[Dshield] Swen related 'qmail' question
GuyBarnum at Armscole.com
Tue Sep 30 19:19:56 GMT 2003
Question regarding a flood of fake failed emails since Swen has been breeding in the wild: I have recently been flooded with the fake Microsoft support Swen-attached emails (getting this one under control), but now I'm flooded with fake failed emails, some of which (25% or less?) claim to be an undeliverable qmail message. You can tell the messages that don't mention qmail are still from the same general source; they all look the same, with 3 or 4 lines in the subject regarding a failed email message and the same text in the email, bolded or not bolded, in all of them.
I know this has been reported as one of the emails sent by the Swen virus strain, but ALL of these messages piling up on my system have no attachments and are not HTML emails with any macros or malicious code.
My system in question passes the latest virus scans per Norton Corporate, and all of the to and from addresses in these messages are fake, so they aren't being pulled from my address book. So where are they coming from, and how/why are they getting delivered to my address? Is this just a symptom of infected machines out there on the net which my email address has ended up on somehow, and is being flooded until they clean their system?
Also, with no infected or 'bad' file attachments and with the faked to & from info, how can you block these emails?
I'm looking into the email headers of these msgs, and even though the fake from address doesn't match the sending email host, can I assume they were sent from a real email server? If so, then they could be informed of infected machines on their network to clean up and stop flooding me, right?
Any advice or explanations of how this all works is greatly appreciated, or pointing me to where this has already been covered of course. I would be happy to post up a header or two from these emails, if you want to see one just ask on or off list.
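An added example, not from the post or the list, covering the two things the post asks about: telling a forged "failure notice" from a genuine bounce, and picking out from the Received: headers the relay whose operator can trace the infected sender. The sample message, hostnames, IPs and the set of our own relay addresses are all constructed for illustration.

```python
import re
from email import message_from_string
# Constructed sample (hosts, IPs, addresses made up): a forged "failure notice"
# as the post describes; our server's Received: line on top, ISP relay below.
SAMPLE = """\
Return-Path: <postmaster@example.org>
Received: from relay.isp-example.net (relay.isp-example.net [198.51.100.7])
\tby mail.example.com (Postfix) with ESMTP; Tue, 30 Sep 2003 14:02:11 -0400
Received: from dialup-5.isp-example.net ([203.0.113.5])
\tby relay.isp-example.net with SMTP; Tue, 30 Sep 2003 14:01:55 -0400
From: "qmail-send program" <postmaster@example.org>
To: victim@example.com
Subject: failure notice
Content-Type: text/html

<b>Hi. This is the qmail-send program at example.org.</b>
"""
OUR_RELAY_IPS = {"192.0.2.10"}  # assumed: addresses of our own mail hosts
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse(raw):
    return message_from_string(raw)

def received_ips(msg):
    """Bracketed IPs from Received: headers, newest hop (ours) first."""
    return [m.group(1) for h in msg.get_all("Received", [])
            if (m := IP_RE.search(h))]

def first_external_hop(msg):
    """First relay IP, walking outward from our server, that is not ours.
    Only the Received: line our own server wrote is trustworthy, so that
    relay's operator is who to ask to trace the sender; lower lines may be forged."""
    for ip in received_ips(msg):
        if ip not in OUR_RELAY_IPS:
            return ip
    return None

def looks_like_fake_bounce(msg):
    """Real DSNs (RFC 3464) come from the null sender (Return-Path: <>) as
    multipart/report; a 'failure' mail with a normal sender and HTML body is forged."""
    subject = (msg.get("Subject") or "").lower()
    claims_failure = any(w in subject for w in ("fail", "undeliver", "returned"))
    null_sender = (msg.get("Return-Path") or "").strip() == "<>"
    is_dsn = msg.get_content_type() == "multipart/report"
    return claims_failure and not (null_sender and is_dsn)

if __name__ == "__main__":
    print("fake bounce:", looks_like_fake_bounce(parse(SAMPLE)))        # True
    print("report to operator of:", first_external_hop(parse(SAMPLE)))  # 198.51.100.7
```

The 203.0.113.5 line is only what the ISP relay claims, so the abuse report goes to the operator of 198.51.100.7, who can check their own logs.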