[unisog] Sobig.f and no actual messages
Richard.Hopkins at bristol.ac.uk
Wed Sep 3 08:01:07 GMT 2003
What surprises me is the ratio I'm seeing of hits from Sobig.F infected
systems to the number of messages submitted. One locally infected PC, for
example, hit one of our mail exchangers 5,383 times last week but only
actually sent 1 message; it hit our other mail exchanger 8,828 times and
submitted zero. As I write, I can see that a remote system is hitting us
similarly (issuing a MAIL FROM: and RCPT TO: but no actual message).
Over the last 3 days we've taken 27,320 hits from it (on one of our mail
exchangers), but seen zero actual messages from it.
--On Friday, August 29, 2003 11:04 AM +1200 Russell Fulton
<r.fulton at auckland.ac.nz> wrote:
> -----Forwarded Message-----
> From: Bojan Zdrnja <b.zdrnja at auckland.ac.nz>
> To: 'Russell Fulton' <r.fulton at auckland.ac.nz>
> Subject: RE: [Fwd: [unisog] Sobig.f and no actual messages]
> Date: 29 Aug 2003 09:23:56 +1200
> In some cases Sobig-F does that to check if the server will allow him to
> relay e-mail through it.
> It might check with different from and rcpt to addresses, to see if
> everything is ok and then fire up its flood.
>> -----Original Message-----
>> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
>> Sent: Friday, 29 August 2003 8:51 a.m.
>> To: Bojan Zdrnja
>> Subject: [Fwd: [unisog] Sobig.f and no actual messages]
>> Are we seeing this?
>> -----Forwarded Message-----
>> From: Richard Hopkins <Richard.Hopkins at bristol.ac.uk>
>> To: unisog at sans.org
>> Subject: [unisog] Sobig.f and no actual messages
>> Date: 28 Aug 2003 12:16:51 +0100
>> I noticed yesterday that local systems infected with Sobig.f are making
>> repeated connections to the MX hosts of our domain (no surprises there ;-)
>> However, all they appear to be doing when they do is connect, issue an HELO
>> (or EHLO), issue a MAIL FROM:, issue an RCPT TO: and then disconnect (they
>> don't appear to enter into the data transfer phase, nor issue a QUIT).
>> I've only got limited monitoring facilities available to me on the MX
>> hosts, but the above is what *appears* to be happening.
>> Anyone else seen this?
>> Richard Hopkins,
>> Information Services,
>> Computer Centre,
>> University of Bristol,
>> Bristol, BS8 1UD, UK
>> Tel +44 117 928 7859
>> Fax +44 117 929 1576
> Russell Fulton, Network Security Officer, The University of Auckland,
> New Zealand.
University of Bristol,
Bristol, BS8 1UD, UK
Tel +44 117 928 7859
Fax +44 117 929 1576
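The session shape discussed in this thread (connect, HELO/EHLO, MAIL FROM:, RCPT TO:, then a disconnect with no DATA and no QUIT) can be picked out mechanically on the MX side, which turns the "hits versus actual messages" ratio Richard reports into a per-client detection rule. The following is an added example and is not code from the thread or from any of its posters. It assumes that each connection has already been reduced to the list of command lines the client sent (a hypothetical record format; a real deployment would build it from the MTA's session log or a packet capture), that `example.ac.uk` is the local domain, that a DATA command counts as a submitted message (a real check would also look for the 250 after the terminating dot), and it uses Bojan's suggestion that the probes may be relay tests (RCPT TO: a non-local domain) only as a separately counted heuristic. All session data below is constructed, and the thresholds are assumptions to tune against your own traffic.

```python
"""Flag SMTP clients that open many sessions but almost never reach DATA."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Assumed local domain; anything else in RCPT TO: is treated as "foreign".
LOCAL_DOMAINS = {"example.ac.uk"}


@dataclass
class Session:
    client: str          # client IP as seen by the MX host
    commands: list       # command lines sent by the client, in order


@dataclass
class ClientSummary:
    hits: int = 0                # connections ("hits" in the thread's sense)
    messages: int = 0            # sessions that reached DATA
    aborted_after_rcpt: int = 0  # RCPT TO: issued, then dropped with no DATA/QUIT
    foreign_rcpts: int = 0       # RCPT TO: naming a non-local domain (relay-test heuristic)


def classify(session):
    """Walk one session's commands and report how far the client got."""
    seen = {"HELO": False, "MAIL": False, "RCPT": False, "DATA": False, "QUIT": False}
    foreign_rcpt = False
    for line in session.commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            verb = "HELO"
        if verb in seen:
            seen[verb] = True
        if verb == "RCPT":
            # Extract the domain from RCPT TO:<user@domain>; ignore malformed args.
            m = re.search(r"<[^>]*@([^>]+)>", arg)
            if m and m.group(1).lower() not in LOCAL_DOMAINS:
                foreign_rcpt = True
    # Furthest stage reached, in protocol order.
    stage = "CONNECT"
    for s in ("HELO", "MAIL", "RCPT", "DATA"):
        if seen[s]:
            stage = s
    return {
        "stage": stage,
        "delivered": seen["DATA"],
        "quit": seen["QUIT"],
        "foreign_rcpt": foreign_rcpt,
    }


def summarize(sessions):
    """Aggregate per-client counters over a list of Session records."""
    per_client = defaultdict(ClientSummary)
    for sess in sessions:
        c = classify(sess)
        st = per_client[sess.client]
        st.hits += 1
        if c["delivered"]:
            st.messages += 1
        if c["stage"] == "RCPT" and not c["quit"]:
            st.aborted_after_rcpt += 1
        if c["foreign_rcpt"]:
            st.foreign_rcpts += 1
    return dict(per_client)


def suspicious_clients(summaries, min_hits=50, max_ratio=0.01):
    """Clients with many hits and a message/hit ratio at or below max_ratio.

    min_hits and max_ratio are assumed starting points, not measured values."""
    return sorted(
        ip for ip, s in summaries.items()
        if s.hits >= min_hits and s.messages / s.hits <= max_ratio
    )


def build_sample_sessions():
    """Constructed sessions: one probing client and one normal sender."""
    probe = ["EHLO pc-infected.example", "MAIL FROM:<someone@elsewhere.example>",
             "RCPT TO:<victim@another.example>"]           # no DATA, no QUIT
    real = ["EHLO pc-infected.example", "MAIL FROM:<someone@elsewhere.example>",
            "RCPT TO:<user@example.ac.uk>", "DATA", "QUIT"]
    sessions = [Session("198.51.100.7", probe) for _ in range(200)]
    sessions.append(Session("198.51.100.7", real))
    sessions += [Session("203.0.113.9", real) for _ in range(3)]
    return sessions


if __name__ == "__main__":
    summary = summarize(build_sample_sessions())
    for ip, s in sorted(summary.items()):
        print(ip, s)
    print("suspicious:", suspicious_clients(summary))
```

The per-client `aborted_after_rcpt` counter is the direct signature of what the thread describes; `foreign_rcpts` is kept separate because a legitimate client can also mistype a recipient domain, so on its own it is weak evidence of relay testing.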