[Esd-l] SWEN identifier: TO/FROM/SUBJECT

Brett Glass brett at lariat.org
Tue Sep 23 16:53:28 PDT 2003


At 01:06 PM 9/22/2003, Kenneth Porter wrote:
  
>Based on observations in comp.mail.sendmail and looking at my growing
>collection of defanged SWEN messages, it looks very consistent in one trait:
>The From, To, and Subject headers are all present and *all upper case*.

Yes, this is a defining trait of the Swen worm. I'd use it to filter if I
were sure that the filter wouldn't catch innocent messages.

Has anyone developed a good recipe that identifies Swen? It'd be fine
for it to use the trait mentioned above, but I'd like it to use at least
one OTHER criterion, too.

--Brett
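
An added example, not part of the original message: a check for the header trait discussed above, plus a way to measure how often it fires on known-good mail before relying on it as a filter. It assumes the trait means the field names are written exactly as FROM:, TO: and SUBJECT: in the raw header block; the function names and sample messages are constructed for illustration.

```python
# Added example: test raw mail for the all-upper-case header trait.
# Assumption: "all upper case" refers to the field names FROM, TO, SUBJECT.
REQUIRED = ("FROM", "TO", "SUBJECT")


def header_names(raw: bytes) -> list:
    """Return header field names exactly as written (case preserved)."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]          # headers end at first blank line
    names = []
    for line in head.split("\n"):
        if not line or line[0] in " \t":      # folded continuation line
            continue
        if line.startswith("From "):          # mbox envelope line, not a header
            continue
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.rstrip())
    return names


def has_uppercase_trait(raw: bytes) -> bool:
    """True only if FROM, TO and SUBJECT all appear spelled in capitals."""
    names = header_names(raw)
    return all(required in names for required in REQUIRED)


def false_positive_rate(known_good) -> float:
    """Fraction of known-good messages the trait would wrongly flag."""
    if not known_good:
        return 0.0
    return sum(has_uppercase_trait(m) for m in known_good) / len(known_good)


# Constructed sample messages (not real traffic).
SAMPLE_UPPER = (b"Received: from host.example.invalid\r\n"
                b"FROM: \"Sender\" <a@example.invalid>\r\n"
                b"TO: <b@example.invalid>\r\n"
                b"SUBJECT: constructed test\r\n\r\nbody\r\n")
SAMPLE_NORMAL = (b"From: a@example.invalid\r\nTo: b@example.invalid\r\n"
                 b"Subject: hello\r\n\r\n"
                 b"FROM: body text\r\nTO: body text\r\nSUBJECT: body text\r\n")
SAMPLE_PARTIAL = (b"From: a@example.invalid\nTo: b@example.invalid\n"
                  b"SUBJECT: LOUD\n continued line\n\nbody\n")

if __name__ == "__main__":
    for label, msg in (("upper", SAMPLE_UPPER), ("normal", SAMPLE_NORMAL),
                       ("partial", SAMPLE_PARTIAL)):
        print(label, has_uppercase_trait(msg))
    print("FP rate:", false_positive_rate([SAMPLE_NORMAL, SAMPLE_PARTIAL]))
```

Running `false_positive_rate` over an archive of legitimate mail gives a direct measure of whether the trait alone would catch innocent messages.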


