[Dshield] Upsurge in SoBig?

John Sage jsage at finchhaven.com
Mon Sep 8 04:46:12 GMT 2003


hmm..

On Sun, Sep 07, 2003 at 05:34:06PM -0700, John D. wrote:
> >I've seen a significant upsurge in apparent SoBig infected email since
> >about 2:00am PDT.
> >
> >At 8:00 PDT, I've 145 "new" email filtered by procmail, all of which
> >seem to be SoBig infected :-/
> 
> You'll see an upsurge on these as school is just starting, and
> students are returning from summer break.   Not all universities
> have a strict policy on preventing students from connecting to the
> internet without getting their PCs disinfected.   An ivytech.edu
> student was hammering our network with more than 1000 copies daily
> until I tracked it down and contacted their IT dept and brought it
> to their attention. The mailings stopped soon afterwards.
/* snip */


Actually, this particular burst (211 total, timespan starting Sat, 6
Sep 2003 10:07:58 +0100, ending Sat, 6 Sep 2003 21:34:26 +0100) was
all virtually identical in its headers, being sourced "Received:
from INTERNET_3 ([213.228.165.3])"

The first:

/* snip */
Received: from INTERNET_3 ([213.228.165.3])
        by mx1.eksimo.com (8.9.3/8.8.8) with ESMTP id CAA18720
        for <jsage at finchhaven.com>; Sat, 6 Sep 2003 02:07:57 -0700
From: matthias.weisgerber at uni-konstanz.de
Message-Id: <200309060907.CAA18720 at mx1.eksimo.com>
To: <jsage at finchhaven.com>
Subject: Re: Wicked screensaver
Date: Sat, 6 Sep 2003 10:07:58 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="_NextPart_000_03708C59"
X-UIDL: adi!!KD\"!/%("!Z-C!!
Status: RO
Content-Length: 100992
Lines: 1324
/* snip */

and the last:

/* snip */
Received: from INTERNET_3 ([213.228.165.3])
        by mx1.eksimo.com (8.9.3/8.8.8) with ESMTP id NAA19652
        for <jsage at finchhaven.com>; Sat, 6 Sep 2003 13:34:24 -0700
From: 20info at subseven.de
Message-Id: <200309062034.NAA19652 at mx1.eksimo.com>
To: <jsage at finchhaven.com>
Subject: Re: That movie
Date: Sat, 6 Sep 2003 21:34:26 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="_NextPart_000_05E4F5B3"
X-UIDL: -F[!!9')"!9o%#!&f"#!
Status: O
Content-Length: 102218
Lines: 1340
/* snip */


Actually, the only variation was in "From: ", "Subject: ", "boundary=
", "X-UIDL: ", "Content-Length: ", and in "Lines: " and those
variations were very minor...


- John
-- 
"Warning: time of day goes back, taking countermeasures."
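The triage John describes by eye (group the batch by the IP in the Received header the local MX wrote, then see which header fields differ inside that group) is easy to script. The following is an added example and not code from the original post: it parses a constructed set of sample messages modelled on the headers quoted above (the MX name mx1.example.test, the recipient address, the sender addresses, the dates of the second and fourth messages and the second source IP 198.51.100.7 are made up), clusters them by the topmost Received hop, and reports the time span plus the constant and varying headers per cluster. Headers that change on every delivery anyway (Received, Message-Id, Date, X-UIDL, Status) are left out of the variation report so that what remains is the sender-side fingerprint.

```python
"""Cluster mails by the source IP in the Received header our own MX added,
then report which header fields vary inside each cluster.
Constructed example; not code from the original post."""
import email
import re
from collections import defaultdict
from email.utils import parsedate_to_datetime

# Matches the sendmail-style "from HELO ([ip])" or "from HELO (rdns [ip])" hop.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:[^\s\[\]]+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
)
# Headers that differ on every delivery and say nothing about the sender.
PER_DELIVERY = {"received", "message-id", "date", "x-uidl", "status"}

# Constructed sample modelled on the post's headers; hostnames, addresses and
# the 198.51.100.7 source are assumptions, not data from the post.
TEMPLATE = """Received: from {helo} ([{ip}])
        by mx1.example.test (8.9.3/8.8.8) with ESMTP id {qid}
        for <victim@example.test>; {date}
From: {sender}
Message-Id: <{qid}@mx1.example.test>
To: <victim@example.test>
Subject: {subject}
Date: {date}
X-Mailer: {mailer}
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="{boundary}"
Content-Length: {length}

(body omitted)
"""
OE6 = "Microsoft Outlook Express 6.00.2600.0000"
SAMPLE_MESSAGES = [
    TEMPLATE.format(helo="INTERNET_3", ip="213.228.165.3", qid="CAA18720",
                    date="Sat, 6 Sep 2003 10:07:58 +0100", sender="a@example.test",
                    subject="Re: Wicked screensaver", mailer=OE6,
                    boundary="_NextPart_000_03708C59", length=100992),
    TEMPLATE.format(helo="INTERNET_3", ip="213.228.165.3", qid="HAA19101",
                    date="Sat, 6 Sep 2003 15:20:01 +0100", sender="b@example.test",
                    subject="Re: Your application", mailer=OE6,
                    boundary="_NextPart_000_0A1B2C3D", length=101500),
    TEMPLATE.format(helo="INTERNET_3", ip="213.228.165.3", qid="NAA19652",
                    date="Sat, 6 Sep 2003 21:34:26 +0100", sender="c@example.test",
                    subject="Re: That movie", mailer=OE6,
                    boundary="_NextPart_000_05E4F5B3", length=102218),
    TEMPLATE.format(helo="mail.other.test", ip="198.51.100.7", qid="PAA20001",
                    date="Sat, 6 Sep 2003 23:01:10 +0100", sender="d@other.test",
                    subject="Meeting", mailer="Mutt/1.4i",
                    boundary="=-abc123", length=2040),
]


def parse_messages(raw_messages):
    """Parse raw RFC 822 text into Message objects."""
    return [email.message_from_string(raw) for raw in raw_messages]


def normalise(value):
    """Unfold a header value and collapse its whitespace."""
    return " ".join(str(value).split())


def first_hop(msg):
    """Return (helo, ip) from the topmost Received header.  Only that line was
    written by our own MX; lower Received lines are sender-supplied and can be
    forged, so never cluster on those."""
    received = msg.get_all("Received") or []
    m = HOP_RE.match(normalise(received[0])) if received else None
    return (m.group("helo"), m.group("ip")) if m else None


def cluster_by_source(msgs):
    """Group messages by the IP our MX recorded for the sending host."""
    clusters = defaultdict(list)
    for msg in msgs:
        hop = first_hop(msg)
        clusters[hop[1] if hop else "unknown"].append(msg)
    return dict(clusters)


def header_values(msgs, name):
    """Normalised value of header `name` per message (None if absent)."""
    out = []
    for m in msgs:
        vals = m.get_all(name)
        out.append(" | ".join(normalise(v) for v in vals) if vals else None)
    return out


def variation(msgs):
    """Split header names into those constant across the cluster and those
    that vary, ignoring fields that change on every delivery anyway."""
    names = {k.lower() for m in msgs for k in m.keys()} - PER_DELIVERY
    constant, varying = [], []
    for name in sorted(names):
        (varying if len(set(header_values(msgs, name))) > 1 else constant).append(name)
    return constant, varying


def summarize(cluster):
    """Count, time span and header variation for one source cluster."""
    dates = sorted(parsedate_to_datetime(normalise(m["Date"])) for m in cluster)
    constant, varying = variation(cluster)
    return {"count": len(cluster), "first": dates[0], "last": dates[-1],
            "span_seconds": int((dates[-1] - dates[0]).total_seconds()),
            "constant": constant, "varying": varying}


if __name__ == "__main__":
    for ip, cluster in cluster_by_source(parse_messages(SAMPLE_MESSAGES)).items():
        print(ip, summarize(cluster))
```

On the constructed sample the 213.228.165.3 cluster comes out with From, Subject, Content-Type (the boundary) and Content-Length varying and X-Mailer, To and MIME-Version constant, which is the pattern the post describes. For real mail, feed the script the messages procmail filtered off and trust only the Received line your own MX wrote: everything below it in the header block arrived in the SMTP DATA and can be forged by a worm or spammer.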