[unisog] Sobig.f and no actual messages

Russell Fulton r.fulton at auckland.ac.nz
Thu Aug 28 23:04:54 GMT 2003


-----Forwarded Message-----
From: Bojan Zdrnja <b.zdrnja at auckland.ac.nz>
To: 'Russell Fulton' <r.fulton at auckland.ac.nz>
Subject: RE: [Fwd: [unisog] Sobig.f and no actual messages]
Date: 29 Aug 2003 09:23:56 +1200

Yep,

In some cases Sobig-F does that to check if the server will allow him to
relay e-mail through it.
It might check with different from and rcpt to addresses, to see if
everything is ok and then fire up its flood.

Bojan

> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz] 
> Sent: Friday, 29 August 2003 8:51 a.m.
> To: Bojan Zdrnja
> Subject: [Fwd: [unisog] Sobig.f and no actual messages]
> 
> 
> Are we seeing this?
> 
> -----Forwarded Message-----
> From: Richard Hopkins <Richard.Hopkins at bristol.ac.uk>
> To: unisog at sans.org
> Subject: [unisog] Sobig.f and no actual messages
> Date: 28 Aug 2003 12:16:51 +0100
> 
> 
> I noticed yesterday that local systems infected with Sobig.f are making
> repeated connections to the MX hosts of our domain (no surprises there ;-)
> 
> However, all they appear to be doing when they do is connect, issue an HELO
> (or EHLO), issue a MAIL FROM:, issue an RCPT TO: and then disconnect (they
> don't appear to enter into the data transfer phase, nor issue a QUIT).
> 
> I've only got limited monitoring facilities available to me on the MX 
> hosts, but the above is what *appears* to be happening.
> 
> Anyone else seen this?
> 
> Cheers,
> 
> Richard Hopkins,
> Information Services,
> Computer Centre,
> University of Bristol,
> Bristol, BS8 1UD, UK
> 
> Tel +44 117 928 7859
> Fax +44 117 929 1576

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
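The pattern Richard describes (HELO/EHLO, MAIL FROM, RCPT TO, then a disconnect before DATA or QUIT) and Bojan's reading of it as a relay test can be picked out of per-session SMTP command logs. The script below is an added example, not part of this thread; it assumes a constructed, simplified log format ("session-id client-ip command") and an assumed list of locally served domains.

```python
import re
from collections import Counter

LOCAL_DOMAINS = {"example.ac.uk"}  # assumption: domains this MX is authoritative for
# Constructed sample log, one SMTP command or connection event per line:
# "<session-id> <client-ip> <command>". Not the output of any real MTA.
SAMPLE_LOG = """\
s1 192.0.2.10 EHLO pc-lab42
s1 192.0.2.10 MAIL FROM:<someone@example.net>
s1 192.0.2.10 RCPT TO:<victim@example.org>
s1 192.0.2.10 DISCONNECT
s2 198.51.100.7 EHLO mail.partner.example
s2 198.51.100.7 MAIL FROM:<a@partner.example>
s2 198.51.100.7 RCPT TO:<user@example.ac.uk>
s2 198.51.100.7 DATA
s2 198.51.100.7 QUIT
s3 192.0.2.10 HELO pc-lab42
s3 192.0.2.10 MAIL FROM:<other@example.com>
s3 192.0.2.10 RCPT TO:<user@example.ac.uk>
s3 192.0.2.10 DISCONNECT
"""
RCPT_RE = re.compile(r"^RCPT TO:\s*<?([^>\s]+)>?", re.IGNORECASE)

def parse_sessions(log):
    """Group log lines into {session_id: (client_ip, [commands])}."""
    sessions = {}
    for line in log.splitlines():
        sid, ip, cmd = line.split(" ", 2)
        sessions.setdefault(sid, (ip, []))[1].append(cmd)
    return sessions

def classify(commands, local_domains=LOCAL_DOMAINS):
    """None for a normal session; "aborted-after-rcpt" when MAIL FROM and RCPT TO
    were sent but DATA/QUIT never came; "relay-probe" if a recipient was non-local."""
    verbs = {c.split(":")[0].split(" ")[0].upper() for c in commands}
    if not {"MAIL", "RCPT"} <= verbs or verbs & {"DATA", "QUIT"}:
        return None
    rcpts = [m.group(1) for c in commands for m in [RCPT_RE.match(c)] if m]
    domains = {r.rsplit("@", 1)[-1].lower() for r in rcpts}
    return "relay-probe" if domains - local_domains else "aborted-after-rcpt"

def suspicious_clients(log, local_domains=LOCAL_DOMAINS):
    """{client_ip: Counter of verdicts} for hosts worth a closer look."""
    report = {}
    for ip, commands in parse_sessions(log).values():
        verdict = classify(commands, local_domains)
        if verdict:
            report.setdefault(ip, Counter())[verdict] += 1
    return report
```

A host that repeatedly aborts after RCPT TO, especially with non-local recipients, is the candidate for a desktop-side infection check; a session that reaches DATA is ordinary delivery and is left alone.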