I'll
> create a new project for the spam killer itself and use that library.

The link does not work!?

> Comments?

Yes: create a project first. I know that there are a lot of dead projects on
e.g. SourceForge but the source of them is not lost. Others always can take
over.

With Regards

Martin
-- 
mailto://krischik@users.sourceforge.net
http://www.ada.krischik.com


* Re: Current "Swen" worm attack
  2003-09-25 10:10               ` Ludovic Brenta
  2003-09-25 11:01                 ` Martin Krischik
@ 2003-09-25 11:32                 ` Preben Randhol
  2003-09-25 12:07                   ` Ludovic Brenta
  2003-09-25 13:47                 ` Stephen Leake
  2 siblings, 1 reply; 31+ messages in thread
From: Preben Randhol @ 2003-09-25 11:32 UTC (permalink / raw)


On 2003-09-25, Ludovic Brenta <ludovic.brenta@insalien.org> wrote:
>
> I think I'll go ahead and create a project, but I'll be a bit more
> ambitious than that.
>
> First, I'd like to port libspopc (the POP3 client library) to Ada, and
> integrate that into an existing library.  I think Libra
> (http://nongnu.org/libra) on Savannah is a good candidate.  Then, I'll
> create a new project for the spam killer itself and use that library.

Libra? I get a 404 when I try to access that page.

Sounds like a nice project. Later maybe you add IMAP support too? 

Preben


* Re: Current "Swen" worm attack
  2003-09-25 11:32                 ` Preben Randhol
@ 2003-09-25 12:07                   ` Ludovic Brenta
  0 siblings, 0 replies; 31+ messages in thread
From: Ludovic Brenta @ 2003-09-25 12:07 UTC (permalink / raw)


Preben Randhol <randhol+abuse@pvv.org> writes:

> On 2003-09-25, Ludovic Brenta <ludovic.brenta@insalien.org> wrote:
> >
> > I think I'll go ahead and create a project, but I'll be a bit more
> > ambitious than that.
> >
> > First, I'd like to port libspopc (the POP3 client library) to Ada, and
> > integrate that into an existing library.  I think Libra
> > (http://nongnu.org/libra) on Savannah is a good candidate.  Then, I'll
> > create a new project for the spam killer itself and use that library.
> 
> Libra? I get a 404 when I try to access that page.

Sorry: http://www.nongnu.org/libra/

> Sounds like a nice project. Later maybe you add IMAP support too? 
> 
> Preben

Yes, maybe.  SMTP is already in there, both client and server.

-- 
Ludovic Brenta.


* Re: Current "Swen" worm attack
  2003-09-25 10:10               ` Ludovic Brenta
  2003-09-25 11:01                 ` Martin Krischik
  2003-09-25 11:32                 ` Preben Randhol
@ 2003-09-25 13:47                 ` Stephen Leake
  2 siblings, 0 replies; 31+ messages in thread
From: Stephen Leake @ 2003-09-25 13:47 UTC (permalink / raw)


Ludovic Brenta <ludovic.brenta@insalien.org> writes:

> I think I'll go ahead and create a project, but I'll be a bit more
> ambitious than that.
> 
> First, I'd like to port libspopc (the POP3 client library) to Ada, and
> integrate that into an existing library.  I think Libra
> (http://nongnu.org/libra) on Savannah is a good candidate.  Then, I'll
> create a new project for the spam killer itself and use that library.

In general, I support the idea of integrating new features into
existing libraries; it makes them easier to use when you need the
other stuff in the bigger library.

However, the url you gave appears to not be valid (I get error 404);
please check?

-- 
-- Stephe


* Re: Current "Swen" worm attack
       [not found]       ` <3F6FA78D.3070708@myob.com>
@ 2003-10-03 13:41         ` sk
  2003-10-03 14:17           ` Preben Randhol
  0 siblings, 1 reply; 31+ messages in thread
From: sk @ 2003-10-03 13:41 UTC (permalink / raw)
  To: comp.lang.ada

me :

 > <RANT> ... </RANT>

http://theregister.co.uk/content/4/33199.html

  o o
   |
  \_/

-- 
-------------------------------------------------
-- Merge vertically for real address
--
--     s n p @ t . o
--      k i e k c c m
-------------------------------------------------


* Re: Current "Swen" worm attack
  2003-10-03 13:41         ` sk
@ 2003-10-03 14:17           ` Preben Randhol
  0 siblings, 0 replies; 31+ messages in thread
From: Preben Randhol @ 2003-10-03 14:17 UTC (permalink / raw)


On 2003-10-03, sk <noname@myob.com> wrote:
> http://theregister.co.uk/content/4/33199.html

Finally.

Preben
