[Dshield] Upsurge in SoBig?

Doug White doug at clickdoug.com
Sat Sep 6 16:12:14 GMT 2003

I am seeing a significant increase in spam routed through IP numbers that have
been hitting me on port 135.

Does this mean that these IP numbers have been made into unwitting proxy servers
due to infection by the SoBig.F Worm and that the spammers are now starting to
exploit them?

I am also being hammered by SoBig-infected emails crafted as bounces, but from a
few (about 20) sources.
The origin is spoofed in the email headers, but I have been tracking the source
IP numbers via the mail logs on the server. A couple of these are trying to
deliver infected emails at the rate of 50 per hour. So far I have been able to
block most of the IP numbers at the firewall, but it does seem to be a growing
menace again.

Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
If you are not satisfied with my service, my job isn't done!
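
The correlation described in the message above (port 135 probe sources versus SMTP client IPs, plus per-hour delivery rate) can be done from logs. This is an added example, not part of the original post; the log formats (iptables-style firewall lines, Postfix-style `connect from` lines), the sample data, the function names and the threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation-range IPs); formats are assumptions:
# iptables-style LOG output and Postfix-style smtpd "connect from" lines.
FIREWALL_LOG = """\
Sep  6 07:58:01 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=3121 DPT=135
Sep  6 08:01:44 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP SPT=4410 DPT=135
Sep  6 08:03:12 gw kernel: DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.1 PROTO=TCP SPT=1042 DPT=445
"""
MAIL_LOG = """\
Sep  6 08:10:05 mx postfix/smtpd[811]: connect from unknown[192.0.2.10]
Sep  6 08:25:40 mx postfix/smtpd[812]: connect from unknown[192.0.2.10]
Sep  6 08:41:13 mx postfix/smtpd[815]: connect from unknown[192.0.2.10]
Sep  6 09:02:30 mx postfix/smtpd[820]: connect from unknown[192.0.2.10]
Sep  6 08:15:00 mx postfix/smtpd[813]: connect from mail.example.org[198.51.100.25]
Sep  6 08:50:09 mx postfix/smtpd[816]: connect from unknown[192.0.2.99]
"""

FW_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) .*\bDPT=(\d+)\b")
# Group 1 is the "Mon DD HH" hour bucket, group 2 the connecting client IP.
MAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d{2}):\d{2}:\d{2} .*connect from \S*\[(\d+\.\d+\.\d+\.\d+)\]")

def port_probers(fw_log, port=135):
    """Set of source IPs seen hitting the given destination port."""
    return {m.group(1) for line in fw_log.splitlines()
            if (m := FW_RE.search(line)) and int(m.group(2)) == port}

def peak_hourly_connects(mail_log):
    """Map each SMTP client IP to its busiest hour's connection count."""
    per_hour = defaultdict(Counter)
    for line in mail_log.splitlines():
        if (m := MAIL_RE.search(line)):
            per_hour[m.group(2)][m.group(1)] += 1
    return {ip: max(hours.values()) for ip, hours in per_hour.items()}

def block_candidates(fw_log, mail_log, min_per_hour=3):
    """SMTP clients that also probed port 135, plus any client at or above
    min_per_hour connections in a single hour; sorted for stable output."""
    probers, peaks = port_probers(fw_log), peak_hourly_connects(mail_log)
    return sorted(ip for ip, peak in peaks.items()
                  if ip in probers or peak >= min_per_hour)

if __name__ == "__main__":
    for ip in block_candidates(FIREWALL_LOG, MAIL_LOG):
        print(ip)
```

Because the envelope and header origin are spoofed in these messages, the key is the connecting IP recorded by the MTA, not any address inside the mail.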

----- Original Message ----- 
From: "John Sage" <jsage at finchhaven.com>
To: <list at dshield.org>
Sent: Saturday, September 06, 2003 9:59 AM
Subject: [Dshield] Upsurge in SoBig?

| I've seen a significant upsurge in apparent SoBig infected email since
| about 2:00am PDT.
| At 8:00 PDT, I've 145 "new" email filtered by procmail, all of which
| seem to be SoBig infected :-/
| - John
| -- 
| "Warning: time of day goes back, taking countermeasures."