[SWEN tiny FAQ] How to filter Swen mails with M$OE 6

Thore Schmechtig

Greetings,

since Swen.A first appeared in the wild around September 18th 2003,
many people have asked how to filter the emails Swen wildly sends to
just about everyone who ever posted in any newsgroup. It's a bit
tricky, at first glance it seems impossible, but it can be done.

Here's how.

Swen emails unfortunately differ in From-, To- and Subject-field, but
you will always find your own valid email-address in the
Envelope-to-field of the email's header. OE unfortunately is unable to
filter emails by the Envelope-to-content, but this doesn't matter. If
you read the above carefully you see that:

Every email that arrives in your inbox and does NOT have your valid
email address in the To- or CC-field is almost guaranteed to be a
Swen-mail (exceptions see below).

To filter them out, do the following (tested with OE 6, earlier
versions may need a slightly different process):



*** BEGIN ***



(Thanks to Phil who helped me with using the correct English names as I
use the German version of OE - the following is a quote from his email)

Open the email rules: Tools\Message Rules\Mail

Create a new rule.

In the first window (Select the conditions for your rule) select the
following:
-Where the To line contains people
-Where the CC line contains people

In the second window (Select the Actions for your rule) select the
following:
-Delete it from server

In the third window (Rule Description...)
-Click on "contains people" and enter your email address, then click on
"Add"
-Your email has now been added, select the email address and click on
"Options"
-Select the second radio button "Message does not contain the people
below"
then "OK" to close.

(end quote from Phil)



*** END ***



Presto - you're done! OE will still have to download the _header_ data,
but not the message body with its 150K worm executable. Ergo you have
far fewer problems.

NOTE THE FOLLOWING:

Mailing lists - at least all lists I know - use a very similar
procedure to send their contents to you, inserting your valid address
in the Envelope-to-field and the basic email address of the list in the
To-field, along with usually adding a list-typical string to the
subject. Obviously this will create false positives with the
above-mentioned email rule that would delete the list messages along
with Swen.
Therefore, if you participate in mailing lists, I suggest you do the
following:



*** BEGIN ***



If you haven't done so until now, create an extra folder for each of
your lists.

Create one email rule for each of your lists with the following:

Subject contains the list-typical string, To-field contains the basic
list email address
Actions to take: Move to the folder created for that list, do not
process any more rules for that mail.

Move all these rules to somewhere ABOVE the rule that deletes
Swen-mails from the server.

(For the details on doing all this, see the description of the
Swen-filtering rule above)



*** END ***



That way, your mailing list messages will be moved to their own folders
while the pesky Swen mails will die while still on your provider's
server.

Hope to have helped...

Tocis (commoner AT carcosa DOT de)
To reply, include HI-AK 523 in the subject or else your mail will be
deleted!
 
Bill

Every email that arrives in your inbox and does NOT have your valid
email address in the To- or CC-field is almost guaranteed to be a
Swen-mail (exceptions see below).


I pointed that out a couple of days ago and someone (I don't remember
who) indicated that it doesn't work, which is nonsense as it has
eliminated 100% of Swen from my mailbox. However, I am filtering at
the server level which means I don't have to download them to keep
them from filling up my message queue. Yes, it does work and it
doesn't delete legitimate mail from individuals. Incidentally, when
dropping my filter for a few hours to test I have noticed a sizable
decrease in Swen mail. Only 75 in an 8 hour period.
 
John

Bill,

I don't fully understand what you mean by "I am filtering at the server
level" or how one does that. There have been some posts that say OE has to
download the e-mail before it can take action. Could you explain how you
have your OE filter set up? Thanks!
 
Bill

I don't fully understand what you mean by "I am filtering at the server
level" or how one does that.


Some ISPs and/or email services have filters on the server that users
can adjust to their own needs, which means you don't have to download
junk. The mail is filtered before it ever gets to OE.
 
Ian.H

I don't fully understand what you mean by "I am filtering at the server
level" or how one does that.


John,

For example, I coded a Perl filtering system as a kind of procmail
replacement (again, another server filtering system). When a mail is sent
to my address, it runs through my filter script and acts accordingly,
before it's ever delivered to my actual mailbox. To make this flexible for
all users, I'm integrating it with a database backend where users will be
able to add / edit / delete their own rules for before mail ever reaches
their mailbox. Eliminates a lot of useless traffic and the likes as the
filtering is done before it's dumped into someone's inbox.


HTH =)



Regards,

Ian

XP trimmed / FU: a.c.v
 
John Coutts

Bill,

I don't fully understand what you mean by "I am filtering at the server
level" or how one does that. There have been some posts that say OE has to
download the e-mail before it can take action. Could you explain how you
have your OE filter set up? Thanks!
****************** REPLY SEPARATOR *********************
You don't use OE to filter at the server level. Our filtering service was smart
enough to detect the first few as "New Worm", and it quarantines virus and Spam
before it even gets to our server. My own account is over 4000 Swen viruses and
counting (about 30 an hour). I did however have to turn the notification
function off, and the filtering service allows me to delete 1000 quarantined
items at a time.
 
Marc

Hi Thore,

When I do as you suggest, I get the following new rule...

"Where the To line does not contain (my email address) and where the CC line
contains people, delete it from server"

But won't this rule delete all mail on which I am a CC recipient? That would
seem to include a lot of valid email, as I am often CC'd on mail to others.

Or am I missing something?
 
YO

It works!! it works!!
Thank you !! Thank you!!
 
Bill ®

But won't this rule delete all mail on which I am a CC recipient? That would
seem to include a lot of valid email, as I am often CC'd on mail to others.


I use the filter of if the mail doesn't specifically include my
address in the TO: or CC: fields delete it. It works.
 
Steve M (remove wax for reply)

Hi Thore,

When I do as you suggest, I get the following new rule...

"Where the To line does not contain (my email address) and where the CC line
contains people, delete it from server"

But won't this rule delete all mail on which I am a CC recipient? That would
seem to include a lot of valid email, as I am often CC'd on mail to others.

Or am I missing something?

No, you're not. I disagree with the advice you've been given and
would not use this rule. I read a couple of mailing lists and my name
does NOT always appear in the To or Cc header.

Also, most of my friends who send jokes and interesting stuff use Bcc.
 
Bill ®

Also, most of my friends who send jokes and interesting stuff use Bcc.


That's where personal preferences make the difference. I don't want to
be on anyone's "bullshit mail list" and therefore certain rules work
for me that may not for you.
 
Jeffrey A. Setaro

Hi Thore,

When I do as you suggest, I get the following new rule...

"Where the To line does not contain (my email address) and where the CC line
contains people, delete it from server"

But won't this rule delete all mail on which I am a CC recipient? That would
seem to include a lot of valid email, as I am often CC'd on mail to others.

Or am I missing something?

No you're not missing a thing... Try this instead.

"Where the To or CC line does not contain <your e-mail address> and
Where the message has an attachment Delete it from server"

That should take care of the bulk of W32/Swen generated messages.
 
Thore Schmechtig

Hi,
When I do as you suggest, I get the following new rule...
"Where the To line does not contain (my email address) and where the CC line
contains people, delete it from server"
But won't this rule delete all mail on which I am a CC recipient? That would
seem to include a lot of valid email, as I am often CC'd on mail to others.
Or am I missing something?

Oops - maybe I missed something :)
There is an option to set the condition "where To- AND CC-Field
contain...". That's the best one to use ;)
 
Adam Russell

Steve M (remove wax for reply) said:
No, you're not. I disagree with the advice you've been given and
would not use this rule. I read a couple of mailing lists and my name
does NOT always appear in the To or Cc header.

Also, most of my friends who send jokes and interesting stuff use Bcc.

It's still a good idea for most people and can probably be modified (if you
will give it a bit of thought) for your exception.
 
FromTheRafters

Steve M (remove wax for reply) said:
No, you're not. I disagree with the advice you've been given and
would not use this rule. I read a couple of mailing lists and my name
does NOT always appear in the To or Cc header.

Also, most of my friends who send jokes and interesting stuff use Bcc.

Whitelist those senders with earlier rules, by stop processing
any further rules on them.
 
»Q«

NOTE THE FOLLOWING:

Mailing lists - at least all lists I know - use a very similar
procedure to send their contents to you, inserting your valid
address in the Envelope-to-field and the basic email address of
the list in the To-field, along with usually adding a list-typical
string to the subject. Obviously this will create false positives
with the above-mentioned email rule that would delete the list
messages along with Swen.

Adding the criterion "Where the message size is more than 135 KB" to the
Swen-killing rule should let such things as list posts through. 135 KB
is a bit low for Swen, but I'll leave it to others to adjust upward if
you like.
 
Randy W

I pointed that out a couple of days ago and someone (I don't remember
who) indicated that it doesn't work, which is nonsense as it has
eliminated 100% of Swen from my mailbox. However, I am filtering at
the server level which means I don't have to download them to keep
them from filling up my message queue. Yes, it does work and it
doesn't delete legitimate mail from individuals. Incidentally, when
dropping my filter for a few hours to test I have noticed a sizable
decrease in Swen mail. Only 75 in an 8 hour period.

I remembered seeing Bill's post about the To: field not having
one's real email address a few days ago, but of course it was
*after* i'd spent a few evenings setting up a few dozen filters
using keywords found in the From: and Subject: fields of the
offending emails.

Based on his post i then cancelled all my keyword filters and
instead setup one single filter to send any message where the
To: field does not contain my actual email address and that
one single filter has sent 100% of the Swen worm emails
directly to my Trash folder ever since, just like it did for him.
I don't see how this couldn't work, since NONE of the thousand
or so worm emails contain my actual email address. Not one.

Thanks Bill :)

I run Eudora Light and i have it set to automatically dial up
every hour, retrieve all my mail then delete it from the server
after downloading it, then it closes the connection. Norton catches
and quarantines virtually every infected file then i just go in a few
times a day and delete them all. I think the Pro/paid version of
Eudora has the added ability to delete mail directly
from the server without having to download it which would be
better yet, but the Light version doesn't have this capability.
No matter, this is all working for me and my inbox is now never
more than 25% full at any given time. In the beginning it was
being packed to capacity within two hours !

I have found some of the worm files in my attachment directory
so apparently some are getting past Norton which makes me think
Norton has some sort of limit to the number of attachments it can
handle and the rest are getting past it. I just send them to the
Recycle Bin whenever i spot one.

Randy
 
FromTheRafters

Randy W said:
I remembered seeing Bill's post about the To: field not having
one's real email address a few days ago, but of course it was
*after* i'd spent a few evenings setting up a few dozen filters
using keywords found in the From: and Subject: fields of the
offending emails.

Based on his post i then cancelled all my keyword filters and
instead setup one single filter to send any message where the
To: field does not contain my actual email address and that
one single filter has sent 100% of the Swen worm emails
directly to my Trash folder ever since, just like it did for him.
I don't see how this couldn't work, since NONE of the thousand
or so worm emails contain my actual email address. Not one.

It does work, and is a pretty good filter for regular spam
as well, but for some people whose friends send a group
mailing with blind carbon copies sometimes, those would
be lost. Some people are on mailing lists which could also
be lost. Rules can be set up to avoid these occurrences
too on a case by case basis.
 
Randy W

FromTheRafters wrote:
It does work, and is a pretty good filter for regular spam
as well, but for some people whose friends send a group
mailing with blind carbon copies sometimes, those would
be lost. Some people are on mailing lists which could also
be lost. Rules can be set up to avoid these occurrences
too on a case by case basis.

So far this hasn't snatched anything other than the Worm-bombs
since setting it up a few days ago but this is good to know because
i am on a few club committees and we have conference calls via
email from time to time. I always roll through the subject lines of
everything in my Trash Folder before permanently emptying it
so now i'll keep a closer eye out for legitimate emails that may
get caught up by the filter. FWIW i'm on several mailing lists and
typically get upwards of a hundred emails a day (Not counting
the few hundred Wormbombs per day i've been getting) and
luckily no legitimate email has been trashed so this method is
working perfectly in my case. It has also caught some spam,
but i only get a few a day anyway and most of them are filtered
to my Spam folder. My filters for that folder contain some real
wacky little international characters and catches almost all of it :)

Thanks for the heads up :)

Randy
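
Added example (not part of any post in this thread): a small Python model of the rule set the thread converges on, run over four constructed messages to show where the original "not in To/Cc" rule deletes legitimate mail and how rule order, the attachment condition and the 135 KB size condition change the outcome. All addresses, the list tag, the folder name and the message sizes are assumptions made up for the illustration; the size is passed in as the server would report it.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MY_ADDRESS = "me@example.org"   # constructed address
SIZE_LIMIT = 135 * 1024         # the 135 KB threshold suggested in the thread
# (subject tag, list address, target folder), all constructed
LIST_RULES = [("[oe-list]", "oe-list@lists.example.org", "Lists/oe-list")]

def recipients(msg, *fields):
    """Lower-cased addresses found in the named header fields."""
    values = [v for f in fields for v in msg.get_all(f, [])]
    return {addr.lower() for _, addr in getaddresses(values)}

def has_attachment(msg):
    return any(part.get_filename() for part in msg.walk())

def naive_rule(msg):
    """First post's rule: delete unless my address is in To or Cc."""
    return "inbox" if MY_ADDRESS in recipients(msg, "To", "Cc") else "delete"

def refined_rules(msg, size):
    """List rules first (stop processing), then the narrowed delete rule."""
    for tag, list_addr, folder in LIST_RULES:
        if tag in msg.get("Subject", "") and list_addr in recipients(msg, "To"):
            return "move:" + folder
    if (MY_ADDRESS not in recipients(msg, "To", "Cc")
            and has_attachment(msg) and size > SIZE_LIMIT):
        return "delete"
    return "inbox"

def make(to, subject, cc=None, attachment=False):
    """Build a constructed sample message."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", to, subject
    if cc:
        msg["Cc"] = cc
    msg.set_content("body")
    if attachment:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename="file.bin")
    return msg

SAMPLES = {  # name: (message, size as reported by the server), all constructed
    "worm_like": (make("someone@example.net", "Patch", attachment=True), 150 * 1024),
    "list_post": (make("oe-list@lists.example.org", "[oe-list] rule order"), 4096),
    "bcc_friend": (make("friend@example.com", "joke of the day"), 2048),
    "cc_with_file": (make("boss@example.com", "report", cc="Me <me@example.org>",
                          attachment=True), 300 * 1024),
}

def run():
    """Map each sample to (naive verdict, refined verdict)."""
    return {n: (naive_rule(m), refined_rules(m, s)) for n, (m, s) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in run().items():
        print(f"{name:13} naive={verdicts[0]:7} refined={verdicts[1]}")
```
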
 
