[unisog] Sobig.f and no actual messages

Richard Hopkins Richard.Hopkins at bristol.ac.uk
Wed Sep 3 08:01:07 GMT 2003


What surprises me is the ratio I'm seeing of hits from Sobig.F infected 
systems to the number of messages submitted. One locally infected PC, for 
example, hit one of our mail exchangers 5,383 times last week but only 
actually sent 1 message; it hit our other mail exchanger 8,828 times and 
submitted zero. As I write, I can see that a remote system is hitting us 
similarly (issuing a MAIL FROM: and RCPT TO: but no actual message). 
Over the last 3 days we've taken 27,320 hits from it (on one of our mail 
exchanges), but seen zero actual messages from it.

Cheers,

Richard

--On Friday, August 29, 2003 11:04 AM +1200 Russell Fulton 
<r.fulton at auckland.ac.nz> wrote:

> -----Forwarded Message-----
> From: Bojan Zdrnja <b.zdrnja at auckland.ac.nz>
> To: 'Russell Fulton' <r.fulton at auckland.ac.nz>
> Subject: RE: [Fwd: [unisog] Sobig.f and no actual messages]
> Date: 29 Aug 2003 09:23:56 +1200
>
> Yep,
>
> In some cases Sobig-F does that to check if the server will allow him to
> relay e-mail through it.
> It might check with different from and rcpt to addresses, to see if
> everything is ok and then fire up its flood.
>
> Bojan
>
>> -----Original Message-----
>> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
>> Sent: Friday, 29 August 2003 8:51 a.m.
>> To: Bojan Zdrnja
>> Subject: [Fwd: [unisog] Sobig.f and no actual messages]
>>
>>
>> Are we seeing this?
>>
>> -----Forwarded Message-----
>> From: Richard Hopkins <Richard.Hopkins at bristol.ac.uk>
>> To: unisog at sans.org
>> Subject: [unisog] Sobig.f and no actual messages
>> Date: 28 Aug 2003 12:16:51 +0100
>>
>>
>> I noticed yesterday that local systems infected with Sobig.f
>> are making
>> repeated connections to the MX hosts of our domain (no
>> surprises there ;-)
>>
>> However, all they appear to be doing when they do is connect,
>> issue an HELO
>> (or EHLO), issue a MAIL FROM:, issue an RCPT TO: and then
>> disconnect (they
>> don't appear to enter into the data transfer phase, nor issue a QUIT).
>>
>> I've only got limited monitoring facilities available to me on the MX
>> hosts, but the above is what *appears* to be happening.
>>
>> Anyone else seen this?
>>
>> Cheers,
>>
>> Richard Hopkins,
>> Information Services,
>> Computer Centre,
>> University of Bristol,
>> Bristol, BS8 1UD, UK
>>
>> Tel +44 117 928 7859
>> Fax +44 117 929 1576
>
> --
> Russell Fulton, Network Security Officer, The University of Auckland,
> New Zealand.
>



Richard Hopkins,
Information Services,
Computer Centre,
University of Bristol,
Bristol, BS8 1UD, UK

Tel +44 117 928 7859
Fax +44 117 929 1576
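A detection sketch for the pattern described in this thread (sessions that reach MAIL FROM: and RCPT TO: and then drop without DATA or QUIT), added here as an example and not part of the original thread; the session-summary log format, the client addresses and the thresholds are constructed assumptions, not the Bristol MX hosts' real log layout.

```python
import re
from collections import defaultdict

# Constructed sample: one summary line per SMTP session, listing the commands
# the client issued before it disconnected (an assumed format for illustration).
SAMPLE_LOG = """\
2003-08-28T12:00:01 client=10.0.0.5 cmds=EHLO,MAIL,RCPT
2003-08-28T12:00:03 client=10.0.0.5 cmds=EHLO,MAIL,RCPT
2003-08-28T12:00:04 client=10.0.0.5 cmds=HELO,MAIL,RCPT
2003-08-28T12:00:09 client=10.0.0.5 cmds=EHLO,MAIL,RCPT,DATA,QUIT
2003-08-28T12:00:12 client=10.0.0.5 cmds=EHLO,MAIL,RCPT
2003-08-28T12:01:00 client=192.0.2.10 cmds=EHLO,MAIL,RCPT,DATA,QUIT
2003-08-28T12:01:30 client=192.0.2.10 cmds=EHLO,MAIL,RCPT,DATA,QUIT
2003-08-28T12:02:00 client=192.0.2.44 cmds=EHLO,MAIL,RCPT
"""

LINE_RE = re.compile(r"client=(\S+)\s+cmds=(\S+)")


def summarise_sessions(log_text):
    """Per client: total sessions and 'envelope-only' sessions, i.e. sessions
    that issued both MAIL and RCPT but never entered the DATA phase."""
    per_client = defaultdict(lambda: {"sessions": 0, "envelope_only": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not session summaries
        client, cmds = m.group(1), set(m.group(2).split(","))
        stats = per_client[client]
        stats["sessions"] += 1
        if {"MAIL", "RCPT"} <= cmds and "DATA" not in cmds:
            stats["envelope_only"] += 1
    return {client: dict(stats) for client, stats in per_client.items()}


def flag_probers(per_client, min_sessions=3, min_ratio=0.75):
    """Clients with enough sessions whose envelope-only share exceeds the ratio."""
    return sorted(
        client for client, s in per_client.items()
        if s["sessions"] >= min_sessions
        and s["envelope_only"] / s["sessions"] >= min_ratio
    )


if __name__ == "__main__":
    stats = summarise_sessions(SAMPLE_LOG)
    for client in flag_probers(stats):
        print(client, stats[client])
```

Recipient rejections and address-verification callouts from legitimate MTAs also produce envelope-only sessions, so the ratio and session-count thresholds need tuning against a site's normal traffic before the output is acted on.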


