RE: lots of sobig virus emails.

From: Bruce Martins (BMartins_at_extend.COM)
Date: 08/21/03

    Date: Thu, 21 Aug 2003 07:55:12 -0400
    To: <Valdis.Kletnieks@vt.edu>, "wirepair" <wirepair@roguemail.net>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I think the most annoying thing to come out of this is the way people
    have their AV software configured on their mail servers to send a
    message back to the spoofed sender who is not even the real culprit, and
    then to get even more e-mail from users that claim you are sending them
    viruses, that includes some people subscribed to the SecurityFocus
    mailing lists. Is there really any point anymore to have the AV software
    automatically reply to the sender with every virus it detects
    considering the software uses the forged From field? Now those messages
    bog down the mail servers everywhere.

    Bruce Martins
    Systems Administrator
    EXTEND>>MEDIA
    190 Liberty Street
    Toronto, Ontario
    Canada
    M6K 3L5
    _______________________
    e:bmartins@extend.com
    t: (416) 535-4222 ext. 2307
    f: (416) 535-1201
    http://www.extend.com

    - -----Original Message-----
    From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
    Sent: Wednesday, August 20, 2003 12:30 AM
    To: wirepair
    Cc: incidents@securityfocus.com

    On Tue, 19 Aug 2003 09:44:15 PDT, wirepair <wirepair@roguemail.net> said:
    > because i'm not infected. It also looks like i'm getting a ton from
    > 'security peoples' email addresses.
    > sans/securityfocus.com/other people. Maybe someone released the virus
    > using a list of people from security lists?

    Nothing that devious... :)

    *YOU* are getting a ton from "security people" because the people you
    are getting copies from have security people's addresses in their mail
    folders.
    Some poor Microsoft-using drudge gets infected, it trolls the folders,
    spams using what addresses it finds - and due to "locality of
    reference", you'll get mostly security-related addresses because that's
    the crowd you hang with.

    Remember, if you get a Sobig-F claiming to be from somebody, all that
    *really* means is that the *real* problem user has both you and that
    somebody in their mail folders someplace...

    Meanwhile, over on the dachshund-breeders list, everybody is wondering
    why the virus was released with a bunch of dachshund owners as the list,
    and the canoe-builders list is getting hammered by addresses from
    outdoor-activity lists, and so on....

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (MingW32)

    iD8DBQE/RLMggU0CXm2DmsMRAi0BAJ9zs5gZ06WjeOCtBMr4CU0J8vk4uwCfaEKG
    eoLXc2cOYP3UawowrW4AC/8=
    =odBz
    -----END PGP SIGNATURE-----
