Re: Anyone else seeing a radical increase in Sobig?

From: James C. Slora Jr. (
Date: 08/20/03

  • Next message: Peter Ellison: "RE: DCOM worm with get.bat bot.rar"
    To: "Chip Mefford" <>, <>
    Date: Wed, 20 Aug 2003 07:22:45 -0400

    Chip Mefford wrote
    > As of ~0930 GMT -5, we started seeing a large
    > group of emails containing Win32/Sobig.F@mm
    > more in the last 2 hours than we've seen in the
    > last 4 months. Coming from different netblocks
    > as well.

    Oh, yes. This is huge. I've gotten hundreds so far. All come through
    low-priority MXs, and they appear to use the same list of addresses to fake
    the "From" field and the recipient.

    About 1/10 of the incoming infected messages are "returned mail"
    notifications from over quota, no such address, etc. Some of them are from
    mail servers that are _STILL_ in this day and age configured to return
    virus-infected mail intact.

    This means that badly configured or inflexible antivirus screeners are
    helping to distribute the virus by returning it to the "From" address faked
    by the virus.
