Re: lots of sobig virus emails.
Valdis.Kletnieks_at_vt.edu
Date: 08/25/03
- Previous message: Bill Carlson: "strange HTTP requests"
- In reply to: Toh Hong Kuan: "RE: lots of sobig virus emails."
- Next in thread: Toh Hong Kuan: "RE: lots of sobig virus emails."
- Reply: Toh Hong Kuan: "RE: lots of sobig virus emails."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Toh Hong Kuan <hktoh@singnet.com.sg>
Date: Mon, 25 Aug 2003 10:50:08 -0400
On Mon, 25 Aug 2003 22:26:49 +0800, Toh Hong Kuan said:
> Yes, the amount of auto-response mails from AV products and virus mails from
> infected PCs to our service mail account is flooding that mailbox and
> choking our mail servers, that we're even considering changing that email
> address!
Take an hour and look at the headers.
I had captured 4,057 SoBig-F, and analyzing the headers showed only 189
distinct sources. One source was 1015 of them, #2 was 663. The 8 sources over
100 items each accounted for 2,524, and the next 10 over 40 each brought it up
to 3,164. So if I smack some sense into 18 losers, 75% of my problem goes
away.
I'm willing to bet that the *same* machines that are hitting other sites and
causing AV bounces to your site are also sending you direct SoBig-F claiming to
be somebody else - I've yet to see a bounce for a SoBig claiming to be me that
wasn't from one of those 189 sources, and most were from that same "top 8"
list.
What to look for:
1) Examine mail for a header: X-MailScanner: Found to be clean
This is a very likely sign that it's a SoBig (yes, it's also from an AV package, but
if you're seeing it, it's 98% sure it's SoBig).
2) Find the *first* Received: line - that will be the *bottom* one (they get added
bottom-to-top). It will look like:
    Received: from zidane.cc.vt.edu (evil-zidane.cc.vt.edu [10.1.1.13])
        by lyta.cc.vt.edu (iPlanet Messaging Server 5.2 Patch 1 (built Aug 19 2002))
        with ESMTP id <0HK6004F7J0181@lyta.cc.vt.edu> for valdis@ims-ms-daemon
        (ORCPT Valdis.Kletnieks@vt.edu); Mon, 25 Aug 2003 10:31:13 -0400 (EDT)
    Received: from LUISA (bdsl.66.12.138.123.gte.net [66.12.138.123])
        by zidane.cc.vt.edu (Mirapoint Messaging Server MOS 3.3.2-CR)
        with ESMTP id BVE06857;
        Mon, 25 Aug 2003 10:30:59 -0400 (EDT)
    Date: Mon, 25 Aug 2003 07:31:56 +0700
    From: kondor@cbk.poznan.pl
See that 'from LUISA'? SoBig always uses a one-token hostname. The *real*
hostname and IP address are tacked on by my system so I know to go complain to
the wonderful guys at gte.net.
And yes, 'LUISA' is both in my top-8 list and one of the major sources of things
claiming to be from me - so as soon as the guys at gte.net (hopefully) swat it, I'll
get less backscatter as well... ;)
- application/pgp-signature attachment: stored
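The header triage described in the message above, as an added Python example that is not part of the original post: it unfolds a raw message's headers, takes the bottom Received: line as the first hop, flags a single-token HELO name together with the "X-MailScanner: Found to be clean" header, and ranks the originating IPs the way the per-source counts in the post were produced. The sample messages, example.* hostnames and documentation-range IPs are constructed for illustration.

```python
import re
from collections import Counter

# HELO token after "from" plus the bracketed IP the receiving MTA appends.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*?\[([\d.]+)\]\)", re.I)

def unfold_headers(raw):
    """Return (name, value) pairs, joining RFC 2822 folded continuation lines."""
    headers = []
    for line in raw.split("\n"):
        if line == "":
            break  # blank line ends the header block
        if line[:1] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def first_hop(raw):
    """(helo_name, ip) from the bottom Received: line, i.e. the first hop."""
    received = [v for n, v in unfold_headers(raw) if n == "received"]
    m = RECEIVED_RE.search(received[-1]) if received else None
    return (m.group(1), m.group(2)) if m else None

def looks_like_sobig(raw):
    """Single-token HELO name plus 'X-MailScanner: Found to be clean'."""
    hop = first_hop(raw)
    scanner = dict(unfold_headers(raw)).get("x-mailscanner", "")
    return (hop is not None and "." not in hop[0]
            and scanner.lower().startswith("found to be clean"))

def top_sources(messages, n=8):
    """Rank the originating IPs of suspected SoBig messages by count."""
    hits = Counter(first_hop(m)[1] for m in messages if looks_like_sobig(m))
    return hits.most_common(n)

# Constructed sample messages (not real traffic); IPs are documentation ranges.
SOBIG = """Received: from relay.example.edu (relay.example.edu [10.1.1.13])
\tby mx.example.edu with ESMTP id 0HK6004F7J0181; Mon, 25 Aug 2003 10:31:13 -0400
Received: from LUISA (dsl-45.example.net [192.0.2.45])
\tby relay.example.edu with ESMTP id BVE06857; Mon, 25 Aug 2003 10:30:59 -0400
X-MailScanner: Found to be clean
From: forged@example.org
"""
LEGIT = """Received: from mail.example.com (mail.example.com [198.51.100.7])
\tby mx.example.edu with ESMTP; Mon, 25 Aug 2003 11:00:00 -0400
From: real@example.com
"""
```

Feed `top_sources()` the raw text of each captured message and the result is the ranked list of first-hop IPs to take to the owning network's abuse contact.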