OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage.
Thanks Mike. I will check the next batch I receive (I hope I don't) for the same address.

On 5/16/05, Bart Silverstrim <[EMAIL PROTECTED]> wrote:
>
> On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
>
> > I am also getting inundated with German gibberish spam. Would you mind
> > explaining the significance (if any) of the email address that you
> > posted? I am finding that the German Gibberish garbage is spoofing a
> > different email address with each posting.
>
> I'm new to the sleuthing aspect, so forgive me if I'm off base
> here... (education/explanations always welcome! Plus it's made harder
> because the messages I have to work with are on a Unix system and
> mangled headers off an Exchange final destination)
>
> I know that usually they alter the headers and spoof (viruses, that is)
> but I thought it strange that we've been hammered by sober.p with that
> same address showing up over and over again in our amavis logs:
>
> # grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
> 16546
>
> Usually it should vary things, I'd think. But then one of the first
> German gibberish messages I had found in a mailbox had the following
> right in the header:
>
> Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
>
> Coincidence? The first set I grepped was the IP of Sober.P's being
> stopped at the bastion server over the past couple weeks looking for
> that specific IP name. The second was a sample German message that
> managed to find its way to the administrator mail account on the
> Exchange server.
>
> I mean... spoofing I understand, and expect... but is it really
> coincidental that these just happened to hit that IP? That's why I
> wondered if maybe there wasn't a link between the two... that sober.p is
> now a mass mailing spam tool.
>
> Are there any analysis papers out on sober.p yet? And can anyone else
> corroborate the theory I have, or am I totally off-base here? I'm
> still trying to figure it out from what I can piece together between
> phone calls for other tasks here :-)
>
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html
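The correlation Bart does by hand above (pull the connecting IP out of the Received header, then count how often the same source shows up in the amavis log for a given detection) can be scripted. This is an added example, not code from the thread or from amavis/ClamAV; it assumes the Received header shape quoted above and uses constructed, simplified amavis-style log lines, not the real amavisd log format.

```python
import re
from collections import Counter

# Relay clause of a Received header: "from <helo> (<rdns> [<ip>])".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)",
    re.MULTILINE,
)
# Source IP in a log line, either dotted ("24.25.128.223") or embedded in
# an ISP-style reverse name ("aolclient-24-25-128-223...").
IP_IN_LOG_RE = re.compile(r"(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})")

def parse_received(headers):
    """One dict (helo, rdns, ip) per Received header, top hop first.
    Only the bracketed IP was observed by the receiving MTA; helo and
    rdns are unverified (or attacker-chosen) and should not be trusted."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(headers)]

def count_by_source_ip(log_lines, detection):
    """Count log lines naming `detection`, keyed by the source IP in the line."""
    counts = Counter()
    for line in log_lines:
        if detection in line:
            m = IP_IN_LOG_RE.search(line)
            if m:
                counts[".".join(m.groups())] += 1
    return counts

def correlate(headers, log_lines, detection):
    """Return (ip, hits): the IP that delivered this message and how many
    `detection` log lines came from it; (None, 0) if no Received parses."""
    hops = parse_received(headers)
    if not hops:
        return None, 0
    ip = hops[0]["ip"]
    return ip, count_by_source_ip(log_lines, detection)[ip]

# Header as quoted in the thread, plus constructed (not real) log lines.
SAMPLE_HEADERS = (
    "Received: from oncsbuv.com "
    "(aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])\n"
    "Subject: constructed sample\n"
)
SAMPLE_LOG = [
    "amavis[101] INFECTED (Worm.Sober.P) from aolclient-24-25-128-223.aol.nycap.res.rr.com",
    "amavis[102] INFECTED (Worm.Sober.P) from [24.25.128.223]",
    "amavis[103] INFECTED (Worm.Sober.P) from [198.51.100.7]",
    "amavis[104] Passed CLEAN from [24.25.128.223]",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_HEADERS, SAMPLE_LOG, "Sober.P"))  # ('24.25.128.223', 2)
```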