[Esd-l] SWEN identifier: TO/FROM/SUBJECT

John D. Hardin jhardin at impsec.org
Wed Sep 24 05:54:46 PDT 2003


On Tue, 23 Sep 2003, Brett Glass wrote:

> At 01:06 PM 9/22/2003, Kenneth Porter wrote:
>   
> >Based on observations in comp.mail.sendmail and looking at my growing
> >collection of defanged SWEN messages, it looks very consistent in one trait:
> >The From, To, and Subject headers are all present and *all upper case*.
> 
> Yes, this is a defining trait of the Swen worm. I'd use it to
> filter if I were sure that the filter wouldn't catch innocent
> messages.
> 
> Has anyone developed a good recipe that identifies Swen? It'd be
> fine for it to use the trait mentioned above, but I'd like it to
> use at least one OTHER criterion, too.

Three other telltales:
100KB - 160KB in size (has anybody seen one outside this size range?)
multiple image attachments
executable attachment

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   43 days until Matrix Revolutions
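As an added illustration (not part of the original post or any code the list members shared), the Python below turns the four telltales from this thread into a scoring check: From/To/Subject present and all upper case, raw size between 100KB and 160KB, more than one image attachment, and an executable attachment. It follows Brett's rule that the upper-case headers alone should not trigger a match; at least one other criterion must also hold. The sample messages are constructed inline and are not real Swen captures, and the set of "executable" filename extensions and the size bounds are assumptions chosen for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumption for this example: which attachment extensions count as "executable".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
# Size range quoted in the thread (100KB - 160KB).
SIZE_LOW = 100 * 1024
SIZE_HIGH = 160 * 1024


def build_sample_message(uppercase_headers=True, image_count=2,
                         executable=True, pad_bytes=80 * 1024):
    """Construct a synthetic message showing the traits; NOT a real Swen sample.

    pad_bytes is stuffed into the first image so the base64-encoded message
    lands inside the 100KB-160KB window when the default is used.
    """
    msg = EmailMessage()
    if uppercase_headers:
        msg["From"] = "MICROSOFT SECURITY <UPDATES@EXAMPLE.COM>"
        msg["To"] = "USER@EXAMPLE.NET"
        msg["Subject"] = "LATEST NET SECURITY UPDATE"
    else:
        msg["From"] = "Alice <alice@example.com>"
        msg["To"] = "Bob <bob@example.net>"
        msg["Subject"] = "Lunch tomorrow?"
    msg.set_content("Constructed body text for the example.")
    for i in range(image_count):
        payload = b"\x89PNG" + b"\0" * (pad_bytes if i == 0 else 64)
        msg.add_attachment(payload, maintype="image", subtype="png",
                           filename=f"img{i}.png")
    if executable:
        msg.add_attachment(b"MZ" + b"\0" * 64, maintype="application",
                           subtype="octet-stream", filename="update.exe")
    return msg.as_bytes()


def headers_all_upper(msg):
    """True only if From, To and Subject are present and contain no lower-case letter."""
    for name in ("From", "To", "Subject"):
        value = msg.get(name)
        if value is None:
            return False
        letters = [c for c in str(value) if c.isalpha()]
        if not letters or any(c.islower() for c in letters):
            return False
    return True


def attachment_counts(msg):
    """Return (image_attachments, executable_attachments) for a parsed message."""
    images = executables = 0
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "image":
            images += 1
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            executables += 1
    return images, executables


def swen_traits(raw):
    """Evaluate each telltale from the thread against raw message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    images, executables = attachment_counts(msg)
    return {
        "upper_headers": headers_all_upper(msg),
        "size_in_range": SIZE_LOW <= len(raw) <= SIZE_HIGH,
        "multiple_images": images > 1,
        "executable_attachment": executables > 0,
    }


def looks_like_swen(raw):
    """Upper-case headers plus at least one other telltale, per the thread's rule."""
    traits = swen_traits(raw)
    others = ("size_in_range", "multiple_images", "executable_attachment")
    return traits["upper_headers"] and any(traits[k] for k in others)


if __name__ == "__main__":
    sample = build_sample_message()
    print(len(sample), "bytes", swen_traits(sample), looks_like_swen(sample))
```

Running it on the constructed sample reports all four traits true; a message with ordinary mixed-case headers, or one whose only oddity is upper-case headers, is not flagged, which is the false-positive guard the thread asks for.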
