[Dshield] Accidental inoculation against SoBig?

Jon R. Kibler Jon.Kibler at aset.com
Thu Aug 21 14:04:43 GMT 2003

Greetings all:

I have noticed two trends in recent days that have had me really concerned. In fact, to say I have been totally baffled would be an understatement.

The first trend I noticed was an ever increasing number of systems performing VERY aggressive port scans of our MTAs. In most cases, the host probing the MTA would repeat the probe anywhere from 10 to 200+ times an hour for hours (or, in some cases, days) on end. These are almost always originating from DSL or Cable connections, thus I assumed that they were some new proxy server that our checks did not identify.

The other trend I noticed REALLY REALLY REALLY bothered me: We were getting NO (zero! none! nada!) SoBig hits. This had me concerned to the point that yesterday I spent all day (like 19+ hours) upgrading our A-V engine and switching from AMaViS to MIMEDefang on all of our mail servers, thinking there had to be a problem in one of those components.

When I first got up this morning, I logged in to several of our mail servers from the house and checked the log files. Still NO SoBig hits! At this point I was totally confused.

Then, in the shower (which is where I do some of my best thinking!), I recalled someone mentioning yesterday that SoBig runs its own SMTP engine. Then I also remembered that in the past we have had problems with some really old SMTP servers gagging on our MTA's connection greeting; we all have rather large multi-line 220 messages that used to cause some problems.

Then it hit me -- could SoBig's SMTP engine be gagging on our 220 greeting message? If so, then that could account for both of the trends I have been worrying about. It could be that we have not received any SoBig hits because it cannot connect to any of our MTAs successfully. SoBig could also be repeatedly trying these connections, and that could account for the aggressive port scans.

Any thoughts on this? Could we have accidentally inoculated ourselves against SoBig by having a large greeting message that it cannot handle?

Feedback appreciated.

Oh, by the way, do NOT try to telnet to any of our MTAs to read the greeting -- you will be automatically blocked as a potential spammer. If you want a copy, contact me off list.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
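As an added illustration of the hypothesis above (example code, not from the post or from A.S.E.T.), here is a reader that handles a multi-line 220 greeting the way RFC 5321 specifies, next to a naive one-line reader of the kind a homegrown SMTP engine might use; the greeting text and host name are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample banner (not A.S.E.T.'s real greeting): "220-" marks
# continuation lines, "220 " marks the final line of the reply.
SAMPLE_GREETING = (
    b"220-mx.example.invalid ESMTP\r\n"
    b"220-Unauthorized use of this system is prohibited.\r\n"
    b"220-All connections are logged.\r\n"
    b"220 Ready\r\n"
)
SAMPLE_EHLO_REPLY = b"250 mx.example.invalid\r\n"  # constructed


def parse_reply(data: bytes) -> Tuple[int, List[str], bytes]:
    """Parse one complete SMTP reply from the front of `data`.

    Returns (code, text_lines, remaining_bytes). A line 'NNN-text' is a
    continuation; 'NNN text' or bare 'NNN' ends the reply. Raises
    ValueError on an incomplete or malformed reply.
    """
    lines, code, rest = [], None, data
    while True:
        nl = rest.find(b"\r\n")
        if nl < 0:
            raise ValueError("incomplete reply")
        line, rest = rest[:nl], rest[nl + 2:]
        m = re.fullmatch(rb"(\d{3})([ -]?)(.*)", line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(m.group(1))
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed inside multi-line reply")
        lines.append(m.group(3).decode("ascii", "replace"))
        if m.group(2) != b"-":  # final line: no '-' separator
            return code, lines, rest


def naive_first_line_only(data: bytes) -> Tuple[int, bytes]:
    """Read one line and treat it as the whole reply, leaving the rest
    of a multi-line greeting unread in the buffer."""
    nl = data.find(b"\r\n")
    return int(data[:3]), data[nl + 2:]


def naive_ehlo_reply_code(greeting: bytes, ehlo_reply: bytes) -> int:
    """Code a one-line reader attributes to its EHLO: it sees the leftover
    greeting line (220) instead of the server's real 250."""
    _, leftover = naive_first_line_only(greeting)
    code, _ = naive_first_line_only(leftover + ehlo_reply)
    return code
```

The naive reader never sees the 250 and is out of step with the server for the rest of the session, which is one way a self-contained SMTP engine could fail on a long banner and keep retrying.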

