[Esd-l] SWEN identifier: TO/FROM/SUBJECT
John D. Hardin
jhardin at impsec.org
Wed Sep 24 05:51:57 PDT 2003
On Wed, 24 Sep 2003, Scott Taylor wrote:
> On Tue, 23 Sep 2003, John Downing wrote:
>
> >
> > The uppercase TO/FROM/SUBJECT headers are NOT an "if and only if" marker
> > for the swen worm. I have quarantined email with swen attachments that have
> > both normal and all uppercase headers.
>
> Same here. However, the attachment always starts with "TVqQAAMAAAAEAAAA".
Standard Windows Executable first few bytes.
> Although, I fail to see what difference it makes as John's Sanitizer rules
> pick it up every time.
Yeah, but it'd be nice to have a local rule so that we can selectively
DISCARD NONOTIFY and stop being hounded by the alerts...
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
43 days until Matrix Revolutions
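A defender-side check of the heuristic discussed in this thread, added here as an illustration and not taken from the thread or from the Sanitizer itself: it decodes base64 attachment parts and tests the decoded bytes for the DOS "MZ" header that "TVqQAAMAAAAEAAAA" encodes, which is more robust than matching the encoded text. The sample message, filename and filler bytes are constructed.

```python
import base64
import email
from email import policy

# The encoded prefix from the thread and what it decodes to:
# 4D 5A 90 00 03 00 00 00 04 00 00 00 = "MZ" + e_cblp/e_cp/e_crlc/e_cparhdr
SWEN_PREFIX = "TVqQAAMAAAAEAAAA"
PREFIX_BYTES = base64.b64decode(SWEN_PREFIX)

# Constructed sample: a minimal multipart message whose base64 part decodes to
# an MZ header followed by zero filler (not a real program).
SAMPLE_MZ_BYTES = bytes.fromhex("4d5a90000300000004000000") + b"\x00" * 52
SAMPLE_MSG = (
    "From: sender@example.invalid\n"
    "Subject: TEST\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XX"\n'
    "\n--XX\n"
    "Content-Type: text/plain\n\nhello\n"
    "--XX\n"
    'Content-Type: application/octet-stream; name="update.exe"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(SAMPLE_MZ_BYTES).decode() + "\n"
    "--XX--\n"
)


def base64_prefix_matches(encoded_body: str) -> bool:
    """The literal text check from the thread (breaks if the base64 is re-wrapped
    or the header fields differ by even one byte)."""
    return encoded_body.lstrip().startswith(SWEN_PREFIX)


def looks_like_windows_executable(data: bytes) -> bool:
    """Check the decoded bytes instead: any DOS/PE stub starts with 'MZ'."""
    return data[:2] == b"MZ"


def find_executable_attachments(raw_message: str) -> list:
    """Return filenames of base64 parts whose decoded content has an MZ header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if str(part.get("Content-Transfer-Encoding", "")).lower() != "base64":
            continue
        payload = part.get_payload(decode=True) or b""
        if looks_like_windows_executable(payload):
            hits.append(part.get_filename() or "(unnamed)")
    return hits
```

A rule built on the decoded bytes also catches executables whose DOS header fields differ from the common stub, which the 16-character text prefix would miss.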