Chip Mefford wrote

> As of ~0930 GMT -5, we started seeing a large
> group of emails containing Win32/Sobig.F@mm
> more in the last 2 hours than we've seen in the
> last 4 months. Coming from different netblocks
> as well.

Oh, yes. This is huge. I've gotten hundreds so far. All come through low-priority MXs, and they appear to use the same list of addresses to fake the "From" field and the recipient.

About 1/10 of the incoming infected messages are "returned mail" notifications from over quota, no such address, etc. Some of them are from mail servers that are _STILL_ in this day and age configured to return virus-infected mail intact.

This means that badly configured or inflexible antivirus screeners are helping to distribute the virus by returning it to the "From" address faked by the virus.
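The "returned mail" case described above can be separated from direct infected mail at the receiving side. The following is an added example, not part of the original post: it flags bounces that carry an executable attachment back intact, assuming the delivering MTA records the envelope sender in a `Return-Path` header; the extension list, function names and sample message are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed local policy list of executable attachment extensions (not from the post).
RISKY_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}

def is_bounce(msg):
    """True for a null return path, a multipart/report DSN, or a daemon sender."""
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    local = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    return local in {"mailer-daemon", "postmaster"}

def risky_attachments(msg):
    """Attachment names with a risky extension, including inside a returned message."""
    names = []
    for part in msg.walk():  # walk() also descends into message/rfc822 parts
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] in RISKY_EXT:
            names.append(name)
    return names

def classify(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    bounce, names = is_bounce(msg), risky_attachments(msg)
    if bounce:
        return ("backscatter-with-payload" if names else "backscatter"), names
    return ("direct-with-payload" if names else "clean"), names

def build_sample_bounce():
    """Constructed sample: a bounce that returns the original message intact."""
    orig = EmailMessage()
    orig["From"], orig["To"] = "forged@example.org", "nobody@example.net"
    orig["Subject"] = "constructed sample"
    orig.set_content("see attachment")
    orig.add_attachment(b"inert placeholder bytes", maintype="application",
                        subtype="octet-stream", filename="sample.pif")
    bounce = EmailMessage()
    bounce["Return-Path"] = "<>"
    bounce["From"], bounce["To"] = "MAILER-DAEMON@mx.example.net", "forged@example.org"
    bounce["Subject"] = "Returned mail: no such address"
    bounce.set_content("The original message follows.")
    bounce.add_attachment(orig)
    return bounce.as_bytes()
```

A "backscatter-with-payload" verdict identifies a remote server that returned the attachment intact, which is the misconfiguration the post complains about; such messages can be quarantined rather than delivered to the forged sender.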
This archive was generated by hypermail 2b30 : Wed Aug 20 2003 - 16:58:54 PDT