[Dshield] Upsurge in SoBig?

Joe Stewart jstewart at lurhq.com
Mon Sep 8 14:06:58 GMT 2003

On Sunday 07 September 2003 08:42 pm, John D. wrote:
> One of the things we really want,  is to find someone infected that
> previously sent me a copy of the Sobig,   then get them to send me another
> message from their machine so we can compare the mail headers,  which is
> going to give us a good idea of how to fingerprint the proxy servers they
> install on infected machines.   With this informaion,  we should be able to
> identify without a doubt if this was a proxy installed through the proxy or
> virus.
> With this fingerprint info,  we can then identiify spam channelled through
> this method.

If they send it through the HTTP or SOCKS proxy there will be nothing 
appended to the headers you could use to fingerprint the proxy. If they
send it through the SMTP service, you will see this sobig-specific,
fingerprintable header added:

Received: From me (unverified [me]) by me [me]
 (SKRTgan SMTP Receiver v6.0y) with SMTP id <local>;

Unfortunately most spammers who use the Sobig proxies use HTTP or SOCKS.


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation

More information about the list mailing list