[Esd-l] SWEN identifier: TO/FROM/SUBJECT
Kenneth Porter
shiva at sewingwitch.com
Wed Sep 24 14:03:10 PDT 2003

--On Tuesday, September 23, 2003 5:53 PM -0600 Brett Glass <brett at lariat.org>
wrote:

> At 01:06 PM 9/22/2003, Kenneth Porter wrote:
>
>> Based on observations in comp.mail.sendmail and looking at my growing
>> collection of defanged SWEN messages, it looks very consistent in one trait:
>> The From, To, and Subject headers are all present and *all upper case*.
>
> Yes, this is a defining trait of the Swen worm. I'd use it to filter if I
> were sure that the filter wouldn't catch innocent messages.

Anyone know of legitimate MUAs that upper-case these header names?

I figure I'll just silently discard those executables that match this pattern,
and then quarantine executables without, and this pattern without executables.
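
The triage described in this message, sketched in Python as an added example; it is not code from the original post or from the list. The function names, the list of extensions treated as executable, and the sample messages are assumptions constructed for illustration.

```python
import email

# Header names the post reports as all upper case in Swen mail.
SWEN_HEADERS = ("FROM", "TO", "SUBJECT")
# Assumption: extensions counted as "executable"; the post does not list any.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def has_swen_headers(msg):
    """True when From, To and Subject are all present with upper-case names."""
    names = set(msg.keys())  # the parser keeps each header name's original case
    return all(h in names for h in SWEN_HEADERS)


def has_executable(msg):
    """True when any MIME part has a filename ending in an executable extension."""
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXTS):
            return True
    return False


def triage(raw):
    """Discard pattern+executable; quarantine either one alone; else deliver."""
    msg = email.message_from_string(raw)
    swen, exe = has_swen_headers(msg), has_executable(msg)
    if swen and exe:
        return "discard"
    if swen or exe:
        return "quarantine"
    return "deliver"


def sample(from_name, to_name, subj_name, attachment=None):
    """Build a constructed message using the given header-name spellings."""
    head = (f"{from_name}: a@example.com\n{to_name}: b@example.com\n"
            f"{subj_name}: test\nMIME-Version: 1.0\n")
    if attachment is None:
        return head + "Content-Type: text/plain\n\nhello\n"
    return (head + 'Content-Type: multipart/mixed; boundary="XX"\n\n'
            "--XX\nContent-Type: text/plain\n\nhello\n"
            "--XX\nContent-Type: application/octet-stream\n"
            f'Content-Disposition: attachment; filename="{attachment}"\n\n'
            "AAAA\n--XX--\n")
```

The header check is an exact-case match on the names, so a message with only one or two of the three names in upper case is not treated as matching the pattern.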