Re: lots of sobig virus emails.

From: Valdis.Kletnieksat_private
Date: Mon Aug 25 2003 - 07:50:08 PDT


    On Mon, 25 Aug 2003 22:26:49 +0800, Toh Hong Kuan said:
    > Yes, the amount of auto-response mails from AV products and virus mails from
    > infected PCs to our service mail account is flooding that mailbox and
    > choking our mail servers, that we're even considering changing that email
    > address!
    
    Take an hour and look at the headers.
    
    I had captured 4,057 SoBig-F, and analyzing the headers showed only 189
    distinct sources.  One source was 1015 of them, #2 was 663.  The 8 sources over
    100 items each accounted for 2,524, and the next 10 over 40 each brought it up
    to 3,164.  So if I smack some sense into 18 losers, 75% of my problem goes
    away.
    
    I'm willing to bet that the *same* machines that are hitting other sites and
    causing AV bounces to your site are also sending you direct SoBig-F claiming to
    be somebody else - I've yet to see a bounce for a SoBig claiming to be me that
    wasn't from one of those 189 sources, and most were from that same "top 8"
    list.
    
    What to look for:
    
    1) Examine mail for a header:  X-MailScanner: Found to be clean
    This is a very likely sign that it's a SoBig (yes, it's also from an AV package, but
    if you're seeing it, it's 98% sure it's SoBig).
    
    2) Find the *first* Received: line - that will be the *bottom* one (they get added
    bottom-to-top).  It will look like:
    
    Received: from zidane.cc.vt.edu (evil-zidane.cc.vt.edu [10.1.1.13])
    	by lyta.cc.vt.edu (iPlanet Messaging Server 5.2 Patch 1 (built Aug 19 2002))
    	with ESMTP id <0HK6004F7J0181at_private> for valdis@ims-ms-daemon
    	(ORCPT Valdis.Kletnieksat_private); Mon, 25 Aug 2003 10:31:13 -0400 (EDT)
    Received: from LUISA (bdsl.66.12.138.123.gte.net [66.12.138.123])
    	by zidane.cc.vt.edu (Mirapoint Messaging Server MOS 3.3.2-CR)
    	with ESMTP id BVE06857; 
    Mon, 25 Aug 2003 10:30:59 -0400 (EDT)
    Date: Mon, 25 Aug 2003 07:31:56 +0700
    From: kondorat_private
    
    See that 'from LUISA'?  SoBig always uses a one-token hostname.  The *real*
    hostname and IP address are tacked on by my system so I know to go complain to
    the wonderful guys at gte.net.
    
    And yes, 'LUISA' is both in my top-8 list and one of the major sources of things
    claiming to be from me - so soon as the guys at gte.net (hopefully) swat it, I'll
    get less backscatter as well.. ;)
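The header analysis described above, as an added example that is not part of the original post: it reads the bottom-most Received: line of each message (the hop where the mail entered), applies the two heuristics from the post (one-token HELO name plus the "X-MailScanner: Found to be clean" header), and ranks the first-hop IPs by volume. The sample messages and their documentation-range IPs are constructed for the demo.

```python
import re
from collections import Counter
from email import message_from_string

# HELO token after "from", then the "(rdns [ip])" block the receiving MTA appends.
RECEIVED_RE = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def first_hop(raw):
    """(helo, ip, flagged) for the earliest hop: Received: headers are prepended,
    so the bottom one (last in get_all) is where the mail entered."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.match(" ".join(received[-1].split()))  # unfold continuation lines
    if not m:
        return None
    helo = m.group("helo")
    ip_m = IP_RE.search(m.group("info") or "")
    scanner = (msg.get("X-MailScanner") or "").strip().lower() == "found to be clean"
    # Heuristics from the post: one-token HELO name plus the scanner header.
    return helo, ip_m.group(1) if ip_m else None, ("." not in helo) and scanner

def rank_sources(raw_messages):
    """Count first-hop IPs of flagged messages, most frequent first."""
    counts = Counter()
    for raw in raw_messages:
        hop = first_hop(raw)
        if hop and hop[2] and hop[1]:
            counts[hop[1]] += 1
    return counts.most_common()

# Constructed sample messages (not real traffic); IPs are documentation-range placeholders.
def _sample(helo, ip, scanner):
    hdrs = ("Received: from gw.example.org (gw.example.org [192.0.2.10])\n"
            "\tby mx.example.org with ESMTP id A1; Mon, 25 Aug 2003 10:31:13 -0400\n"
            f"Received: from {helo} (host.example.net [{ip}])\n"
            "\tby gw.example.org with ESMTP id B2; Mon, 25 Aug 2003 10:30:59 -0400\n")
    if scanner:
        hdrs += "X-MailScanner: Found to be clean\n"
    return hdrs + "Subject: Re: Details\n\nbody\n"
SAMPLES = [_sample("LUISA", "198.51.100.23", True),
           _sample("LUISA", "198.51.100.23", True),
           _sample("PC-7", "203.0.113.5", True),
           _sample("smtp.example.com", "203.0.113.9", False)]

if __name__ == "__main__":
    print(rank_sources(SAMPLES))  # [('198.51.100.23', 2), ('203.0.113.5', 1)]
```

Run over a mailbox of captured samples, the output is the "top 8" style list the post describes: the handful of first-hop addresses worth reporting to their upstream.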
    This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:28:22 PDT