[Dshield] Accidental inoculation against SoBig?

Doug White doug at clickdoug.com
Thu Aug 21 15:12:13 GMT 2003

Just for info, my AMaViS has trapped 25 SoBig emails.

Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Thursday, August 21, 2003 9:04 AM
Subject: [Dshield] Accidental inoculation against SoBig?

| Greetings all:
| I have noticed two trends in recent days that have had me really concerned. In
| fact, to say I have been totally baffled would be an understatement.
| The first trend I noticed was an ever-increasing number of systems performing
| VERY aggressive port scans of our MTAs. In most cases, the host probing the MTA
| would repeat the probe anywhere from 10 to 200+ times an hour for hours (or, in
| some cases, days) on end. These are almost always originating from DSL or cable
| connections, thus I assumed that they were some new proxy server that our checks
| did not identify.
| The other trend I noticed REALLY REALLY REALLY bothered me: We were getting NO
| (zero! none! nada!) SoBig hits. This had me concerned to the point that
| yesterday I spent all day (like 19+ hours) upgrading our A-V engine and
| switching from AMaViS to MIMEDefang on all of our mail servers, thinking there
| had to be a problem in one of those components.
| When I first got up this morning, I logged in to several of our mail servers
| from the house and checked the log files. Still NO SoBig hits! At this point I
| was totally confused.
| Then, in the shower (which is where I do some of my best thinking!), I
| recalled someone mentioning yesterday that SoBig runs its own SMTP engine. Then
| I also remembered that in the past we have had problems with some really old
| SMTP servers gagging on our MTA's connection greeting; we all have a rather
| large multi-line 220 message that used to cause some problems.
| Then it hit me -- could SoBig's SMTP engine be gagging on our 220 greeting
| message? If so, then that could account for both of the trends I have been
| worrying about. It could be that we have not received any SoBig hits because it
| cannot connect to any of our MTAs successfully. SoBig could also be repeatedly
| trying these connections, and that could account for the aggressive port scans.
| Any thoughts on this? Could we have accidentally inoculated ourselves against
| SoBig by having a large greeting message that it cannot handle?
| Feedback appreciated.
| Oh, by the way, do NOT try to telnet to any of our MTAs to read the
| greeting -- you will be automatically blocked as a potential spammer. If you
| want a copy, contact me off list.
| Jon R. Kibler
| A.S.E.T., Inc.
| Charleston, SC  USA
| _______________________________________________
| list mailing list
| list at dshield.org
| To change your subscription options (or unsubscribe), see:
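The mechanism Jon is speculating about is the SMTP multi-line reply format: RFC 5321 section 4.2.1 says a multi-line reply carries the three-digit code followed by "-" on every line except the last, and the code followed by a space on the last line. A client that only ever reads one line of a reply will take the second banner line as the answer to its EHLO/HELO. The following is an added example written for this archive page, not code from the list or from either poster, and it does not claim to reproduce SoBig's actual SMTP engine. The banner, the EHLO response and the host names are constructed for the example; they are not the real A.S.E.T. greeting. It contrasts an RFC-compliant reply reader with a one-line reader in a simulated greeting -> EHLO exchange.

```python
"""Reading an SMTP multi-line 220 greeting correctly vs. naively.

Added example; not code from the thread. The banner and EHLO response are
constructed. Per RFC 5321 section 4.2.1, a multi-line reply has the code
followed by '-' on every line but the last and by a space on the last.
"""
import io

# Constructed four-line greeting followed by a constructed EHLO response:
# everything the server writes during the first two exchanges.
BANNER = (
    b"220-mx.example.test ESMTP ready\r\n"
    b"220-Unauthorized use of this system is prohibited and logged.\r\n"
    b"220-Open proxies and relays are refused; repeat offenders are\r\n"
    b"220 blocked automatically. Go ahead.\r\n"
)
EHLO_RESPONSE = (
    b"250-mx.example.test\r\n"
    b"250-8BITMIME\r\n"
    b"250 SIZE 10485760\r\n"
)


def read_reply(stream):
    """Read one complete (possibly multi-line) SMTP reply.

    Returns (code, [text lines]). Raises ValueError if the reply is
    malformed or the connection closes mid-reply.
    """
    code = None
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ValueError("connection closed before reply completed")
        line = raw.rstrip(b"\r\n").decode("ascii", "replace")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError(f"reply code changed mid-reply: {code} -> {this_code}")
        separator = line[3:4]
        lines.append(line[4:])
        if separator in (" ", ""):  # last line of the reply
            return code, lines
        if separator != "-":
            raise ValueError(f"unexpected separator {separator!r} after code")


def naive_read_reply(stream):
    """What a sloppy SMTP engine does: treat the first line as the whole reply."""
    raw = stream.readline()
    if not raw:
        raise ValueError("connection closed")
    line = raw.rstrip(b"\r\n").decode("ascii", "replace")
    return int(line[:3]), [line[4:]]


def parse_reply(data):
    """Convenience wrapper: parse one complete reply from bytes."""
    return read_reply(io.BytesIO(data))


def handshake(reader, server_output=BANNER + EHLO_RESPONSE):
    """Simulate the client side of greeting -> EHLO -> EHLO reply.

    The server's bytes are fixed in advance (banner, then the 250 reply it
    would send after our EHLO), so a BytesIO stands in for the socket.
    Returns True if the client reaches a successful (250) EHLO reply.
    """
    stream = io.BytesIO(server_output)
    code, _ = reader(stream)  # the 220 greeting
    if code != 220:
        return False
    # The client would send "EHLO client.example.test\r\n" here.
    code, _ = reader(stream)  # whatever the client takes as the EHLO reply
    return code == 250


if __name__ == "__main__":
    print("RFC-compliant reader completes EHLO:", handshake(read_reply))
    print("One-line reader completes EHLO:     ", handshake(naive_read_reply))
    print("One-line reader, single-line banner:",
          handshake(naive_read_reply,
                    b"220 mx.example.test ESMTP\r\n" + EHLO_RESPONSE))
```

With the multi-line banner the one-line reader reads "220-Unauthorized use ..." as the EHLO reply, sees 220 instead of 250 and gives up; with a single-line banner the same reader succeeds. Whether a given engine then drops the connection and retries, producing the repeated-probe pattern Jon describes, is his hypothesis and is not something this simulation can confirm; a packet capture of one of the probing hosts' sessions would show where the dialogue actually stalls.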
