Anyone seeing hijacked email addresses with this Sobig-F worm? I did some research and I know I didn't send anything to Investec Bank of Johannesburg,ZA. On top of that, I definitely did not send a worm.

Thoughts?

Jack

-----Original Message-----
From: jlouw@investec.co.za [mailto:jlouw@investec.co.za]
Sent: Wednesday, August 20, 2003 4:11 AM
To: Parks, Jack W
Cc: VMeetoo@investec.co.mu
Subject: MailMarshal has detected a Virus in your message

Investec content scanning has stopped the following message:

Message: BB002e9963.00000001.mml
From: Jack.W.Parks@alltel.com
To: VMeetoo@investec.co.mu
Subject: Thank you!

Because it believes the message contains a virus. The virus scanning software used was: Sophos AntiVirus (SAVI2 Interface)

Virus name: W32/Sobig-F

Please clean the file and resend it.

Rule: Inbound Messages : Block Virus
Anyone seeing hijacked email addresses with this Sobig-F worm? I did some research and I know I didn't send anything to Investec Bank of Johannesburg,ZA. On top of that, I definitely did not send a worm.
same here... seems the worm is not only using the address book for targets, but also as sources..

Pascal
On Wed, 20 Aug 2003, Pascal Gloor wrote:
Anyone seeing hijacked email addresses with this Sobig-F worm? I did some research and I know I didn't send anything to Investec Bank of Johannesburg,ZA. On top of that, I definitely did not send a worm.
same here... seems the worm is not only using the adress book for targets, but also as sources..
Is this surprising to anyone? That's the way the past few Lookout Virus Express viruses have worked. The funny thing is, on this account, I've gotten zero copies that I've noticed...just lots of mail from various lists talking about it. On my work account, I've gotten several this morning and a bunch of bounces.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
For our Postfix viewers out there...

header_checks:
/^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.

body_checks:
/X-MailScanner: Found to be clean/ REJECT Please, stop sending me bounces/infection notices for spoofed virus spam.

The last rule is kinda evil as it will block all mail with that line in the body (both incoming and outgoing), so know what you're doing before you blindly cut and paste.
Please people, of all the great feedback these joe jobbed addresses are receiving, from the anti-virus software... it really wouldn't hurt to include the -=IP=- (and possibly headers) of the system that contacted your server..... Rather than simply complain, it would allow us to track down, and triangulate the -=real=- perp, an infected M$ machine or two (million).

Thanks in Advance for useful data ! :D

JMHO.

Omachonu Ogali wrote:
For our Postfix viewers out there...
header_checks: /^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.
body_checks: /X-MailScanner: Found to be clean/ REJECT Please, stop sending me bounces/infection notices for spoofed virus spam.
The last rule is kinda evil as it will block all mail with that line in the body (both incoming and outgoing), so know what you're doing before you blindly cut and paste.
Today at 10:40 (-0500), Richard Irving wrote:
Date: Wed, 20 Aug 2003 10:40:25 -0500
From: Richard Irving <rirving@onecall.net>
To: nanog@merit.edu
Subject: Re: Hijacked email
Please people, of all the great feedback these joe jobbed addresses are receiving, from the anti-virus software...
it really wouldn't hurt to include the -=IP=- (and possibly headers) of the system that contacted your server.....
Rather than simply complain, it would allow us to track down, and triangulate the -=real=- perp, an infected M$ machine or two (million).
Okie doke.... is Netscalibur in the house?

I might assume so based on the "nanog-ish" return address on the received e-mail from [195.157.87.253]. This IP is sourcing Sobig.F to me, and *as* me.

The received mail:

From nanog@ehlke.net Wed Aug 20 10:03:00 2003
Received: from KYAN ([195.157.87.253]) by ack.Berkeley.EDU (8.11.3/8.11.3) with ESMTP id h7K9k2n04029 for <cchin@ack.Berkeley.EDU>; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
Message-Id: <200308200946.h7K9k2n04029@ack.Berkeley.EDU>
From: <nanog@ehlke.net>
To: <cchin@ack.Berkeley.EDU>
Subject: Re: Details
Date: Wed, 20 Aug 2003 10:46:45 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_00623C6D"
Content-Length: 100007

See the attached file for details

[ Part 2, Application/OCTET-STREAM (Name: "details.pif") 100KB. ]

And the results of the joe-job:

The original message was received at Wed, 20 Aug 2003 03:42:13 -0700 (PDT) from [195.157.87.253]

----- The following addresses had permanent fatal errors -----
<lyris@sega.com>
(reason: 550 <lyris@sega.com>... No such mailbox)

----- Transcript of session follows -----
... while talking to mail.sega.com.:
RCPT To:<lyris@sega.com>
<<< 550 <lyris@sega.com>... No such mailbox
550 5.1.1 <lyris@sega.com>... User unknown

[ Part 2: "Delivery Status" ]

Reporting-MTA: dns; postal.segasoft.com
Received-From-MTA: DNS; [195.157.87.253]
Arrival-Date: Wed, 20 Aug 2003 03:42:13 -0700 (PDT)

Final-Recipient: RFC822; lyris@sega.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.sega.com
Diagnostic-Code: SMTP; 550 <lyris@sega.com>... No such mailbox
Last-Attempt-Date: Wed, 20 Aug 2003 03:42:19 -0700 (PDT)

[ Part 3: "Included Message" ]

Return-Path: <cchin@ack.Berkeley.EDU>
Received: from KYAN ([195.157.87.253]) by postal.segasoft.com (8.12.9/8.11.0) with ESMTP id h7KAgCbV004367 for <lyris@sega.com>; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
Message-Id: <200308201042.h7KAgCbV004367@postal.segasoft.com>
From: <cchin@ack.Berkeley.EDU>
To: <lyris@sega.com>
Subject: Re: Details
Date: Wed, 20 Aug 2003 11:42:56 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_0095ABA4"

Please see the attached file for details.

[ Part 3.2, Application/OCTET-STREAM (Name: "thank_you.pif") 101KB. ]
[ Unable to print this part. ]
On Wed, 20 Aug 2003, Christopher Chin wrote:

Okie doke.... is Netscalibur in the house?
I might assume so based on the "nanog-ish" return address on the received e-mail from [195.157.87.253]. This IP is sourcing Sobig.F to me, and *as* me.
The received mail:
From nanog@ehlke.net Wed Aug 20 10:03:00 2003
Received: from KYAN ([195.157.87.253])

I got six various examples from this exact machine, until I just nullrouted Netscalibur's /16. They have been the only virus messages I've seen so far.

matto

--mghali@snark.net------------------------------------------<darwin><
Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in.
#include <disclaim.h>
On Wed, Aug 20, 2003 at 11:28:27AM -0400, Omachonu Ogali wrote:
For our Postfix viewers out there...
header_checks: /^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.
Of course, this will also block legitimate messages that have been scanned by whatever type of virus scanner adds that header.

Wietse suggests the following body check; it will work better with Postfix 2.0:
http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml

This is working well for us.

You could also probably look for the following three lines in a row (I'll indent a space so they don't set off people who are blocking based on the above rules):

 X-MailScanner: Found to be clean
 Importance: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.0000

We're seeing a LOT of these today.... probably in the thousands per second.

--
"Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
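An added example, not code from the thread or from Postfix: it turns Will's three-consecutive-headers fingerprint into a check that leaves ordinarily scanned mail alone, and pulls the IP of the connecting host from the topmost Received: header, which is the datum Richard asked reporters to include. The hostnames, addresses and both sample messages are constructed for the example.

```python
import email
import re

# Header fingerprint Will Yardley describes: these three lines, in this order, back to back.
SOBIG_F_FINGERPRINT = (
    ("x-mailscanner", "Found to be clean"),
    ("importance", "Normal"),
    ("x-mailer", "Microsoft Outlook Express 6.00.2600.0000"),
)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def has_sobig_fingerprint(raw):
    """True only when the three fingerprint headers appear consecutively."""
    items = [(k.lower(), v.strip()) for k, v in email.message_from_string(raw).items()]
    n = len(SOBIG_F_FINGERPRINT)
    return any(tuple(items[i:i + n]) == SOBIG_F_FINGERPRINT
               for i in range(len(items) - n + 1))

def connecting_host_ip(raw):
    """IP in the topmost Received: header, i.e. the host that handed the mail to our MTA."""
    received = email.message_from_string(raw).get_all("Received") or []
    m = RECEIVED_IP.search(received[0]) if received else None
    return m.group(1) if m else None

def triage(raw):
    return {"sobig_f": has_sobig_fingerprint(raw), "source_ip": connecting_host_ip(raw)}

# Constructed samples, not real traffic; 192.0.2.x are documentation addresses.
WORM_COPY = """\
Received: from KYAN ([192.0.2.10])
    by mx.example.org (8.11.3/8.11.3) with ESMTP id AAA00001; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
From: <victim@example.net>
Subject: Re: Details
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

See the attached file for details
"""
# Ordinary mail that merely passed a MailScanner gateway: the blanket header_checks rule rejects it, the fingerprint does not.
SCANNED_MAIL = """\
Received: from mail.example.com ([192.0.2.20])
    by mx.example.org (8.11.3/8.11.3) with ESMTP id AAA00002; Wed, 20 Aug 2003 09:00:00 -0700 (PDT)
From: <colleague@example.com>
Subject: meeting notes
X-MailScanner: Found to be clean
X-Mailer: Mutt/1.4

Notes attached.
"""
```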
On Wed, Aug 20, 2003 at 06:13:58PM -0700, Will Yardley wrote:
We're seeing a LOT of these today.... probably in the thousands per second.
Eep - sorry for the annoying self-followup, but that should read "thousands per minute" (and that during peak hours) -- it's bad, but not THAT bad.

--
"Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
On Wed, 20 Aug 2003 Jack.W.Parks@alltel.com wrote:
Anyone seeing hijacked email addresses with this Sobig-F worm? I did some research and I know I didn't send anything to Investec Bank of Johannesburg,ZA. On top of that, I definitely did not send a worm.
Yep, my email is definitely being used. :(
Nathan Stratton
nathan at robotics.net
http://www.robotics.net
Hello All, I have just seen several bounces from various places with my addy being used as well.

JimL

On Wed, 20 Aug 2003, Nathan A. Stratton wrote:
On Wed, 20 Aug 2003 Jack.W.Parks@alltel.com wrote:
Anyone seeing hijacked email addresses with this Sobig-F worm? I did some research and I know I didn't send anything to Investec Bank of Johannesburg,ZA. On top of that, I definitely did not send a worm.

Yep, my email is definitely being used. :(

--
+------------------------------------------------------------------+
| James W. Laferriere     | System Techniques    | Give me VMS     |
| Network Engineer        | P.O. Box 854         | Give me Linux   |
| babydr@baby-dragons.com | Coudersport PA 16915 | only on AXP     |
+------------------------------------------------------------------+
Yup, seeing same. Spoofing to quite a few of our addresses and sending worms to everyone..

-hc

--
Sincerely,
Haesu C.
TowardEX Technologies, Inc.
WWW: http://www.towardex.com
E-mail: haesu@towardex.com
Cell: (978) 394-2867

On Wed, Aug 20, 2003 at 07:36:23AM -0500, Jack.W.Parks@alltel.com wrote:
Anyone seeing hijacked email addresses with this Sobig-F worm? I did some research and I know I didn't send anything to Investec Bank of Johannesburg,ZA. On top of that, I definitely did not send a worm.
Thoughts?
Jack
-----Original Message-----
From: jlouw@investec.co.za [mailto:jlouw@investec.co.za]
Sent: Wednesday, August 20, 2003 4:11 AM
To: Parks, Jack W
Cc: VMeetoo@investec.co.mu
Subject: MailMarshal has detected a Virus in your message
Investec content scanning has stopped the following message:
Message: BB002e9963.00000001.mml
From: Jack.W.Parks@alltel.com
To: VMeetoo@investec.co.mu
Subject: Thank you!
Because it believes the message contains a virus. The virus scanning software used was: Sophos AntiVirus (SAVI2 Interface)
Virus name: W32/Sobig-F
Please clean the file and resend it.
Rule: Inbound Messages : Block Virus