[Dshield] "Your IP was logged" Spam/Virus

Mark markt442 at yahoo.com
Wed Nov 23 01:07:09 GMT 2005


Yup, rec'd 15 from one IP address (BellSouth) over
nearly a 12 hour period.

I have recorded the following table (all transmissions
on 11/22/05):

Time      Topic                         Src IP       Spoofed Address
11:16:28  Your IP was logged            68.221.13.5  Admin at fbi.gov
10:14:13  Registration Confirmation     68.221.13.5  webmaster at alamance.cc.nc.us
9:34:20   Mail delivery failed          68.221.13.5  postmaster at domail.maricopa.edu
8:52:42   Your Password                 68.221.13.5  postman at cbts.cinbell.com
5:40:56   Your IP was logged            68.221.13.5  Office at cia.gov
5:37:54   Your IP was logged            68.221.13.5  Post at fbi.gov
5:14:48   Registration Confirmation     68.221.13.5  hostmaster at unisys.com
4:08:26   Paris_Hilton_&_Nicole_Richie  68.221.13.5  info at lowes.com
3:37:53   Paris_Hilton_&_Nicole_Richie  68.221.13.5  Admin at zonelabs.com
3:22:25   Your IP was logged            68.221.13.5  Mail at fbi.gov
2:39:21   Mail delivery failed          68.221.13.5  office at roanoke.cc.nc.us
2:25:30   Your IP was logged            68.221.13.5  Admin at cia.gov
1:55:07   hi, ive a new mail address    68.221.13.5  BRANDON at ad.funnel.revenuedirect.com.akadns.net
0:20:40   Your Password                 68.221.13.5  office at thawte.com
0:19:08   Registration Confirmation     68.221.13.5  postman at carteret.edu


Interesting to see how the single site rolled thru
messages and spoofed addresses. Of course the IP may
have been spoofed (Bellsouth), but it is a "live" IP
and doesn't appear to respond to scans of a few common
ports - suggesting either a closed system (it does
respond to a ping).

BTW - Port scans are still legal AFAIK - but I have no
intention of making a connection.

-Mark

From:	"Scott Fendley" <scottf at uark.edu>
Subject:	Re: [Dshield] "Your IP was logged" Spam/Virus
Date:	Mon, 21 Nov 2005 17:24:47 -0600

Yup.  This appears to be a new Sober variation (sober.Y) going
around today.  What a busy day it has been.


At 03:05 PM 11/21/2005, Wayne Beckham wrote:
>Is anyone else seeing a recurrence of these spoofed messages purporting to
>be from the FBI, CIA, etc?  I've had a couple of users report them in the
>last two hours.
>
>Probably nothing, but I just wondered if anyone else was seeing them...
>
>- Wayne


		

