[Dshield] Upsurge in SoBig?

John Sage jsage at finchhaven.com
Sat Sep 6 16:36:46 GMT 2003


On Sat, Sep 06, 2003 at 11:12:14AM -0500, Doug White wrote:
> I am seeing a significant increase in spam routed through IP numbers
> that have been hitting me on port 135.

When you say "spam" do you mean true spam, in the sense that it's the
usual (fat lips|enlarged penis|low mortgage rate) kinda stuff?

> Does this mean that these IP numbers have been made into unwitting
> proxy servers due to infection by the SoBig.F Worm and that the
> spammers are now starting to exploit them?

This was discussed in several forums, with the conspiracy theorists
going so far as to state that SoBig was a spammer-originated plague,
specifically intended to create mass, new open relays..

The jury is still out on that specific motive, but the effect (open
spam relaying) does seem to be confirmed, IIRC...

> I am also being hammered by SoBig infected emails crafted as
> bounces, but from a few (about 20) sources.

See my other post; I have now 155+ from:

Received: from INTERNET_3 ([])

apparently in Portugal, alone, all since about 2:00am PDT this

- John
"Warning: time of day goes back, taking countermeasures."

