[Dshield] SoBig and spoofing

Doug White doug at clickdoug.com
Wed Sep 3 07:20:23 GMT 2003

I am receiving about 750 infected emails daily that show one IP number in my
mail server log, but different header information in the actual mail.

I am blocking the IP number at the perimeter of the server, however, the emails
seem to still be coming through (no biggie except for the traffic, the
anti-virus is catching all of them.)

Here are a few lines from the mail server, followed by the email header

Sep  3 01:39:06 GULF postfix/smtpd[2854]: connect from
Sep  3 01:39:08 GULF postfix/smtpd[2854]: 6A44D3E0070:
Sep  3 01:39:09 GULF postfix/smtpd[2854]: reject: RCPT from
adsl-68-73-64-36.dsl.klmzmi.ameritech.net[]: 504 <JERRY>: Helo
command rejected: need fully-qualified hostname; from=<refresh1971 at yahoo.com>

mail header :

The mail originated from: <>
Received: from newmail.webcc.net (newmail.webcc.net [])
by GULF.clickdoug.com (Postfix) with ESMTP id 94AA43E0070
for <munged>; Wed,  3 Sep 2003 01:20:17 -0500 (CDT)
Received: by newmail.webcc.net (PowerLinux Mail Daemon)
id B15267E0BB2; Tue,  2 Sep 2003 23:23:48 -0700 (PDT)
Date: Tue,  2 Sep 2003 23:23:48 -0700 (PDT)
From: MAILER-DAEMON at webcc.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: munged client address
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
Message-Id: <20030903062348.B15267E0BB2 at newmail.webcc.net>

This appears to be crafted as a bounced email with the worm attached.

What I can't figure out is how it appears different in the server log, and the
actual header, and also how to block them at the perimeter, as well as to who to

Any comments from a guru out there?

Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
If you are not satisfied with my service, my job isn't done!

More information about the list mailing list