Re: How do I stop SPAM from Microsoft?
From: Chuck (cacrollthespam_at_yahoo.com)
Date: 10/30/03
- Next message: Cubit: "Re: Webpage dialed my modem to ?"
- Previous message: Dinis Cruz: "Security issues with Asp.Net in Shared Hosting Environments"
- In reply to: Bob Jones: "How do I stop SPAM from Microsoft?"
- Next in thread: Alan: "Re: How do I stop SPAM from Microsoft?"
Date: 30 Oct 2003 15:57:07 -0600
On Thu, 30 Oct 2003 13:17:16 -0800, "Bob Jones"
<anonymous@discussions.microsoft.com> wrote:
>My mailbox is filled daily with messages from Microsoft
>labeled "Latest Network Security Upgrade," "Latest Net
>Critical Patch," "Current Internet Critical Patch," etc.
>
>There is no option to opt out of these messages, and they
>all carry different return addresses, so I can't block
>them.
>
>Is there any way to stop these messages?

You have to report them to the ISPs, who then have to notify their
customers.

Most advice will tell you to filter the sh!t. Or just hit delete.
Neither solution will stop it.

The only way to stop Swen spam is to report the infected computers.
Swen has been known for so long that most anybody who knows anything
about computers is protected against it. The only ones left with
infected computers are the truly clueless. They will never fix their
computers on their own.

I started reporting each Swen email several weeks ago, when I was
getting 75 - 100 / day. This was a fscking nuisance, but I have
gotten none for the past week - all the computers that were hitting me
have either been taken offline or cleaned. You need to report each
infection as soon as you can; each email you're getting is also going
to somebody else who may become infected and make the problem worse.

There is one and only one valid way to identify the reporting address
for the infected computer, which requires that you examine the
headers. Here is an example:

####### Start Example #######
Return-Path: <gabriele.sgarzoni@tiscalinet.it>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
    by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487
    for <xxxxxxxx@lds.xxxx.net>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
    by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
    for <xxxxxxxx@xxxx.net>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
    id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Date: Sun, 5 Oct 2003 23:01:27 +0200 (added by
    postmaster@mail-6.tiscali.it)
Message-ID: <3F79B1480042D178@mail-6.tiscali.it> (added by
    postmaster@mail-6.tiscali.it)
FROM: "Security Division" <wsuhigrormafj@ndezew.ms.com>
TO: "Commercial Customer" <customer_dzllfopr@ndezew.ms.com>
SUBJECT: Latest Network Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vjwtmhybcefqo"
X-Spam-Status: Yes, hits=5.9 required=5.0
    tests=ALL_CAPS_HEADER,MICROSOFT_EXECUTABLE,MIME_HTML_NO_CHARSET,
    MSG_ID_ADDED_BY_MTA,RCVD_IN_MULTIHOP_DSBL,
    RCVD_IN_UNCONFIRMED_DSBL,SPAM_PHRASE_00_01
    version=2.43
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)

Microsoft Customer
this is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities.
This update includes the functionality of all previously released
patches.
BLAH BLAH BLAH
####### End Example #######

The infected computer, in the example, is adqy (62.11.181.97).

10/6/2003 10:08:03 whois -h whois.ripe.net 62.11.181.97
remarks: | PLEASE CONTACT OUR ABUSE DIVISION (abuse@tiscali.it) |
remarks: | FOR ABUSE and-or SPAM COMPLAINTS. |

Send this complaint, with full headers, to abuse@tiscali.it.

There are any number of online whois lookup tools. I use All-NetTools
( http://www.all-nettools.com/tools1.htm ) and Broadband Reports (
http://www.dslreports.com/whois ).

Also, there are several tools which you can install. I use Sam Spade
( http://www.samspade.org/ssw/ ) and TESP ABouncer (
http://www.tesp.com/abounce/ ). Both contain whois and other tools,
and both help you format and send the complaint.

Any reports you send need to be very objective; I have learned from
others that subjective, whiny complaints do not result in 100%
success. My reports did. You have to be patient, too. Most ISPs
won't fix the problem in a day. Just keep reporting each email, as
you receive it.

Using TESP, I wrote and emailed a report (for this example) as
follows:

To: abuse@tiscali.it
R33437 UBE from your network, containing virus: "Latest Network
Security Pack"

The attached Unsolicited Bulk Email (UBE) "Latest Network Security
Pack", which appears to contain copies of the Swen (Gibe) virus,
appears to originate from your network. Please take appropriate
action.

- - - - - - - - Begin Attached Message - - - - - - - -
Return-Path: <gabriele.sgarzoni@tiscalinet.it>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
    by eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487
    for <xxxxxxxx@lds.xxxx.net>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
    by a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
    for <xxxxxxxx@xxxx.net>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
    id 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Date: Sun, 5 Oct 2003 23:01:27 +0200 (added by
    postmaster@mail-6.tiscali.it)
Message-ID: <3F79B1480042D178@mail-6.tiscali.it(added by
    postmaster@mail-6.tiscali.it)
FROM: "Security Division" <wsuhigrormafj@ndezew.ms.com>
TO: "Commercial Customer" <customer_dzllfopr@ndezew.ms.com>
SUBJECT: Latest Network Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vjwtmhybcefqo"
X-Spam-Status: Yes, hits=5.9 required=5.0
    tests=ALL_CAPS_HEADER,MICROSOFT_EXECUTABLE,MIME_HTML_NO_CHARSET,
    MSG_ID_ADDED_BY_MTA,RCVD_IN_MULTIHOP_DSBL,
    RCVD_IN_UNCONFIRMED_DSBL,SPAM_PHRASE_00_01
    version=2.43
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)

Microsoft Customer
this is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities.
This update includes the functionality of all previously released
patches.
BLAH BLAH BLAH
Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
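
Added example, not part of the original post: a Python sketch of the header reading described above. It walks the Received lines from the recipient's own server downward and stops at the first hop the receiving server could not resolve by name. The function names, the chain rule and the final forged Received line are assumptions made for illustration.

```python
import re
from email import message_from_string

# Headers copied from the post's example, plus one constructed forged Received
# line (documentation addresses) appended to show that it is ignored.
SAMPLE = """\
Return-Path: <gabriele.sgarzoni@tiscalinet.it>
Received: from a.mx.xxxx.net (eth0.a.mx.xxxx.net [208.201.249.230])
\tby eth0.b.lds.xxxx.net (8.12.10/8.12.9) with ESMTP id h95L6baQ017487
\tfor <xxxxxxxx@lds.xxxx.net>; Sun, 5 Oct 2003 14:06:37 -0700
Received: from mail-6.tiscali.it (mail-6.tiscali.it [195.130.225.152])
\tby a.mx.xxxx.net (8.12.10/8.12.7) with ESMTP id h95L6ZF6000997
\tfor <xxxxxxxx@xxxx.net>; Sun, 5 Oct 2003 14:06:35 -0700
Received: from adqy (62.11.181.97) by mail-6.tiscali.it (6.7.019)
\tid 3F79B1480042D178; Sun, 5 Oct 2003 23:01:27 +0200
Received: from mail.example.org (192.0.2.55) by adqy
\tid CONSTRUCTED; Sun, 5 Oct 2003 22:00:00 +0200
SUBJECT: Latest Network Security Pack

"""

# "from HELO (RDNS [IP])" or "from HELO (IP)", followed by "by SERVER".
HOP = re.compile(r"from\s+(\S+)\s+\((?:([^()\s]+)\s+\[)?"
                 r"(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return Received hops, newest first; stop at the first unparsable one."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            break
        helo, rdns, ip, by = m.groups()
        hops.append({"helo": helo.lower(), "rdns": rdns, "ip": ip, "by": by.lower()})
    return hops

def injecting_host(raw):
    """Walk down from our own server; return (ip, recording_server) or None."""
    hops = parse_hops(raw)
    if not hops:
        return None
    current = hops[0]
    for older in hops[1:]:
        # Follow the chain only through relays the receiving server resolved by
        # name, and only if the next header was written by that same relay.
        # HELO names are sender-supplied, so this is a heuristic, not proof.
        if current["rdns"] is None or older["by"] != current["helo"]:
            break
        current = older
    return current["ip"], current["by"]

if __name__ == "__main__":
    print(injecting_host(SAMPLE))
```

The IP it returns is the one to feed to whois; the second value is the mail server that recorded the connection.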