Hijacked email
Anyone seeing hijacked email addresses with this Sobig-F worm? I did some research and I know I didn't send anything to Investec Bank of Johannesburg, ZA. On top of that, I definitely did not send a worm.

Thoughts?

Jack

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 20, 2003 4:11 AM
To: Parks, Jack W
Cc: [EMAIL PROTECTED]
Subject: MailMarshal has detected a Virus in your message

Investec content scanning has stopped the following message:

Message: BB002e9963.0001.mml
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Thank you!

Because it believes the message contains a virus.
The virus scanning software used was: Sophos AntiVirus (SAVI2 Interface)
Virus name: W32/Sobig-F

Please clean the file and resend it.

Rule: Inbound Messages : Block Virus
Re: Hijacked email
> Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
> research and I know I didn't send anything to Investec Bank of
> Johannesburg, ZA. On top of that, I definitely did not send a worm.

Same here... seems the worm is not only using the address book for targets, but also as sources.

Pascal
Re: Hijacked email
On Wed, 20 Aug 2003, Pascal Gloor wrote:

> > Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
> > research and I know I didn't send anything to Investec Bank of
> > Johannesburg, ZA. On top of that, I definitely did not send a worm.
>
> same here... seems the worm is not only using the address book for
> targets, but also as sources..

Is this surprising to anyone? That's the way the past few Lookout Virus Express viruses have worked.

The funny thing is, on this account, I've gotten zero copies that I've noticed... just lots of mail from various lists talking about it. On my work account, I've gotten several this morning and a bunch of bounces.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
Re: Hijacked email
On Wed, 20 Aug 2003 [EMAIL PROTECTED] wrote:

> Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
> research and I know I didn't send anything to Investec Bank of
> Johannesburg, ZA. On top of that, I definitely did not send a worm.

Yep, my email is definitely being used. :(

Nathan Stratton
nathan at robotics.net
http://www.robotics.net
Re: Hijacked email
Hello All,

I have just seen several bounces from various places with my addy being used as well.

JimL

On Wed, 20 Aug 2003, Nathan A. Stratton wrote:

> On Wed, 20 Aug 2003 [EMAIL PROTECTED] wrote:
>
> > Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
> > research and I know I didn't send anything to Investec Bank of
> > Johannesburg, ZA. On top of that, I definitely did not send a worm.
>
> Yep, my email is definitely being used. :(

--
+---------------------+----------------------+----------------+
| James W. Laferriere | System Techniques    | Give me VMS    |
| Network Engineer    | P.O. Box 854         | Give me Linux  |
| [EMAIL PROTECTED]   | Coudersport PA 16915 | only on AXP    |
+---------------------+----------------------+----------------+
Re: Hijacked email
Yup, seeing same. Spoofing to quite a few of our addresses and sending worms to everyone..

-hc

--
Sincerely,
  Haesu C.
  TowardEX Technologies, Inc.
  WWW: http://www.towardex.com
  E-mail: [EMAIL PROTECTED]
  Cell: (978) 394-2867

On Wed, Aug 20, 2003 at 07:36:23AM -0500, [EMAIL PROTECTED] wrote:
> Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
> research and I know I didn't send anything to Investec Bank of
> Johannesburg, ZA. On top of that, I definitely did not send a worm.
>
> Thoughts?
>
> Jack
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 20, 2003 4:11 AM
> To: Parks, Jack W
> Cc: [EMAIL PROTECTED]
> Subject: MailMarshal has detected a Virus in your message
>
> Investec content scanning has stopped the following message:
>
> Message: BB002e9963.0001.mml
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Thank you!
>
> Because it believes the message contains a virus.
> The virus scanning software used was: Sophos AntiVirus (SAVI2 Interface)
> Virus name: W32/Sobig-F
>
> Please clean the file and resend it.
>
> Rule: Inbound Messages : Block Virus
Re: Hijacked email
For our Postfix viewers out there...

header_checks:

    # Anchored (^...$): matches only a header line that is exactly this.
    /^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.

body_checks:

    # Unanchored: matches the text anywhere in a body line, e.g. the worm's
    # headers quoted back inside a bounce or infection notice.
    /X-MailScanner: Found to be clean/ REJECT Please, stop sending me bounces/infection notices for spoofed virus spam.

