What the hell is going on - SOBIG.F

Tim Wunder tim
Mon May 17 11:52:11 PDT 2004 

On Sunday 31 August 2003 1:32 pm, someone claiming to be Bill Campbell wrote:
> On Sun, Aug 31, 2003, Gerry Doris wrote:
> >I have received several emails infected with Sobig.F supposedly from
> >the list as well a pile of notices from various list members that they
> >received infected messages.
>
> Most of the e-mail worms that attack the Microsoft virus, Windows forge the
> headers so they appear to some somebody other than the real sender.
>

AFAICT, it's only forging the From: address. The "Received From" headers seem 
to be unaffected, unless it's changed since it first came out...

I don't suspect you are infected, but I believe someone who uses an
 smtp server connected to your network is (or was). Case in point an e-mail 
sent to the list on 8/22 containing the subject "RE: Thank You" (one of the 
tell-tail subject lines) had the following in the header:
<header quote>
Received: from JOJO (grdsl-94.dsl.utk.edu [160.36.224.95])
        by kumerik.celestial.com (Postfix) with ESMTP id 387D828885
        for <linux-users at linux-sxs.org>; Fri, 22 Aug 2003 20:07:10 -0500 (CDT)
</header quote>

I tried sending a message directly to you at the time, but recieved a failure 
notice:
        Permanent Failure: 
554_Service_unavailable;_[216.148.227.85]_blocked_using_rbl.celestial.net,_reason:_Blocked_for_spamming_from_IP=216.148.227.85
        Delivery last attempted at Sat, 23 Aug 2003 03:13:11 -0000

I was able to determine the source of an infection at work by using the 
Received From header. It allowed me to trace the infection to a specific 
machine, one that, for some reason, had it's anti-virus software turned off 
:-(

<snip>
>
> My guess is that the volume of mail messages from the so-called virus
> scanning software to the forged sender addresses probably is greater than
> the volume of actual worms.
>

I doubt it, but it sure seems that way sometimes :-(

Regards, 
Tim

-- 
RedHat 8.0 Kernel 2.4.20-19.8,  KDE 3.1.3, Xfree86 4.2.1
  3:10pm  up 8 days, 21:07,  2 users,  load average: 0.21, 0.22, 0.15
It's what you learn after you know it all that counts

More information about the Linux-users mailing list