"David Stinson" wrote in message
...
wrote:

Netscape is not going to filter out the stuff on the server. That
quickly fills up and jams everything.

I've got my mail reader set to download mail every 2 minutes, then the
filters take over. That keeps the server clean. Admittedly, if I
didn't
have DSL, it wouldn't work. No dialup could possibly keep up with the
mess.
The ISPs are going to have to do something soon; if you haven't noticed,
a great many regular users are, for all practical purposes, offline.
73 Dave AB5S

I don't think Earthlink seems to care. You end up changing your e-mail
address while they continue to lie about how it is your responsibility to
overcome their software limitations. For them 10 meg is a joke and they
seem to care less if all their mailboxes are always at 10 meg.

"David Stinson" wrote in message
...
wrote:

Netscape is not going to filter out the stuff on the server. That
quickly fills up and jams everything.

I've got my mail reader set to download mail every 2 minutes, then the
filters take over. That keeps the server clean. Admittedly, if I
didn't
have DSL, it wouldn't work. No dialup could possibly keep up with the
mess.
The ISPs are going to have to do something soon; if you haven't noticed,
a great many regular users are, for all practical purposes, offline.
73 Dave AB5S

I don't think Earthlink seems to care. You end up changing your e-mail
address while they continue to lie about how it is your responsibility to
overcome their software limitations. For them 10 meg is a joke and they
seem to care less if all their mailboxes are always at 10 meg.

wrote:

Netscape is not going to filter out the stuff on the server. That
quickly fills up and jams everything.

I've got my mail reader set to download mail every 2 minutes, then the
filters take over. That keeps the server clean. Admittedly, if I
didn't
have DSL, it wouldn't work. No dialup could possibly keep up with the
mess.
The ISPs are going to have to do something soon; if you haven't noticed,
a great many regular users are, for all practical purposes, offline.
73 Dave AB5S

"David Stinson" wrote in message
...
wrote:

I just changed my e-mail address. Dave, what filter are you using?
Earthlink does not allow that kind of filtering, as far as I can tell.

I'm using the filters in my Netscape mail reader.
No way I'm changing my email address- too many years,
accounts and friends invested in this one.
73 Dave S.

Netscape is not going to filter out the stuff on the server. That
quickly fills up and jams everything.

wrote:

I just changed my e-mail address. Dave, what filter are you using?
Earthlink does not allow that kind of filtering, as far as I can tell.

I'm using the filters in my Netscape mail reader.
No way I'm changing my email address- too many years,
accounts and friends invested in this one.
73 Dave S.

"David Stinson" wrote in message
...
I'm having good success with filtering the SWEN worm garbage
using these filter terms (*letter case and phrases count*):

Filtering for SUBJECT:
Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
User unknown, Returned to Mailer, Critical, failure,
Letter, Advice, Announcement, Message, Latest, Bug, Error,
Notice, Network, Security, Undelivered Mail, Status Notification,
Undeliverable.

Filtering for SENDER:
Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
webservice, Message, Mail Delivery, webbot

So far, it's nailing about 95% of the stuff.
Be sure to check trash before deleting it, since
I was catching one "good" user when I included "ms"
uncapitalized by mistake.

Good luck weathering the storm,
Dave Stinson AB5S


I started to kill the beast using filters, but there always seemed to be a
couple of new ones needed for each new onslaught.

I found that it was much less frustrating to use my Norton Antivirus which
has an email option that automatically sends anything containing a virus in
its definitions file (which was automatically updated to include swen)
directly to the Deleted Items folder without human intervention. Then I
check that folder when convenient before deleting everything with a click.
So far it's worked 100%.

Marty K1FHR

In article ,
David Stinson wrote:
I'm having good success with filtering the SWEN worm garbage
using these filter terms (*letter case and phrases count*):

Filtering for SUBJECT:
Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
User unknown, Returned to Mailer, Critical, failure,
Letter, Advice, Announcement, Message, Latest, Bug, Error,
Notice, Network, Security, Undelivered Mail, Status Notification,
Undeliverable.

Filtering for SENDER:
Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
webservice, Message, Mail Delivery, webbot

So far, it's nailing about 95% of the stuff.
Be sure to check trash before deleting it, since
I was catching one "good" user when I included "ms"
uncapitalized by mistake.

Good luck weathering the storm,
Dave Stinson AB5S

*IF* you can filter on message _body_ content, the following couple of
rules catch practically *every* email-carried virus:

rule 1: a blank line (defined as -zero- or more spaces and/or tabs only)
followed by a line that begins with the three characters 'TVq'.
(this will catch *any* base64-encoded MS executable, so it could
be a problem if people _legitimately_ send you .EXE files as
attachments.)
rule 2: the character string "iframe", with the string "cid:" occuring
'somewhat' later. EVERY occurance of this form of exploit attempt
has had the 'iframe', and 'cid:' on the same line, but they don't
_have_ to be. (this one even catches the stupid 'bounce' messages
that result from the virus having forged _your_ address as the
sender, but where the 'executable content' [that woould trigger
rule 1] has been stripped out by the recipient's virus-filter
software.

