
Re: Earthlink and Swen



On Fri, Dec 05, 2003 at 04:52:27PM -0500, Paul Morgan wrote:
> On Thu, 04 Dec 2003 22:56:59 -0800, Ross Boylan wrote:
> 
> > On Thu, Dec 04, 2003 at 03:08:23PM -0500, Paul Morgan wrote:
> > ...
> >> I have all services locked down to localhost; my only connections to
> >> the outside world are mail, news via nntpcached, web via squid... I run
> >> Apache but it too is locked down to localhost.  My mail is run through my
> >> ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd
> >> be getting like 10 Svens per day). I do see, from time to time, Apache
> >> refusing connections attempts which are generally attacks by Windoze worms.
> > 
> > I had a long talk with earthlink a month or two ago in which they told
> > me they were not filtering out swen (and they certainly weren't; I got
> > a ton).  Soon after that, I did see some swen-like stuff in their spam
> > filter for my account (but I also saw plenty still coming at me).
> > 
> > What's your basis for saying they are filtering out swen, rather than
> > that you're just getting less swen?
> 
> I have no idea why you are attacking my veracity.  My statement is fact.

Well, try reading a little harder.  And generally, if someone asks you
"why is something true?" responding "because it's a fact" doesn't add
much. 

First, I'm not attacking your veracity, I'm asking what the basis is
for your statements.  Yes, I do find them a little hard to believe.

Second, the reason I'm surprised is based on my own experience with
earthlink, including their explicit statements that they weren't
blocking Swen.

What the mail you attached below is supposed to demonstrate, I don't
know.  You don't provide any context with which to understand it.
This is mail you sent?  received? both?
Perhaps the statements about Earthlink Virus blocking are meant as
proof of something, but considering how much forged stuff is floating
around I don't think it's very strong proof.  Why would some foreign
system be informing you about earthlink's filtering arrangements?  The
mail is obviously filled with forged headers since the FROM doesn't
match the return path and the TO doesn't match you (assuming the mail
was to you).

My idea of a convincing demonstration that earthlink is doing
something useful would be that you look at what's caught in
earthlink's filters, and see x swen's/day.

My aggravation level with earthlink just went up a notch, as I
attempted to file a problem report with them and again encountered
their usual "go away" level of technical support (I filed something
via their inadequate web form, since they've stopped listening to
support@earthlink.net.  They sent me back a reply that didn't address
my problem, saying to write back if the problem wasn't solved.  I
wrote back.  They sent me a reply saying they had lost the original
problem report, so couldn't handle my response!).  I wish I knew of a
decent ISP.

> 
> >From - Fri Dec  5 15:57:48 2003
> X-UIDL: 1asa4W2Al3NZFop0
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 08000000
> Status:  U
> Return-Path: <transp@bancorp.ru>
> Received: from mail.telebit.ru ([217.107.81.59])
> 	by coot (EarthLink SMTP Server) with ESMTP id 1asa4W2Al3NZFop0
> 	Thu, 4 Dec 2003 23:08:41 -0800 (PST)
> Received: from [81.25.172.123] (HELO qivz)
>   by mail.telebit.ru (CommuniGate Pro SMTP 4.1.6)
>   with SMTP id 3349026; Fri, 05 Dec 2003 10:07:59 +0300
> FROM: "Email System" <webrobot@microsoft.com>
> TO: "Mail Receiver" <client@yourserver.com>
> SUBJECT: Failure Letter
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="tkvyqd"
> Date: Fri, 05 Dec 2003 10:08:00 +0300
> Message-ID: <auto-000003349026@mail.telebit.ru>
> X-ELNK-AV: 1
> 
> Content-Type: text/html
> Content-Transfer-Encoding: quoted-printable
> 
> <HTML>You currently have EarthLink Virus Blocker powered by Symantec enabled.<br>The following attachments were infected and have been repaired:<br><br>No attachments are in this category.<br>
> <br>The following infected attachments were deleted:<br><br>1. fdbq.exe: W32.Swen.A@mm<br>
> <br>------------ Original message text follows ------------<br><br>
> 
> <HEAD></HEAD>
> <BODY>
> <iframe src=3D"cid:bbhhysgma" height=3D0 width=3D0></iframe>
> <BR><BR>Hi.
> <BR>This is the qmail program<BR>
> <BR><BR><BR>Undeliverable to <B>bwjkue@microsoft.com</B>
> </BODY></HTML>
> 
> Content-Type: text/plain;
> 	name="DELETED0.TXT"
> Content-Transfer-Encoding: base64
> Content-Id: <bbhhysgma>
> 
> ZmlsZSBhdHRhY2htZW50OiBmZGJxLmV4ZQ0KDQpUaGUgZmlsZSBhdHRhY2hlZCB0byB0aGlz
> IGVtYWlsIHdhcyByZW1vdmVkIGJlY2F1c2UgaXQgaXMgaW5mZWN0ZWQgd2l0aCB0aGUgVzMy
> LlN3ZW4uQUBtbSB2aXJ1cy4NCg==
> 
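The header comparison described in the reply above (FROM against the return path, TO against the actual recipient), written out as an added example that is not part of the original thread. The function names are hypothetical, and "earthlink.net" as the recipient's domain is an assumption; the sample headers are copied from the quoted notification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the notification quoted in the post.
SAMPLE = """\
Return-Path: <transp@bancorp.ru>
Received: from mail.telebit.ru ([217.107.81.59])
\tby coot (EarthLink SMTP Server) with ESMTP id 1asa4W2Al3NZFop0
\tThu, 4 Dec 2003 23:08:41 -0800 (PST)
Received: from [81.25.172.123] (HELO qivz)
  by mail.telebit.ru (CommuniGate Pro SMTP 4.1.6)
  with SMTP id 3349026; Fri, 05 Dec 2003 10:07:59 +0300
FROM: "Email System" <webrobot@microsoft.com>
TO: "Mail Receiver" <client@yourserver.com>
SUBJECT: Failure Letter
X-ELNK-AV: 1

"""

def domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def relay_path(raw):
    """(from, by) pairs in the order the message travelled.
    Each server prepends its Received line, so the list is reversed."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        sender = re.search(r"\bfrom\s+(\S+)", value)
        receiver = re.search(r"\bby\s+(\S+)", value)
        hops.append((sender.group(1) if sender else "?",
                     receiver.group(1) if receiver else "?"))
    return hops[::-1]

def header_findings(raw, recipient_domain):
    """Header inconsistencies of the kind the post points out (signals to weigh)."""
    msg = message_from_string(raw)
    findings = []
    if domain(msg["From"]) != domain(msg["Return-Path"]):
        findings.append("from-differs-from-return-path")
    if domain(msg["To"]) != recipient_domain:
        findings.append("to-is-not-the-recipient")
    return findings

if __name__ == "__main__":
    # "earthlink.net" as the recipient's domain is an assumption.
    print(header_findings(SAMPLE, "earthlink.net"))
    for sender, receiver in relay_path(SAMPLE):
        print(sender, "->", receiver)
```

Only the topmost Received line is written by the recipient's own provider; everything below it is supplied by earlier hops and can be set by the sender.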


