SWEN-filter - Getting rid of the fake Microsoft HTML-mails and faked returned mail messages


Veronica Loell

See http://nakawe.sf.net/MMM3 for more information.

Filter:
#====================================================================#
#-- PROGRAM ------: SWEN-virus-spam filter for Magic Mail Monitor 3
#-- (http://mmm3.sf.net) The current rule-file can be
#-- found at http://nakawe.sf.net/MMM3
#-- FILENAME -----: swen-regler5.txt
#-- VERSION ------: 5
#-- DESCRIPTION --: This file describes the rules in SWEN-smartast.magic
#-- COPYRIGHT ----: This document is placed in the public domain
#-- AUTHOR -------: Veronica Loell (e-mail address removed)
#-- FILE CREATED -: 2003-09-26 21:57
#-- LAST CHANGED -: 2003-09-28 06:44
#====================================================================#
Changes in Ver. 5:
Added rule: Att24
Changed /Content-Type: audio/x-wav;/ to /Content-Type: audio/x-*;/
#====================================================================#

Rules in SWEN-smartast.magic Ver. 5
-----
Fake HTML-email:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
The month and year in the text are the system date of the infected computer.
September 2003
January 1998
-----
fakeHTML1 *"* *, Cumulative Patch" update which resolves*
OR *"* *, Cumulative Patch" update which updates*

fakeHTML2 *"* *, Cumulative Patch" update which eliminates*
OR *"* *, Cumulative Patch" update which fixes*

-----
Fake returned mail with attachment:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
* I have seen the following attachments
*.zip
*.com
*.exe
Content-Type: audio/x-wav
Content-Type: audio/x-midi

-----
Att1 <Header> Equals '*Content-Type: audio/x-*; name=*.ade*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.adp*'

Att2 <Header> Equals '*Content-Type: audio/x-*; name=*.asx*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.bas*'

Att3 <Header> Equals '*Content-Type: audio/x-*; name=*.bat*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.chm*'

Att4 <Header> Equals '*Content-Type: audio/x-*; name=*.cmd*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.com*'

Att5 <Header> Equals '*Content-Type: audio/x-*; name=*.cpl*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.crt*'

Att6 <Header> Equals '*Content-Type: audio/x-*; name=*.dbx*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.exe*'

Att7 <Header> Equals '*Content-Type: audio/x-*; name=*.hlp*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.hta*'

Att8 <Header> Equals '*Content-Type: audio/x-*; name=*.inf*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.ins*'

Att9 <Header> Equals '*Content-Type: audio/x-*; name=*.isp*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.js*'

Att10 <Header> Equals '*Content-Type: audio/x-*; name=*.jse*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.lnk*'

Att11 <Header> Equals '*Content-Type: audio/x-*; name=*.mda*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.mdb*'

Att12 <Header> Equals '*Content-Type: audio/x-*; name=*.mde*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.mdz*'

Att13 <Header> Equals '*Content-Type: audio/x-*; name=*.mht*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.msc*'

Att14 <Header> Equals '*Content-Type: audio/x-*; name=*.msi*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.msp*'

Att15 <Header> Equals '*Content-Type: audio/x-*; name=*.mst*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.nch*'

Att16 <Header> Equals '*Content-Type: audio/x-*; name=*.pcd*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.pif*'

Att17 <Header> Equals '*Content-Type: audio/x-*; name=*.prf*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.reg*'

Att18 <Header> Equals '*Content-Type: audio/x-*; name=*.sct*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.shb*'

Att19 <Header> Equals '*Content-Type: audio/x-*; name=*.shs*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.url*'

Att20 <Header> Equals '*Content-Type: audio/x-*; name=*.vb*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.vbe*'

Att21 <Header> Equals '*Content-Type: audio/x-*; name=*.vbs*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.wms*'

Att22 <Header> Equals '*Content-Type: audio/x-*; name=*.wsc*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.wsf*'

Att23 <Header> Equals '*Content-Type: audio/x-*; name=*.wsh*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.zip*'

Att24 <Header> Equals '*Content-Type: audio/x-*; name=*.scf*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.scr*'
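The rule file above is MMM3 configuration, so as an added example (my own code, not MMM3's or the author's) here is the same rule set re-implemented in Python and run over constructed sample messages, so you can see which rule a fake bounce or a fake "Cumulative Patch" notice trips. It assumes MMM3's "Equals" with `*` is a case-sensitive glob over the headers plus the first message lines fetched, with `*` allowed to span line breaks.

```python
import fnmatch

# Attachment extensions in the order of rules Att1..Att24 above (two per rule).
SWEN_EXTENSIONS = [
    "ade", "adp", "asx", "bas", "bat", "chm", "cmd", "com", "cpl", "crt",
    "dbx", "exe", "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk",
    "mda", "mdb", "mde", "mdz", "mht", "msc", "msi", "msp", "mst", "nch",
    "pcd", "pif", "prf", "reg", "sct", "shb", "shs", "url", "vb", "vbe",
    "vbs", "wms", "wsc", "wsf", "wsh", "zip", "scf", "scr",
]

def build_rules():
    """Return {rule_name: [glob, ...]}, mirroring the rule file above."""
    rules = {}
    for i in range(0, len(SWEN_EXTENSIONS), 2):
        rules[f"Att{i // 2 + 1}"] = [
            f"*Content-Type: audio/x-*; name=*.{ext}*"
            for ext in SWEN_EXTENSIONS[i:i + 2]]
    rules["fakeHTML1"] = ['*"* *, Cumulative Patch" update which resolves*',
                          '*"* *, Cumulative Patch" update which updates*']
    rules["fakeHTML2"] = ['*"* *, Cumulative Patch" update which eliminates*',
                          '*"* *, Cumulative Patch" update which fixes*']
    return rules

RULES = build_rules()

def matching_rules(fetched_text, rules=RULES):
    """Names of rules whose OR'd globs match the text MMM3 would fetch
    (headers plus the first message lines). Assumption: MMM3's "Equals"
    with '*' is a case-sensitive glob in which '*' may span line breaks."""
    return [name for name, globs in rules.items()
            if any(fnmatch.fnmatchcase(fetched_text, g) for g in globs)]

# Constructed samples (not real captured messages): a fake bounce whose
# MIME part is declared audio/x-wav but carries a .scr name, a fake
# "Cumulative Patch" notice, and a harmless message.
SAMPLE_BOUNCE = ("Subject: Undeliverable Mail\r\n"
                 "Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
                 "--b1\r\nContent-Type: audio/x-wav; name=\"message.scr\"\r\n"
                 "Content-Transfer-Encoding: base64\r\n")
SAMPLE_PATCH = ("Subject: Security Update\r\n\r\n"
                'Install the "September 2003, Cumulative Patch" update which '
                "eliminates all known security vulnerabilities.\r\n")
SAMPLE_CLEAN = "Subject: lunch?\r\n\r\nSee you at noon.\r\n"

if __name__ == "__main__":
    for text in (SAMPLE_BOUNCE, SAMPLE_PATCH, SAMPLE_CLEAN):
        print(matching_rules(text) or "no rule hit")
```

The globs are as broad as the author wrote them: `*.vb*` also fires on `.vbe` and `.vbs`, and because the `*` after `name=` can run past the end of the line, a matching extension anywhere later in the fetched text triggers the rule too.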
 

Knack

Veronica said:
See http://nakawe.sf.net/MMM3 for more information.

I just tested that Magic Mail Monitor utility. No good. It wasn't able to
resolve the host name of my Earthlink incoming mail server. Every 10 minutes it
polls the host name that I set it for, but it reports "Invalid host!"

BTW, I checked and rechecked the spelling of the Earthlink POP3 server host
name.
 

Veronica Loell

Stupid question but you did unpack the utility before running it?

Knack wrote / skrev:
 

Knack

It's working pretty good folks. I didn't have Zone Alarm set to allow Magic Mail
Monitor (MMM) access to the Internet. Once I enabled Zone Alarm for MMM, the "invalid
host" error disappeared and all the headers on the mail server appeared.

There were over 40 new SwenA spams and worms collecting in my mail account over the
past 12 hours. I got rid of them very quickly with MMM.

A nice feature of MMM is that you can set it to display an adjustable number of
message lines with each header, so that you can make a more informed decision about
whether or not to delete the entire message from the mail server.

If you don't wish to inspect all of the message headers on the mail server and
manually delete the spam and virus/worm messages with MMM, it also has a filter that
you can set to automatically delete various no-pass messages from the server.
 

Knack

The "invalid host" problem has reappeared again; even after ZoneAlarm is set
to permit access to the Internet for Magic Mail Monitor (MMM); even after I
shut down ZoneAlarm. Don't know why it worked before (for a short time).

A valuable feature of the current version of MMM is that it can be set to
inspect an adjustable number of message lines. I've gotten some Swen worm
mail without message headers; making it impossible to filter with OE6.
However, that would not be a problem for MMM,
 

Veronica Loell

Knack wrote / skrev:
The "invalid host" problem has reappeared again; even after ZoneAlarm is set
to permit access to the Internet for Magic Mail Monitor (MMM); even after I
shut down ZoneAlarm. Don't know why it worked before (for a short time).

A valuable feature of the current version of MMM is that it can be set to
inspect an adjustable number of message lines. I've gotten some Swen worm
mail without message headers; making it impossible to filter with OE6.
However, that would not be a problem for MMM,

First off. NEVER shut down ZoneAlarm! I am using it and simply giving
MMM permission is enough.
Second, make sure that "Generic host process for win32" and "services
and controller" have internet access. I'm using w2k so perhaps this is
not the same for other windows versions.

- Veronica Loell
 

James Egan

First off. NEVER shut down ZoneAlarm! I am using it and simply giving
MMM permission is enough.

Nonsense!

Shutting it down is not even enough. It needs to be completely
uninstalled to be certain that it is not causing the problem.

If the problem remains after it is uninstalled then you can safely
reinstall it.

Note that simply running the uninstaller isn't enough. The zonelabs
website contains instructions on completing a satisfactory uninstall.


Jim.
 

Knack

James Egan said:
Nonsense!

Shutting it down is not even enough. It needs to be completely
uninstalled to be certain that it is not causing the problem.

If the problem remains after it is uninstalled then you can safely
reinstall it.

Note that simply running the uninstaller isn't enough. The zonelabs
website contains instructions on completing a satisfactory uninstall.

I just found the cause of that problem. MMM3 normally has to be started
after an Internet connection is established. If MMM3 is started first, and
an Internet connection is made afterward, then MMM3 cannot resolve the host
name; that is, if the server's host name is entered. However if the mail
server's IP address is entered instead of its host name, then it doesn't
matter whether or not an Internet connection was made before starting MMM3;
MMM3 will still eventually be able to connect to the mail server. So unless
one has a cable or DSL Internet connection, I recommend that all other users
enter their mail server's IP address instead of a host name.

~~~ ~~~ ~~~

New problem; very bad. When I set MMM3 for 'Use filter automatically' it
deletes *everything* on the server in my account; not just the messages that
don't pass the enabled filter(s). I guess I'll post a bug report for MMM3 at
www.sourceforge.net
 

Veronica Loell

Knack wrote / skrev:
New problem; very bad. When I set MMM3 for 'Use filter automatically' it
deletes *everything* on the server in my account; not just the messages that
don't pass the enabled filter(s). I guess I'll post a bug report for MMM3 at
www.sourceforge.net

Yeah you should do that. I have not had that problem, I use the
automatic filter application constantly.

- Veronica Loell
 