I also use a 3rd rule, specifically targetted at the fake "MS security update"
emails -- it's similar to rule 1:

rule 3: a blank line (defined as -zero- or more spaces and/or tabs only)
followed by a line that begins with the three characters 'R0l'.
(that's a capital R, the digit -zero-, and a lower-case L)
This one may be too agressive for many people. it'll trigger on
*any* .GIF file attachment.


The *ideal* tool for doing this kind of filtering is a utility known as
'procmail', installed *on* the mail-server. It processes mail _as_it_arrives_,
*before* delivery to your mailbox. Using the above rules, with a 'throw the
message away' action when triggered, your inbox doesn't fill with clutter,
nor require 'frequent' draining.

I have the luxury of running my own mailserver (on a Unix box), _with_ procmail
installed. It's dumped over *three*hundred*megabytes* of these mails within
the last 20 hours. That's 2000+ messages. _Six_ messages, that had had the
'executable content' removed, managed to get through to my inbox.

"David Stinson" wrote in message
...
I'm having good success with filtering the SWEN worm garbage
using these filter terms (*letter case and phrases count*):

Filtering for SUBJECT:
Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
User unknown, Returned to Mailer, Critical, failure,
Letter, Advice, Announcement, Message, Latest, Bug, Error,
Notice, Network, Security, Undelivered Mail, Status Notification,
Undeliverable.

Filtering for SENDER:
Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
webservice, Message, Mail Delivery, webbot

So far, it's nailing about 95% of the stuff.
Be sure to check trash before deleting it, since
I was catching one "good" user when I included "ms"
uncapitalized by mistake.

Good luck weathering the storm,
Dave Stinson AB5S

I just changed my e-mail address. Dave, what filter are you using?
Earthlink does not allow that kind of filtering, as far as I can tell.

In article ,
David Stinson wrote:
I'm having good success with filtering the SWEN worm garbage
using these filter terms (*letter case and phrases count*):

Filtering for SUBJECT:
Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
User unknown, Returned to Mailer, Critical, failure,
Letter, Advice, Announcement, Message, Latest, Bug, Error,
Notice, Network, Security, Undelivered Mail, Status Notification,
Undeliverable.

Filtering for SENDER:
Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
webservice, Message, Mail Delivery, webbot

So far, it's nailing about 95% of the stuff.
Be sure to check trash before deleting it, since
I was catching one "good" user when I included "ms"
uncapitalized by mistake.

Good luck weathering the storm,
Dave Stinson AB5S

*IF* you can filter on message _body_ content, the following couple of
rules catch practically *every* email-carried virus:

rule 1: a blank line (defined as -zero- or more spaces and/or tabs only)
followed by a line that begins with the three characters 'TVq'.
(this will catch *any* base64-encoded MS executable, so it could
be a problem if people _legitimately_ send you .EXE files as
attachments.)
rule 2: the character string "iframe", with the string "cid:" occuring
'somewhat' later. EVERY occurance of this form of exploit attempt
has had the 'iframe', and 'cid:' on the same line, but they don't
_have_ to be. (this one even catches the stupid 'bounce' messages
that result from the virus having forged _your_ address as the
sender, but where the 'executable content' [that woould trigger
rule 1] has been stripped out by the recipient's virus-filter
software.

I also use a 3rd rule, specifically targetted at the fake "MS security update"
emails -- it's similar to rule 1:

rule 3: a blank line (defined as -zero- or more spaces and/or tabs only)
followed by a line that begins with the three characters 'R0l'.
(that's a capital R, the digit -zero-, and a lower-case L)
This one may be too agressive for many people. it'll trigger on
*any* .GIF file attachment.


The *ideal* tool for doing this kind of filtering is a utility known as
'procmail', installed *on* the mail-server. It processes mail _as_it_arrives_,
*before* delivery to your mailbox. Using the above rules, with a 'throw the
message away' action when triggered, your inbox doesn't fill with clutter,
nor require 'frequent' draining.

I have the luxury of running my own mailserver (on a Unix box), _with_ procmail
installed. It's dumped over *three*hundred*megabytes* of these mails within
the last 20 hours. That's 2000+ messages. _Six_ messages, that had had the
'executable content' removed, managed to get through to my inbox.

David Stinson wrote:

I'm having good success with filtering the SWEN worm garbage
using these filter terms (*letter case and phrases count*):

Filtering for SUBJECT:
Pack, Net Security, Upgrade, Update, Internet, Returned Mail,
User unknown, Returned to Mailer, Critical, failure,
Letter, Advice, Announcement, Message, Latest, Bug, Error,
Notice, Network, Security, Undelivered Mail, Status Notification,
Undeliverable.

Filtering for SENDER:
Microsoft, MS, Internet, network, Net Email, Administrator, Customer,
webservice, Message, Mail Delivery, webbot

So far, it's nailing about 95% of the stuff.
Be sure to check trash before deleting it, since
I was catching one "good" user when I included "ms"
uncapitalized by mistake.

Good luck weathering the storm,
Dave Stinson AB5S


Now THAT is an example of a GREAT post! THANK YOU!!!
I just set up the filters using your info and it works great!