[unisog] sobig.f SMTP hosts?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Aug 20 18:55:02 GMT 2003

On Wed, 20 Aug 2003 11:30:16 PDT, "Pollock, Joseph" <PollockJ at evergreen.edu>  said:

> Is this one using the SMTP host confgured on the victim's machine?  If this
> is the case, a number of my users may be able to contact the infected
> machine's owner.  If this is not the case, I don't want them to waste their
> time trying.

Check the series of Received: lines in the header, that's what they're there for.

You should be able to quickly identify what SMTP host was actually used.  At least
for Sobig-F, the first (bottom-most) Received: should say exactly what host was
infected, and what mail server received it.

If the mail host isn't logging the IP address, or you're unable to convert from
an IP address to a jack/office/location, you have bigger management issues you
probably want to address....

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20030820/a6b2b4d6/attachment-0003.bin

More information about the unisog mailing list