On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:

[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 08:51
Maybe you should have simply entered it into Google?
I'm quite sure that Google would have led you to the right place.
Yes, Google can search for German strings too! IMHO ;-)

I did enter it in when I first discovered it, but there were no hits. I thought perhaps it was too new at the time, and then turned to the lists to corroborate what I was seeing.


and the text appears to be just a link to a website...?

Yes, it is. Many of them are pointing to websites of reputable printed newsletters/magazines like "Der Spiegel".

Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters...or at least not enough to cross the threshold of spam vs. regular mail.


Perhaps we now know what happened to sober.p?

See:

http://www.viruslist.com/en/weblog
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU&VSect=P
Details in German:
http://www.heise.de/newsticker/meldung/59562

Well...I'm somewhat proud of myself that so far my hunches and (amateurish) deductions had me on the right track :-)


(anyone know offhand how to use the access file for postfix to reject
a message by *sender* instead of recipient?)

Write complaints to the owners of the IP blocks! The "MAIL FROM" is always faked. The URL-owner is mostly "innocent" too.

Block all mails from dynamic IP.
They are 99,99% spam.

Is there a way to do that with the access file/postmap in postfix? Block sender IPs/IP blocks?


I thought it was odd that our hammering from particular sober.p infections was consistent in IP. If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over?

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
