[Esd-l] SWEN identifier: TO/FROM/SUBJECT

Kenneth Porter shiva at sewingwitch.com
Wed Sep 24 14:03:10 PDT 2003


--On Tuesday, September 23, 2003 5:53 PM -0600 Brett Glass <brett at lariat.org>
wrote:

> At 01:06 PM 9/22/2003, Kenneth Porter wrote:
>   
>> Based on observations in comp.mail.sendmail and looking at my growing
>> collection of defanged SWEN messages, it looks very consistent in one trait:
>> The From, To, and Subject headers are all present and *all upper case*.
> 
> Yes, this is a defining trait of the Swen worm. I'd use it to filter if I
> were sure that the filter wouldn't catch innocent messages.

Anyone know of legitimate MUAs that upper-case these header names?

I figure I'll just silently discard those executables that match this pattern,
and then quarantine executables without, and this pattern without executables.
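
The policy described in this message, as an added Python example that is not part of the original post or of any sanitizer code discussed on the list. The extension list, the function names and the sample messages are assumptions constructed for illustration.

```python
import email

# Assumed list of "executable" extensions; the post does not enumerate them.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

def has_upper_trait(msg):
    """True if From, To and Subject are all present with all-upper-case names."""
    names = set(msg.keys())  # keys() keeps each header name's original case
    return {"FROM", "TO", "SUBJECT"} <= names

def has_executable(msg):
    """True if any MIME part carries a filename with an executable extension."""
    for part in msg.walk():
        fname = part.get_filename() or ""
        if fname.lower().endswith(EXEC_EXTS):
            return True
    return False

def verdict(raw):
    """Trait and executable: discard. Exactly one of the two: quarantine."""
    msg = email.message_from_bytes(raw)
    trait, exe = has_upper_trait(msg), has_executable(msg)
    if trait and exe:
        return "discard"
    if trait or exe:
        return "quarantine"
    return "deliver"

def sample(upper, attachment):
    """Constructed test message; addresses and filenames are made up."""
    h = ("FROM", "TO", "SUBJECT") if upper else ("From", "To", "Subject")
    lines = [f"{h[0]}: a@example.com", f"{h[1]}: b@example.org",
             f"{h[2]}: test", "MIME-Version: 1.0"]
    if attachment:
        lines += ['Content-Type: multipart/mixed; boundary="b1"', "",
                  "--b1", "Content-Type: text/plain", "", "hello",
                  "--b1", "Content-Type: application/octet-stream",
                  f'Content-Disposition: attachment; filename="{attachment}"',
                  "Content-Transfer-Encoding: base64", "", "AAAA", "--b1--", ""]
    else:
        lines += ["Content-Type: text/plain", "", "hello", ""]
    return "\r\n".join(lines).encode("ascii")

if __name__ == "__main__":
    for upper, att in [(True, "patch.exe"), (False, "patch.exe"), (True, None), (False, None)]:
        print(upper, att, verdict(sample(upper, att)))
```

A message that upper-cases only some of the three header names does not count as matching the trait here, since the observation is that all three are upper case together.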

