[Dshield] Upsurge in SoBig?
jsage at finchhaven.com
Sat Sep 6 16:16:51 GMT 2003
On Sat, Sep 06, 2003 at 07:59:46AM -0700, John Sage wrote:
> I've seen a significant upsurge in apparent SoBig-infected email since
> about 2:00am PDT.
> At 8:00 PDT, I've 145 "new" email filtered by procmail, all of which
> seem to be SoBig infected :-/
To look at them (now 155+) they all, without exception, have this
initial "Received: " line in the header:
Received: from INTERNET_3 ([126.96.36.199])
by mx1.eskimo.com (8.9.3/8.8.8) with ESMTP id JAA16678
for <jsage at finchhaven.com>; Sat, 6 Sep 2003 09:02:29 -0700
From: support at astonsoft.com
Message-Id: <200309061602.JAA16678 at mx1.eskimo.com>
To: <jsage at finchhaven.com>
Subject: Your details
[jsage at sparky /storage/virii] $ whois 188.8.131.52
BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman
connected to whois.arin.net [184.108.40.206:43] ...
connected to whois.ripe.net [220.127.116.11:43] ...
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 18.104.22.168 - 22.214.171.124
descr: Cabovisao, televisao por cabo, SA
status: ALLOCATED PA
changed: hostmaster at ripe.net 20000410
changed: hostmaster at ripe.net 20010116
changed: lir-help at ripe.net 20011214
"Warning: time of day goes back, taking countermeasures."
More information about the list