[Dshield] Upsurge in SoBig?

John Sage jsage at finchhaven.com
Sat Sep 6 16:16:51 GMT 2003


On Sat, Sep 06, 2003 at 07:59:46AM -0700, John Sage wrote:
> I've seen a significant upsurge in apparent SoBig-infected email since
> about 2:00am PDT.
> 
> At 8:00 PDT, I've 145 "new" email filtered by procmail, all of which
> seem to be SoBig infected :-/

To look at them (now 155+) they all, without exception, have this
initial "Received: " line in the header:

<snip>
Received: from INTERNET_3 ([213.228.165.3])
        by mx1.eskimo.com (8.9.3/8.8.8) with ESMTP id JAA16678
        for <jsage at finchhaven.com>; Sat, 6 Sep 2003 09:02:29 -0700
From: support at astonsoft.com
Message-Id: <200309061602.JAA16678 at mx1.eskimo.com>
To: <jsage at finchhaven.com>
Subject: Your details
<snip>


[jsage at sparky /storage/virii] $ whois 213.228.165.3
BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman
Request: 213.228.165.3
connected to whois.arin.net [192.149.252.43:43] ...
connected to whois.ripe.net [193.0.0.135:43] ...
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
 
inetnum:      213.228.128.0 - 213.228.191.255
netname:      PT-CABOVISAO-20000410
descr:        PROVIDER
descr:        Cabovisao, televisao por cabo, SA
country:      PT
admin-c:      AF3163-RIPE
tech-c:       VC1011-RIPE
status:       ALLOCATED PA
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    AS13156-MNT
mnt-routes:   AS13156-MNT
changed:      hostmaster at ripe.net 20000410
changed:      hostmaster at ripe.net 20010116
changed:      lir-help at ripe.net 20011214
source:       RIPE



- John
-- 
"Warning: time of day goes back, taking countermeasures."




More information about the list mailing list