Sobig.f and no actual messages

Richard Hopkins Richard.Hopkins at
Thu Aug 28 11:16:51 GMT 2003

I noticed yesterday that local systems infected with Sobig.f are making 
repeated connections to the MX hosts of our domain (no surprises there ;-)

However, all they appear to be doing when they do is connect, issue an HELO 
(or EHLO), issue a MAIL FROM:, issue an RCPT TO: and then disconnect (they 
don't appear to enter into the data transfer phase, nor issue a QUIT).

I've only got limited monitoring facilities available to me on the MX 
hosts, but the above is what *appears* to be happening.

Anyone else seen this?


Richard Hopkins,
Information Services,
Computer Centre,
University of Bristol,
Bristol, BS8 1UD, UK

Tel +44 117 928 7859
Fax +44 117 929 1576
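
The session pattern described in the message above, written as a log check. This is an added example, not part of the original post: the three-field log format, the session IDs and the addresses are constructed for illustration and do not correspond to any particular MTA's logging.

```python
from collections import defaultdict

# Constructed sample log, one line per event: "<session-id> <client-ip> <event>".
# <event> is the SMTP verb the client sent, or DISCONNECT when the connection closed.
SAMPLE_LOG = """\
s1 192.0.2.10 EHLO
s1 192.0.2.10 MAIL
s1 192.0.2.10 RCPT
s1 192.0.2.10 DISCONNECT
s2 192.0.2.20 HELO
s2 192.0.2.20 MAIL
s2 192.0.2.20 RCPT
s2 192.0.2.20 DATA
s2 192.0.2.20 QUIT
s2 192.0.2.20 DISCONNECT
s3 192.0.2.10 HELO
s3 192.0.2.10 MAIL
s3 192.0.2.10 RCPT
s3 192.0.2.10 DISCONNECT
s4 192.0.2.30 EHLO
s4 192.0.2.30 QUIT
s4 192.0.2.30 DISCONNECT
s5 192.0.2.40 HELO
s5 192.0.2.40 MAIL
s5 192.0.2.40 RCPT
"""

def abandoned_sessions(log_text):
    """Map client IP -> sessions that sent HELO/EHLO, MAIL, RCPT, then dropped without DATA or QUIT."""
    verbs, ips = defaultdict(list), {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip malformed lines
            continue
        sid, ip, event = parts
        ips[sid] = ip
        verbs[sid].append(event.upper())
    hits = defaultdict(list)
    for sid, seq in verbs.items():
        if seq[-1] != "DISCONNECT":  # session still open in this log slice; cannot judge yet
            continue
        seen = set(seq)
        greeted = "HELO" in seen or "EHLO" in seen
        if greeted and {"MAIL", "RCPT"} <= seen and not ({"DATA", "QUIT"} & seen):
            hits[ips[sid]].append(sid)
    return dict(hits)

if __name__ == "__main__":
    print(abandoned_sessions(SAMPLE_LOG))
```

Grouping by client IP makes repeated connections from the same host stand out, which matches the "repeated connections" in the report.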

