In-Reply-To: <web-16317232at_private>

Sobig.F spoofs the "From" and Return-Path header addresses when it sends itself out, using addresses it found on the infected machine. This can lead to infected emails appearing to come "from" a user who isn't infected. If any of these emails bounce, the owner of the spoofed "From" address will receive the bounce messages.

Basically, when Sobig infects a system, it scans various files (.dbx, .eml, .hlp, .htm, .html, .mht, .wab, .txt in the case of Sobig.F) and builds a list of all the email addresses it can find. It then sends emails to the addresses, but for each address it sends to, it picks a random address from the list to be the unwitting "sender" of the worm. Rarely, if ever, will the From address indicate the real sender.

Every Sobig variant I've seen will use the infected machine's name in the HELO/EHLO string it sends to the SMTP server, and this is usually shown in the Received: headers. If you examine the headers, it's easy to tell if they're all coming from one sender, or several.

KJP

-------
> Heh, anyone else seeing this, or am I being targeted? Getting a lot of bounce-backs saying I'm sending off virii, which is impossible
> because I'm not infected. It also looks like I'm getting a ton from 'security people's' email addresses:
> sans/securityfocus.com/other people. Maybe someone released the virus using a list of people from security lists?
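The header check KJP describes, as an added example that is not part of the original post or of any tool mentioned in the thread: it takes a pile of worm copies or bounce-returned originals, reads the earliest Received: header of each (the hop where the injecting host spoke HELO/EHLO to the first MTA), and groups the messages by that HELO name and connecting IP. One origin with many different From: addresses points at a single infected machine; many origins mean the worm is simply sweeping address books. The three messages below are constructed samples (RFC 5737 example addresses and made-up host names), and the Received: line format assumed is the common "from HELO (rdns [ip]) by ..." form that most MTAs write; MTAs that write a different form would need the regular expression adjusted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real captures). Two come from the same
# infected host, which announced itself as WORKSTATION17, but each claims a
# different From: address; the third comes from a different host entirely.
SAMPLES = [
    "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP id h7K1; Wed, 20 Aug 2003 10:00:01 -0700\n"
    "Received: from WORKSTATION17 (dsl-10-0-0-5.example.net [10.0.0.5])\n"
    "\tby mx.example.org with SMTP id h7K0; Wed, 20 Aug 2003 10:00:00 -0700\n"
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: Re: Details\n"
    "\n"
    "See the attached file for details.\n",

    "Received: from WORKSTATION17 (dsl-10-0-0-5.example.net [10.0.0.5])\n"
    "\tby mx.example.org with SMTP id h7K2; Wed, 20 Aug 2003 10:05:00 -0700\n"
    "From: carol@example.net\n"
    "To: bob@example.org\n"
    "Subject: Your details\n"
    "\n"
    "Please see the attached file.\n",

    "Received: from HOMEPC ([203.0.113.7])\n"
    "\tby mx.example.org with SMTP id h7K3; Wed, 20 Aug 2003 11:00:00 -0700\n"
    "From: dave@example.com\n"
    "To: bob@example.org\n"
    "Subject: Thank you!\n"
    "\n"
    "Please see the attached file.\n",
]

# "from <HELO> (<optional rdns> [<ip>])" as written by most MTAs; the rDNS
# name is optional because many MTAs omit it when the lookup fails.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)


def first_hop(raw):
    """Return (helo, ip) for the SMTP client that injected the message, or None."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Received: headers are prepended as the mail travels, so the last one is
    # the earliest hop. Fold the continuation lines into one string first.
    earliest = " ".join(received[-1].split())
    m = RECEIVED_RE.search(earliest)
    if not m:
        return None
    return m.group("helo"), m.group("ip")


def sender_origins(messages):
    """Map each injecting (helo, ip) to the set of From: addresses it claimed."""
    origins = {}
    for raw in messages:
        hop = first_hop(raw)
        if hop is None:
            continue  # unparseable or missing Received: header; skip it
        claimed = parseaddr(message_from_string(raw)["From"] or "")[1]
        origins.setdefault(hop, set()).add(claimed)
    return origins


def report(messages):
    """Human-readable summary: one line per origin host with its claimed senders."""
    lines = []
    for (helo, ip), senders in sorted(sender_origins(messages).items()):
        lines.append(f"{helo} [{ip}] sent as: {', '.join(sorted(senders))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLES))
```

If every message in the batch maps to the same HELO/IP pair, the bounces are coming from one infected machine regardless of how many different From: addresses it is borrowing, and that HELO name is the machine to hunt for.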
This archive was generated by hypermail 2b30 : Wed Aug 20 2003 - 16:36:00 PDT