RE: [Fwd: [unisog] Sobig.f and no actual messages]
r.fulton at auckland.ac.nz
Thu Aug 28 23:04:54 GMT 2003
From: Bojan Zdrnja <b.zdrnja at auckland.ac.nz>
To: 'Russell Fulton' <r.fulton at auckland.ac.nz>
Subject: RE: [Fwd: [unisog] Sobig.f and no actual messages]
Date: 29 Aug 2003 09:23:56 +1200
In some cases Sobig-F does that to check if the server will allow it to
relay e-mail through it.
It might check with different FROM and RCPT TO addresses to see if
everything is OK and then fire up its flood.
> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
> Sent: Friday, 29 August 2003 8:51 a.m.
> To: Bojan Zdrnja
> Subject: [Fwd: [unisog] Sobig.f and no actual messages]
> Are we seeing this?
> -----Forwarded Message-----
> From: Richard Hopkins <Richard.Hopkins at bristol.ac.uk>
> To: unisog at sans.org
> Subject: [unisog] Sobig.f and no actual messages
> Date: 28 Aug 2003 12:16:51 +0100
> I noticed yesterday that local systems infected with Sobig.f are making
> repeated connections to the MX hosts of our domain (no surprises there ;-)
> However, all they appear to be doing when they do is connect, issue a HELO
> (or EHLO), issue a MAIL FROM:, issue an RCPT TO: and then disconnect (they
> don't appear to enter into the data transfer phase, nor issue a QUIT).
> I've only got limited monitoring facilities available to me on the MX
> hosts, but the above is what *appears* to be happening.
> Anyone else seen this?
> Richard Hopkins,
> Information Services,
> Computer Centre,
> University of Bristol,
> Bristol, BS8 1UD, UK
> Tel +44 117 928 7859
> Fax +44 117 929 1576
Russell Fulton, Network Security Officer, The University of Auckland,
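The pattern Richard describes (HELO/EHLO, MAIL FROM, RCPT TO, then a disconnect with no DATA and no QUIT) and Bojan's reading of it (a relay check with varying envelope addresses) can be turned into a simple detector over MX command logs. The script below is an added example, not code from either message or from any MTA; the per-command log format, the LOCAL_DOMAINS set, the session IDs and all sample lines are constructed for illustration. It classifies each session and then flags client IPs that keep probing.

```python
"""
Flag Sobig.F-style SMTP probe sessions: envelope negotiated, no DATA.

Assumed (constructed) log format, one line per SMTP command the MX saw:
    <client-ip> <session-id> <command line>
with a synthetic "CLOSE" line marking the TCP teardown.  Real MTA logs
(sendmail, Postfix, Exim) look different; only the heuristic carries over.
"""
import re
from collections import defaultdict

# Assumed: the domains this MX accepts mail for.  A RCPT TO outside this set
# is a request to relay, which is what an open-relay probe is testing.
LOCAL_DOMAINS = {"example.ac.uk"}

# Constructed sample log (not real data).  s1/s2 are two probes from one
# infected host; s3 is a normal delivery from an unrelated peer.
SAMPLE_LOG = """\
10.1.2.3 s1 EHLO pc123.example.ac.uk
10.1.2.3 s1 MAIL FROM:<someone@hotmail.com>
10.1.2.3 s1 RCPT TO:<victim@yahoo.com>
10.1.2.3 s1 CLOSE
10.1.2.3 s2 HELO pc123
10.1.2.3 s2 MAIL FROM:<other@aol.com>
10.1.2.3 s2 RCPT TO:<user@example.ac.uk>
10.1.2.3 s2 CLOSE
10.9.9.9 s3 EHLO mail.partner.org
10.9.9.9 s3 MAIL FROM:<a@partner.org>
10.9.9.9 s3 RCPT TO:<user@example.ac.uk>
10.9.9.9 s3 DATA
10.9.9.9 s3 QUIT
10.9.9.9 s3 CLOSE
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def envelope_address(cmd):
    """Return the address from 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'.

    The bare form 'RCPT TO:a@b' (non-RFC but common from malware) is tolerated.
    """
    m = ADDR_RE.search(cmd)
    if m:
        return m.group(1).strip().lower()
    _, _, rest = cmd.partition(":")
    return rest.strip().lower()


def parse_sessions(log_text):
    """Group log lines into sessions: {session_id: {"ip": ..., "commands": [...]}}."""
    sessions = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, sid, cmd = line.split(" ", 2)
        sess = sessions.setdefault(sid, {"ip": ip, "commands": []})
        sess["commands"].append(cmd)
    return sessions


def classify_session(sess):
    """delivery / relay_probe / envelope_probe / other.

    A session that sets up MAIL FROM and RCPT TO but never reaches DATA is a
    probe whether or not it bothered to QUIT; it is a relay probe if any
    recipient is outside LOCAL_DOMAINS (a relay-denied 5xx also ends there).
    """
    verbs = [c.split(None, 1)[0].upper().rstrip(":") for c in sess["commands"]]
    if "DATA" in verbs:
        return "delivery"
    if "MAIL" in verbs and "RCPT" in verbs:
        rcpts = [envelope_address(c) for c in sess["commands"]
                 if c.upper().startswith("RCPT")]
        remote = [r for r in rcpts if r.rpartition("@")[2] not in LOCAL_DOMAINS]
        return "relay_probe" if remote else "envelope_probe"
    return "other"


def suspicious_clients(sessions, min_probes=2):
    """Count probe sessions per client IP; return those at or above the threshold."""
    counts = defaultdict(int)
    for sess in sessions.values():
        if classify_session(sess).endswith("_probe"):
            counts[sess["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_probes}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for sid, sess in sessions.items():
        print(sid, sess["ip"], classify_session(sess))
    print("repeat probers:", suspicious_clients(sessions))
```

Run against real traffic, the threshold should be per time window (a single probe is not unusual; a host that does it every few seconds is), and the flagged IPs are internal hosts to clean, not external senders to block at the MX.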