[linux-elitists] dealing with Swen

Steven Critchfield le@drunkenlogic.com
Thu Sep 25 11:46:47 PDT 2003


On Tue, 2003-09-23 at 13:13, Geoff Lane wrote:
> Much as I hate to do it, if accepting and /dev/null'ing 200Mb of trash email
> a day helps, that's what I'll do (I'm on a wires only, unmetered ADSL line
> so it's not much of a hardship. But I really want to LART _somebody_.)

While looking over some of these mails, I'm not sure that the
Return-path of this virus isn't appropriate. On a few that I have spot
checked, if you take the return path and check who the mail exchanger
is, you will find it is the same as the SMTP that forwarded the mail
along, or at least in the same domain, so as to suggest it is the same group
of machines.

This is the line I used to check the distribution of the email addresses
in the return path address. The base64 is the 5th line of the virus and
seems unique to Swen.

grep -l 'AAAAAAAAAADgAA8BCwEGAADQAAAAQAEAAAAAAIWuAAAAEAAAAOAAAAAAQAAAEAAAABAAAAQAAAAA' * \
  | xargs grep -h Return-path | sort | uniq -c | sort -r


I'll agree that the normal behavior should be to not bounce messages.
But this may be one where notification might be a good thing.
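Added example, not from Steven's post: the same tally done over a spool of raw messages, plus the spot check he describes, comparing each Swen Return-path against the host that handed the message to our MX. Two things are assumptions of this example rather than part of the post: the MX lookup is replaced by an offline comparison of the registrable domain (last two DNS labels) of the Return-path against that of the relay named in the topmost Received: line, and the sample messages (reserved example.* domains, filler base64) are constructed here, not real captures. Only the marker string itself is taken from the post.

```python
"""Tally Swen Return-path addresses and compare each one's domain with the
SMTP relay that delivered the message.  Added example; sample spool is
constructed, not captured."""
import email
import re
from collections import Counter
from email.utils import parseaddr

# Base64 line the post quotes as Swen's 5th body line; the worm mails the
# same attachment every time, so the line is a stable content signature.
SWEN_MARKER = (
    "AAAAAAAAAADgAA8BCwEGAADQAAAAQAEAAAAAAIWuAAAAEAAAAOAAAAAAQAAAEAAAABAAAAQAAAAA"
)


def is_swen(raw):
    """Equivalent of `grep -l MARKER file`: true if any line carries it."""
    return any(SWEN_MARKER in line for line in raw.splitlines())


def return_path(raw):
    """Bare address from the Return-path header (the envelope sender)."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("Return-Path", ""))[1]


def relay_host(raw):
    """Host named in the topmost Received: line, i.e. the SMTP client that
    handed the message to our own MX (the last hop before us)."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"from\s+(\S+)", received[0].strip())
    return m.group(1).lower() if m else ""


def registrable_domain(host):
    """Last two DNS labels.  Assumption of this example: used in place of
    the MX lookup the post describes so that it runs offline."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def tally_return_paths(messages):
    """The post's pipeline: grep -l MARKER | grep Return-path | sort | uniq -c."""
    return Counter(return_path(m) for m in messages if is_swen(m))


def audit(messages):
    """(return_path, relay, same_domain) for every message matching Swen."""
    rows = []
    for m in messages:
        if not is_swen(m):
            continue
        rp, relay = return_path(m), relay_host(m)
        same = registrable_domain(rp.split("@")[-1]) == registrable_domain(relay)
        rows.append((rp, relay, same))
    return rows


def build_message(return_addr, relay, body_lines):
    """Constructed sample message (headers modelled on an MTA's, not real)."""
    return (
        f"Return-Path: <{return_addr}>\n"
        f"Received: from {relay} ({relay} [192.0.2.10])\n"
        f"\tby mx.example.org with ESMTP; Thu, 25 Sep 2003 10:00:00 -0700\n"
        f"From: \"MS Security\" <{return_addr}>\n"
        f"Subject: Current Internet Patch\n"
        f"MIME-Version: 1.0\n"
        f"Content-Type: application/octet-stream\n"
        f"Content-Transfer-Encoding: base64\n"
        "\n" + "\n".join(body_lines) + "\n"
    )


# Filler base64 around the marker so it lands on the 5th body line, as in the post.
SWEN_BODY = ["QUFBQQ=="] * 4 + [SWEN_MARKER] + ["QUFBQQ=="]
SAMPLE_SPOOL = [
    build_message("jdoe@example.net", "smtp3.example.net", SWEN_BODY),
    build_message("jdoe@example.net", "smtp3.example.net", SWEN_BODY),
    build_message("asmith@example.com", "relay.example.com", SWEN_BODY),
    build_message("forged@example.edu", "dialup-12.example.net", SWEN_BODY),  # forged path
    build_message("friend@example.org", "mail.example.org", ["SGVsbG8sIHdvcmxkIQ=="]),  # clean
]

if __name__ == "__main__":
    for addr, n in tally_return_paths(SAMPLE_SPOOL).most_common():
        print(f"{n:7d} {addr}")
    for rp, relay, same in audit(SAMPLE_SPOOL):
        print(f"{rp:24s} via {relay:24s} same domain: {same}")
```

The clean message is never counted, the repeated sender is tallied twice as `uniq -c` would, and the forged Return-path stands out in the audit as the one row whose domain does not match its relay, which is exactly the case where a notification to the Return-path address would reach the wrong party.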
