[Dshield] Pattern in SoBig attacks?

Doug White doug at clickdoug.com
Mon Sep 1 17:48:04 GMT 2003
My mail gateway is receiving around 250 SoBig infected emails per day coming
from a single IP number in the Ameritech net block. This is from the server log
file: adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]. The computer sending
them is named JERRY.
None of this information is contained in the email header, as it is spoofing the
origin.
Anyone else seeing these, or am I just lucky?

Following is a graph of my Snort alerts and how they are growing daily.

--------------------------------------------------------------------------------
Date         # of Alerts
08/23/2003     0
08/24/2003    16
08/25/2003     5
08/26/2003     9
08/27/2003    11
08/28/2003    29
08/29/2003    21
08/30/2003    47
08/31/2003   100
09/01/2003    23
--------------------------------------------------------------------------------

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!