Hi

Please see http://www.theregister.co.uk/2005/05/16/sober_spews_spam/

Rgds
John Taylor
Network & Security Manager
Synstar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Blonder
Sent: 16 May 2005 15:00
To: ClamAV users ML
Subject: Re: [Clamav-users] sober.p and german adverts?

OK. I think I get it. You had identified the oncbuv.com address as a source for the sober.p garbage earlier and now it is showing up with the German gibberish garbage.

Thanks
Mike

I will check the next batch I receive (I hope I don't) for the same address.

On 5/16/05, Bart Silverstrim <[EMAIL PROTECTED]> wrote:
>
> On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
>
> > I am also getting inundated with German gibberish spam. Would you
> > mind explaining the significance (if any) of the email address that
> > you posted? I am finding that the German Gibberish garbage is
> > spoofing a different email address with each posting.
>
> I'm new to the sleuthing aspect, so forgive me if I'm off-base
> here...(education/explanations always welcome! Plus it's made harder
> because the messages I have to work with are on a Unix system and
> mangled headers off an Exchange final destination)
>
> I know that usually they alter the headers and spoof (viruses, that
> is) but I thought it strange that we've been hammered by sober.p with
> that same address showing up over and over again in our amavis logs:
>
> # grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
> 16546
>
> Usually it should vary things, I'd think. But then one of the first
> german gibberish messages I had found in a mailbox had the following
> right in the header:
>
> Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
>
> Coincidence? The first set I grepped was the IP of Sober.P's being
> stopped at the bastion server over the past couple weeks looking for
> that specific IP name. The second was a sample german message that
> managed to find its way to the administrator mail account on the
> exchange server.
>
> I mean,...spoofing I understand, and expect...but is it really
> coincidental that these just happened to hit that IP? That's why I
> wondered if maybe there wasn't a link between the two...that sober.p
> is now a mass mailing spam tool.
>
> Are there any analysis papers out on sober.p yet? And can anyone else
> corroborate the theory I have, or am I totally off-base here? I'm
> still trying to figure it out from what I can piece together between
> phone calls for other tasks here :-)
>
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
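The comparison Bart is making by hand (grep the scanner log for one IP and the worm signature, then eyeball a spam sample's Received: header) can be scripted so it is repeatable across many samples. The following Python is an added example written for this page, not code from the thread, ClamAV or amavisd-new. It pulls the bracketed connecting IP from the topmost Received: header of each sample (the only hop the local MTA recorded itself; lower Received: lines come from the sender and may be forged), counts how often that IP appears in the scanner log with a given signature, and reports the overlap. The log line shape, the two header blocks and all addresses other than the one quoted in the thread are constructed for the example and only approximate real amavis output.

```python
import re
from collections import Counter

# Constructed sample log (not from any real system). The line shape only loosely
# follows the "(id) VERDICT (reason), [client-ip] <from> -> <to>" style amavis uses.
SAMPLE_LOG = """\
May 16 08:01:02 mx1 amavis[123]: (123-01) INFECTED (Worm.Sober.P), [24.25.128.223] <a@example.net> -> <b@example.org>
May 16 08:01:09 mx1 amavis[124]: (124-01) INFECTED (Worm.Sober.P), [24.25.128.223] <c@example.net> -> <d@example.org>
May 16 08:02:14 mx1 amavis[125]: (125-01) Passed CLEAN, [203.0.113.7] <e@example.com> -> <f@example.org>
May 16 08:03:30 mx1 amavis[126]: (126-01) INFECTED (Worm.Sober.P), [198.51.100.9] <g@example.net> -> <h@example.org>
"""

# Constructed header blocks for two spam samples. Only the topmost Received: line
# was written by the receiving MTA; everything below it was handed over by the
# sender and cannot be trusted on its own.
SPAM_SAMPLE_1 = """\
Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com
\t[24.25.128.223])
\tby mx1.example.org (Postfix) with SMTP id 1A2B3C
\tfor <admin@example.org>; Mon, 16 May 2005 09:12:00 -0400
Received: from forged.example (unknown [192.0.2.55])
\tby oncsbuv.com with ESMTP; Mon, 16 May 2005 09:11:00 -0400
From: someone@example.net
Subject: Ihre Rechnung
"""

SPAM_SAMPLE_2 = """\
Received: from mail.example.com (mail.example.com [203.0.113.7])
\tby mx1.example.org (Postfix) with ESMTP id 4D5E6F
\tfor <admin@example.org>; Mon, 16 May 2005 09:20:00 -0400
From: other@example.com
Subject: Newsletter
"""

# A bracketed dotted-quad, as both the log lines and Received: headers carry it.
BRACKETED_IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> list[str]:
    """Join RFC 5322 folded continuation lines (leading space/tab) onto their header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [line for line in unfolded.splitlines() if line.strip()]


def received_ips(raw_headers: str) -> list[str]:
    """Return the bracketed IPv4 literal of each Received: header, topmost first.

    Element 0 is the address the local MTA actually accepted the message from;
    later elements are claims made by earlier hops."""
    ips = []
    for line in unfold_headers(raw_headers):
        if line.lower().startswith("received:"):
            m = BRACKETED_IPV4_RE.search(line)
            if m:
                ips.append(m.group(1))
    return ips


def detections_by_ip(log_text: str, signature: str) -> Counter:
    """Count log lines containing the signature, keyed by the bracketed client IP."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if signature in line:
            m = BRACKETED_IPV4_RE.search(line)
            if m:
                counts[m.group(1)] += 1
    return counts


def correlate(log_text: str, signature: str, samples: list[str]) -> dict[str, int]:
    """Map each sample's connecting IP to the number of signature hits that IP
    produced in the scanner log (0 when the IP never triggered it)."""
    counts = detections_by_ip(log_text, signature)
    result = {}
    for sample in samples:
        ips = received_ips(sample)
        if ips:
            result[ips[0]] = counts.get(ips[0], 0)
    return result


if __name__ == "__main__":
    hits = correlate(SAMPLE_LOG, "Sober.P", [SPAM_SAMPLE_1, SPAM_SAMPLE_2])
    for ip, n in hits.items():
        print(f"{ip}: {n} Sober.P detections from this connecting address")
```

A non-zero count for a spam sample's connecting IP is the same signal Bart found by hand; a zero count for the other sample shows the script does not confuse hops named further down the header chain with the address the bastion host actually spoke to.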