Closed Bug 223472 Opened 22 years ago Closed 22 years ago

Microsoft Service Pack Sven worm emails and bounce messages therefrom not junk filtered

Categories

(MailNews Core :: Filters, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 218942

People

(Reporter: hacksoncode, Assigned: sspitzer)

Details

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031002 Firebird/0.7+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031002 Firebird/0.7+

I get huge numbers of virus messages indicating that a new Microsoft Service Pack needs to be installed. These messages are all essentially identical, and are sent by the so-called "Sven Worm". Additionally, I get enormous numbers of bounce messages from Sven messages, likely due to my having been spoofed as the sender (as far as I can ascertain, my machines have never been infected with this worm).

I dutifully train every one of these things that arrives, and still the junk filter lets them through. By now (literally hundreds of these later), I would have expected the terms that appear in these messages to be so reviled by the filter that I would start losing real mail, but the worm messages are undeterred. I suspect that this

Reproducible: Always

Steps to Reproduce:
1. Be targeted by Sven.
2. Train many Sven messages and bounce messages.
3. Await additional Sven messages.

Actual Results: Tons of them continue to get through, though quite a few apparently identical ones are also caught.

Expected Results: After enough training, Sven messages should be extremely easy to filter.

I have to imagine that this might have to do with the internal structure of the worm. For one thing, the messages are all base64 encoded, and consist of sophisticated HTML. I will attach text-only versions of the Sven message and one of its bounces.

The potential for dataloss inherent in being swamped by these messages is why I have marked it critical, in spite of the fact that my company firewall strips the active payload. I'm, of course, amenable to reduction in this severity :-)...

*** This bug has been marked as a duplicate of 218942 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Product: MailNews → Core
Product: Core → MailNews Core