RE: Sobig.F style email with no attachments

From: Bojan Zdrnja (Bojan.Zdrnjaat_private)
Date: Sat Aug 23 2003 - 20:25:47 PDT

    Yes, a lot of people got these.
    
    At the beginning I thought it was misconfigured antivirus servers that
    were letting this through.
    
    But later it showed that in some number of cases, Sobig.F will simply send
    that e-mail message, without the attachment. 
    
    Regards,
    
    Bojan Zdrnja
    
    > -----Original Message-----
    > From: Rich Puhek [mailto:rpuhekat_private] 
    > Sent: Friday, 22 August 2003 3:20 a.m.
    > To: incidentsat_private
    > Subject: Sobig.F style email with no attachments
    > 
    > 
    > I've been seeing a handful of emails that look a lot like Sobig.F
    > (same or similar subjects, same body), but do not contain the
    > attachment.
    > 
    > Does anyone know what's going on? I'm thinking that either:
    > 
    > 1) Someone is using similar messages to probe email accounts
    > 
    > 2) A new version of Sobig is out (perhaps probing accounts first,
    > then sending the payload later?)
    > 
    > 3) Something is broken with Sobig.F, causing it to fail to attach
    > from time to time.
    > 
    > I have several copies available if anyone is interested. I haven't
    > dissected the headers, etc. to look for similarities or differences
    > with Sobig.F messages.
    > 
    > --Rich
    > 
    > _________________________________________________________
    > 
    > Rich Puhek
    > ETN Systems Inc.
    > 2125 1st Ave East
    > Hibbing MN 55746
    > 
    > tel:   218.262.1130
    > email: rpuhekat_private
    > _________________________________________________________



    This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:19:19 PDT