[Esd-l] SWEN identifier: TO/FROM/SUBJECT
Brett Glass
brett at lariat.org
Tue Sep 23 16:53:28 PDT 2003
At 01:06 PM 9/22/2003, Kenneth Porter wrote:

>Based on observations in comp.mail.sendmail and looking at my growing
>collection of defanged SWEN messages, it looks very consistent in one trait:
>The From, To, and Subject headers are all present and *all upper case*.

Yes, this is a defining trait of the Swen worm. I'd use it to filter if I
were sure that the filter wouldn't catch innocent messages.

Has anyone developed a good recipe that identifies Swen? It'd be fine
for it to use the trait mentioned above, but I'd like it to use at least
one OTHER criterion, too.

--Brett
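
The header-case trait quoted above, as an added example that is not part of the original thread: a check over the raw header block, since mail-parsing libraries usually look header names up case-insensitively and would hide the trait. It assumes "all upper case" refers to the field names as written (`FROM:`, `TO:`, `SUBJECT:`), covers only that one trait and no second criterion, and uses constructed sample messages.

```python
import re

# Header names the thread says are present and written in upper case.
TRAIT_HEADERS = ("FROM", "TO", "SUBJECT")

# A field name is printable ASCII without ':'; it must start the line.
_FIELD = re.compile(r"^([!-9;-~]+)[ \t]*:")


def raw_header_names(raw_message):
    """Return header field names exactly as written, preserving case."""
    names = []
    for line in raw_message.splitlines():
        if line == "":           # blank line ends the header block
            break
        if line[0] in " \t":     # folded continuation of the previous header
            continue
        match = _FIELD.match(line)
        if match:                # an mbox "From " separator has no colon: skipped
            names.append(match.group(1))
    return names


def has_uppercase_trait(raw_message):
    """True when From, To and Subject are all present and all upper case."""
    names = raw_header_names(raw_message)
    for wanted in TRAIT_HEADERS:
        spellings = [n for n in names if n.upper() == wanted]
        # Must be present, and every occurrence must be the upper-case form.
        if not spellings or any(s != wanted for s in spellings):
            return False
    return True


# Constructed sample messages (not captured traffic).
SAMPLE_TRAIT = ("FROM: \"Sample Sender\" <sender@example.com>\r\n"
                "TO: <user@example.org>\r\n"
                "SUBJECT: Sample subject\r\n\tfolded: continuation\r\n"
                "Date: Tue, 23 Sep 2003 16:53:28 -0700\r\n\r\nbody\r\n")
SAMPLE_NORMAL = ("From: sender@example.com\nTo: user@example.org\n"
                 "Subject: hello\n\nFROM: TO: SUBJECT: in the body only\n")
SAMPLE_MIXED = ("FROM: sender@example.com\nTo: user@example.org\n"
                "SUBJECT: HELLO\n\nbody\n")

if __name__ == "__main__":
    for name in ("SAMPLE_TRAIT", "SAMPLE_NORMAL", "SAMPLE_MIXED"):
        print(name, has_uppercase_trait(globals()[name]))
```
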