[unisog] sobig.f SMTP hosts?
PollockJ at evergreen.edu
Wed Aug 20 20:35:35 GMT 2003
I've been curious about this aspect of the server because my final hop
records have been showing hosts that do not appear to be desktop hosts/DHCP
addresses and the like. I know some other viruses have used relays even
though they contained their own SMTP engine, and some discussion of spam
relay trojans indicates that a preferred mode of operation may be to use
such a relay host because it is likely more powerful than the desktop.
From: H. Morrow Long [mailto:morrow.long at yale.edu]
Sent: Wednesday, August 20, 2003 1:20 PM
To: Pollock, Joseph
Cc: 'unisog at sans.org'
Subject: Re: [unisog] sobig.f SMTP hosts?
From what I've seen of the Sobig.F mail 'server' (SMTP
outgoing engine) it appears to function as a 'smart' host
(e.g. it can do full DNS resolution, finds MX records, etc)
and it therefore doesn't need the services of a smarter
SMTP server but can function fine completely standalone
(e.g. it doesn't appear to use the SMTP host setting on
the user's email client).
H. Morrow Long, CISSP
Director - Information Security
Yale University, ITS
Pollock, Joseph wrote:
> Like everyone else, we're seeing a lot of sobig.f delivered to the campus.
> I've looked at the tech descriptions from the major antivirus vendors, and
> they all agree that the virus has its own SMTP engine, but unlike some
> previous advisories, there is no list of SMTP servers used by the virus.
> Is this one using the SMTP host configured on the victim's machine? If this
> is the case, a number of my users may be able to contact the infected
> machine's owner. If this is not the case, I don't want them to waste
> time trying.
> Joe Pollock
> Network Services
> The Evergreen State College
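A defender-side check for the "final hop" question raised above, added here as an example and not part of the thread: it pulls the delivering host out of the topmost Received: header (the host that spoke SMTP directly to our server) and labels it against local DHCP and relay ranges. All hostnames, addresses and ranges are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample as stored by the receiving MTA (placeholder names, RFC 1918
# addresses); the topmost Received: line is the final hop into our server.
SAMPLE_MESSAGE = (
    "Received: from dhcp-20-30-40.example.edu\n"
    "\t(dhcp-20-30-40.example.edu [10.20.30.40])\n"
    "\tby mx1.example.edu (Postfix) with SMTP id 1A2B3C;\n"
    "\tWed, 20 Aug 2003 13:02:11 -0700 (PDT)\nSubject: Re: Details\n\nbody\n"
)
# Assumed local knowledge (hypothetical): desktop DHCP pools and the
# sanctioned relays that client-submitted mail normally passes through.
DHCP_POOLS = [ipaddress.ip_network("10.20.0.0/16")]
MAIL_RELAYS = {ipaddress.ip_address("10.1.0.25")}
# The "from <helo> (<rdns> [<ip>])" clause written by Postfix and Sendmail.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)"
)

def unfold_headers(message):
    """Return (name, value) pairs with folded continuation lines joined."""
    headers = []
    for line in message.split("\n"):
        if line == "":
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def final_hop(message):
    """Parse the topmost Received: header, i.e. the host that spoke SMTP to us."""
    for name, value in unfold_headers(message):
        if name == "received":
            m = RECEIVED_RE.search(value)
            return (m["helo"], m["rdns"], m["ip"].strip()) if m else None
    return None

def classify_hop(ip):
    """Label the delivering host against the local network knowledge above."""
    addr = ipaddress.ip_address(ip)
    if addr in MAIL_RELAYS:
        return "relay"         # expected path for client-submitted mail
    if any(addr in pool for pool in DHCP_POOLS):
        return "dhcp-desktop"  # host ran SMTP itself; its owner can be contacted
    return "other"             # server or external host; needs a closer look
```

A "dhcp-desktop" result is the case where contacting the machine's owner is worthwhile; "other" hits are the ones worth checking for a compromised server or relay.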