[Esd-l] SWEN identifier: TO/FROM/SUBJECT
brett at lariat.org
Tue Sep 23 16:53:28 PDT 2003
At 01:06 PM 9/22/2003, Kenneth Porter wrote:
>Based on observations in comp.mail.sendmail and looking at my growing
>collection of defanged SWEN messages, it looks very consistent in one trait:
>The From, To, and Subject headers are all present and *all upper case*.
Yes, this is a defining trait of the Swen worm. I'd use it to filter if I
were sure that the filter wouldn't catch innocent messages.
Has anyone developed a good recipe that identifies Swen? It'd be fine
for it to use the trait mentioned above, but I'd like it to use at least
one OTHER criterion, too.
More information about the esd-l