Anyone seeing hijacked email addresses with this Sobig-F worm? I did
some research and I know I didn't send anything to Investec Bank of
Johannesburg,ZA. On top of that, I definitely did not send a worm.
Thoughts?
Jack
Anyone seeing hijacked email addresses with this Sobig-F worm? I did
some research and I know I didn't send anything to Investec Bank of
Johannesburg,ZA. On top of that, I definitely did not send a worm.
same here... seems the worm is not only using the address book for targets,
but also as sources..
Pascal
Is this surprising to anyone? That's the way the past few Lookout Virus
Express viruses have worked. The funny thing is, on this account, I've
gotten zero copies that I've noticed...just lots of mail from various
lists talking about it.
On my work account, I've gotten several this morning and a bunch of
bounces.
Anyone seeing hijacked email addresses with this Sobig-F worm? I did
some research and I know I didn't send anything to Investec Bank of
Johannesburg,ZA. On top of that, I definitely did not send a worm.
Yep, my email is definitely being used.
Nathan Stratton
nathan at robotics.net
http://www.robotics.net
Hello All, I have just seen several bounces from various places
with my addy being used as well. JimL
Yup, seeing same. Spoofing to quite a few of our addresses and sending worms to everyone..
-hc
For our Postfix viewers out there...
header_checks:
/^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.
body_checks:
/X-MailScanner: Found to be clean/ REJECT Please, stop sending me bounces/infection notices for spoofed virus spam.
The last rule is kinda evil as it will block all mail with that line in
the body (both incoming and outgoing), so know what you're doing before
you blindly cut and paste.
Please people, of all the great feedback these joe jobbed
addresses are receiving, from the anti-virus software...
it really wouldn't hurt to include the -=IP=- (and possibly headers)
of the system that contacted your server.....
Rather than simply complain, it would allow us to track
down, and triangulate the -=real=- perp, an infected
M$ machine or two (million).
Thanks in Advance for useful data !
:D
JMHO.
Omachonu Ogali wrote:
Today at 10:40 (-0500), Richard Irving wrote:
Date: Wed, 20 Aug 2003 10:40:25 -0500
From: Richard Irving <rirving@onecall.net>
To: nanog@merit.edu
Subject: Re: Hijacked email
Please people, of all the great feedback these joe jobbed
addresses are receiving, from the anti-virus software...
it really wouldn't hurt to include the -=IP=- (and possibly headers)
of the system that contacted your server.....
Rather than simply complain, it would allow us to track
down, and triangulate the -=real=- perp, an infected
M$ machine or two (million).
Okie doke.... is Netscalibur in the house? I might assume so
based on the "nanog-ish" return address on the received e-mail
from [195.157.87.253]. This IP is sourcing Sobig.F to me, and
*as* me.
The received mail:
From nanog@ehlke.net Wed Aug 20 10:03:00 2003
Received: from KYAN ([195.157.87.253])
by ack.Berkeley.EDU (8.11.3/8.11.3) with ESMTP id h7K9k2n04029
for <cchin@ack.Berkeley.EDU>; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
Message-Id: <200308200946.h7K9k2n04029@ack.Berkeley.EDU>
Today at 18:38 (+0100), Dan Houghton wrote:
Date: Wed, 20 Aug 2003 18:38:43 +0100
From: Dan Houghton <dan@houghton.org.uk>
To: Christopher Chin <cchin@ack.Berkeley.EDU>
Cc: nanog@merit.edu
Subject: Re: Hey netscalibur! (was: Re: Hijacked email)
[. . .]
IP in question is in use by a Netscalibur UK customer. The RIPE whois
record for the IP provides the abuse@ contact details (which is staffed and
dealt with correctly) but also noticed you emailed onto
noc@netscalibur.co.uk as well.
I'll make sure that the NOC staff deal with it and get these stopped.
Thanks for the quick response, Dan. It's great to
hear that you have alert folks on the other end of both abuse@
and noc@ roles.
As with most organizations, we have a fair amount of overlap
between queries that arrive at abuse@, security@, and noc@,
but we tend to handle operational issues via noc, and abuse@ is
mostly for questionable behavior (intentional or otherwise) by
our local users. With that in mind, I figured noc@netscalibur
would be the more appropriate address. Please do let me know
(offline is OK too) if that is not your preference.
Thanks,
- Christopher
Okie doke.... is Netscalibur in the house? I might assume so
based on the "nanog-ish" return address on the received e-mail
from [195.157.87.253]. This IP is sourcing Sobig.F to me, and
*as* me.
The received mail:
From nanog@ehlke.net Wed Aug 20 10:03:00 2003
Received: from KYAN ([195.157.87.253])
I got six various examples from this exact machine, until I just
nullrouted Netscalibur's /16. They have been the only virus messages
I've seen so far.
matto
Of course, this will also block legitimate messages that have been
scanned by whatever type of virus scanner adds that header.
Wietse suggests the following body check; it will work better with
Postfix 2.0:
http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml
This is working well for us.
You could also probably look for the following three lines in a row:
(I'll indent a space so they don't set off people who are blocking based
on the above rules):
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
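The two suggestions in this thread, matching the three adjacent headers above and (as Richard asked) pulling the connecting IP out of the Received header so the infected host can be reported, put into one small triage script. This is an added example, not code posted by anyone in the thread; the sample message is constructed from the headers quoted above, and the hostname mx.example.net is made up.

```python
import re
from email import message_from_string
from typing import Optional

# Constructed sample in the shape of the messages quoted in the thread
# (the receiving host and recipient are made up, the rest mirrors the quotes).
SAMPLE = """\
Received: from KYAN ([195.157.87.253])
\tby mx.example.net (8.11.3/8.11.3) with ESMTP id h7K9k2n04029
\tfor <user@example.net>; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
From: nanog@example.net
To: user@example.net
Subject: Re: Details
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

See the attached file for details
"""

# The three consecutive headers the post above suggests matching on.
SOBIG_TRIO = (
    ("X-MailScanner", "Found to be clean"),
    ("Importance", "Normal"),
    ("X-Mailer", "Microsoft Outlook Express 6.00.2600.0000"),
)

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def has_sobig_fingerprint(raw: str) -> bool:
    """True only if the three headers appear adjacent and in this order."""
    headers = [(k, v.strip()) for k, v in message_from_string(raw).items()]
    n = len(SOBIG_TRIO)
    return any(tuple(headers[i:i + n]) == SOBIG_TRIO
               for i in range(len(headers) - n + 1))


def connecting_ip(raw: str) -> Optional[str]:
    """IP of the host that handed us the message: taken from the topmost
    Received header, the one our own MTA wrote. Lower Received lines and the
    From: address are supplied by the sender and are forged by this worm."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return m.group(1) if m else None


def triage(raw: str) -> dict:
    """What to put in an abuse report: the fingerprint verdict and the real source."""
    return {"sobig_like": has_sobig_fingerprint(raw), "source_ip": connecting_ip(raw)}
```

Run over a mail spool of bounces, the source_ip field is the value worth forwarding to the originating network's abuse@ or noc@ contact rather than the spoofed From: address.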
We're seeing a LOT of these today.... probably in the thousands per
second.
Eep - sorry for the annoying self-followup, but that should read
"thousands per minute" (and that during peak hours) -- it's bad, but not
THAT bad.