#11
That's why I started the reply with "AND".
-- Phil Weldon, pweldonatmindjumpdotcom For communication, replace "at" with the 'at sign' replace "mindjump" with "mindspring." replace "dot" with "."

"Strontium" wrote in message news

Right. That's the 'from' and 'to' lines. Not the body of the message. It also gets email addresses from the body, using the .dbx files. I feel for all those, out there, that are naive enough to even post to usenet with a real address. I learned my lesson, 5yrs ago, after getting 5-10 spams a day after just one post with my real email address. Switched ISPs and stopped using real address. I don't get spam.

- Phil Weldon stood up at show-n-tell, in t, and said:

AND "The worm also can search for e-mail addresses in various newsgroups. It connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all newsgroups on that server and searches recent messages in these newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets e-mail addressed after them and writes them to the GERMS0.DBV file. This way the worm can harvest a lot of e-mail addresses to send itself to." (From FSecure at http://www.f-secure.com/v-descs/swen.shtml .)

"Strontium" wrote in message ...

It gets them from the *.dbx files.

- Phil Weldon stood up at show-n-tell, in , and said:

Not exactly; I believe the 'swen' worm gets the e-mail addresses directly from the newsgroup postings. I opened another new mailbox, posted ONCE to alt.comp.hardware.overclocking, and then killed that newsreader account, but kept the mailbox. It took 17 minutes for the first 'swen-mail' to arrive at that mailbox.

"Triffid" wrote in message ...

Phil Weldon wrote:

'Swen-mail' and the elapsed time between a Usenet newsgroup post with a valid e-mail address and the arrival of the first infected message in the mail box. I created a new mailbox and used it to post to microsoft.public.security.virus. Elapsed time to the first 'swen-mail'; 2 hours 2 minutes.

Which effectively means it took a whole 2 hours before someone using an infected machine read your post. I'm *really* glad I have access to server-side filters and can dump this crud before it clogs my mailbox - the flood has slowed somewhat, but the filters are still deleting a couple of hundred swens daily.

-- Strontium "If you get tired, of satellite flyers. And, fame, has let you down. Under the wire. And, over the Moon, I'm around... When you gonna grow up?" - Angie Aparo
#12
Sheesh;
Maybe, maybe not. Probably not. The 'swen' worm also gets the e-mail addresses off the news servers. "The worm also can search for e-mail addresses in various newsgroups. It connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all newsgroups on that server and searches recent messages in these newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets e-mail addressed after them and writes them to the GERMS0.DBV file. This way the worm can harvest a lot of e-mail addresses to send itself to." (From FSecure at http://www.f-secure.com/v-descs/swen.shtml .)

-- Phil Weldon, pweldonatmindjumpdotcom For communication, replace "at" with the 'at sign' replace "mindjump" with "mindspring." replace "dot" with "."

"Triffid" wrote in message ...

Not exactly; I believe the 'swen' worm gets the e-mail addresses directly from the newsgroup postings.

How do you suppose it does that? There is no evidence of the worm connecting to news servers and reading headers. It doesn't, it waits for the infected user to run his newsreader, scoops addresses from the headers (via files created by the newsreader), and adds them to its list of targets.

I opened another new mailbox, posted ONCE to alt.comp.hardware.overclocking, and then killed that newsreader account, but kept the mailbox. It took 17 minutes for the first 'swen-mail' to arrive at that mailbox.

Exactly. 17 minutes until an infected user read your post.

-- Phil Weldon, pweldonatmindjumpdotcom For communication, replace "at" with the 'at sign' replace "mindjump" with "mindspring." replace "dot" with "."

"Triffid" wrote in message ...

Phil Weldon wrote:

'Swen-mail' and the elapsed time between a Usenet newsgroup post with a valid e-mail address and the arrival of the first infected message in the mail box. I created a new mailbox and used it to post to microsoft.public.security.virus. Elapsed time to the first 'swen-mail'; 2 hours 2 minutes.

Which effectively means it took a whole 2 hours before someone using an infected machine read your post. I'm *really* glad I have access to server-side filters and can dump this crud before it clogs my mailbox - the flood has slowed somewhat, but the filters are still deleting a couple of hundred swens daily.
#13
You're an anal little bitch, aren't you?
- Phil Weldon stood up at show-n-tell, in t, and said:

That's why I started the reply with "AND".

"Strontium" wrote in message news

Right. That's the 'from' and 'to' lines. Not the body of the message. It also gets email addresses from the body, using the .dbx files. I feel for all those, out there, that are naive enough to even post to usenet with a real address. I learned my lesson, 5yrs ago, after getting 5-10 spams a day after just one post with my real email address. Switched ISPs and stopped using real address. I don't get spam.

- Phil Weldon stood up at show-n-tell, in t, and said:

AND "The worm also can search for e-mail addresses in various newsgroups. It connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all newsgroups on that server and searches recent messages in these newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets e-mail addressed after them and writes them to the GERMS0.DBV file. This way the worm can harvest a lot of e-mail addresses to send itself to." (From FSecure at http://www.f-secure.com/v-descs/swen.shtml .)

"Strontium" wrote in message ...

It gets them from the *.dbx files.

- Phil Weldon stood up at show-n-tell, in , and said:

Not exactly; I believe the 'swen' worm gets the e-mail addresses directly from the newsgroup postings. I opened another new mailbox, posted ONCE to alt.comp.hardware.overclocking, and then killed that newsreader account, but kept the mailbox. It took 17 minutes for the first 'swen-mail' to arrive at that mailbox.

"Triffid" wrote in message ...

Phil Weldon wrote:

'Swen-mail' and the elapsed time between a Usenet newsgroup post with a valid e-mail address and the arrival of the first infected message in the mail box. I created a new mailbox and used it to post to microsoft.public.security.virus. Elapsed time to the first 'swen-mail'; 2 hours 2 minutes.

Which effectively means it took a whole 2 hours before someone using an infected machine read your post. I'm *really* glad I have access to server-side filters and can dump this crud before it clogs my mailbox - the flood has slowed somewhat, but the filters are still deleting a couple of hundred swens daily.

-- Strontium "If you get tired, of satellite flyers. And, fame, has let you down. Under the wire. And, over the Moon, I'm around... When you gonna grow up?" - Angie Aparo