The last rule is kinda evil as it will block all mail with that line in the body (both incoming and outgoing), so know what you're doing before you blindly cut and paste.
Re: Hijacked email
Please people, of all the great feedback these joe-jobbed addresses are receiving from the anti-virus software... it really wouldn't hurt to include the -=IP=- (and possibly headers) of the system that contacted your server.

Rather than simply complain, it would allow us to track down, and triangulate, the -=real=- perp, an infected M$ machine or two (million).

Thanks in Advance for useful data! :D

JMHO.

Omachonu Ogali wrote:
> For our Postfix viewers out there...
>
> header_checks:
> /^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.
>
> body_checks:
> /X-MailScanner: Found to be clean/ REJECT Please, stop sending me bounces/infection notices for spoofed virus spam.
>
> The last rule is kinda evil as it will block all mail with that line in
> the body (both incoming and outgoing), so know what you're doing before
> you blindly cut and paste.
Hey netscalibur! (was: Re: Hijacked email)
Today at 10:40 (-0500), Richard Irving wrote:

> Date: Wed, 20 Aug 2003 10:40:25 -0500
> From: Richard Irving [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Hijacked email
>
> Please people, of all the great feedback these joe jobbed addresses are
> receiving, from the anti-virus software... it really wouldn't hurt to
> include the -=IP=- (and possibly headers) of the system that contacted
> your server.
>
> Rather than simply complain, it would allow us to track down, and
> triangulate the -=real=- perp, an infected M$ machine or two (million).

Okie doke, is Netscalibur in the house? I might assume so based on the nanog-ish return address on the received e-mail from [195.157.87.253].

This IP is sourcing Sobig.F to me, and *as* me.

The received mail:

From [EMAIL PROTECTED] Wed Aug 20 10:03:00 2003
Received: from KYAN ([195.157.87.253])
        by ack.Berkeley.EDU (8.11.3/8.11.3) with ESMTP id h7K9k2n04029
        for [EMAIL PROTECTED]; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
Message-Id: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Details
Date: Wed, 20 Aug 2003 10:46:45 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_00623C6D
Content-Length: 17

See the attached file for details

    [ Part 2, Application/OCTET-STREAM  (Name: "details.pif")  100KB. ]

And the results of the joe-job:

The original message was received at Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
from [195.157.87.253]

   ----- The following addresses had permanent fatal errors -----
[EMAIL PROTECTED]
    (reason: 550 [EMAIL PROTECTED]... No such mailbox)

   ----- Transcript of session follows -----
... while talking to mail.sega.com.:
RCPT To:[EMAIL PROTECTED]
550 [EMAIL PROTECTED]... No such mailbox
550 5.1.1 [EMAIL PROTECTED]... User unknown

    [ Part 2: "Delivery Status" ]

Reporting-MTA: dns; postal.segasoft.com
Received-From-MTA: DNS; [195.157.87.253]
Arrival-Date: Wed, 20 Aug 2003 03:42:13 -0700 (PDT)

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.sega.com
Diagnostic-Code: SMTP; 550 [EMAIL PROTECTED]... No such mailbox
Last-Attempt-Date: Wed, 20 Aug 2003 03:42:19 -0700 (PDT)

    [ Part 3: "Included Message" ]

Return-Path: [EMAIL PROTECTED]
Received: from KYAN ([195.157.87.253])
        by postal.segasoft.com (8.12.9/8.11.0) with ESMTP id h7KAgCbV004367
        for [EMAIL PROTECTED]; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
Message-Id: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Details
Date: Wed, 20 Aug 2003 11:42:56 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_0095ABA4

Please see the attached file for details.

    [ Part 3.2, Application/OCTET-STREAM  (Name: "thank_you.pif")  101KB. ]
    [ Unable to print this part. ]
Re: Hey netscalibur! (was: Re: Hijacked email)
Today at 18:38 (+0100), Dan Houghton wrote:

> Date: Wed, 20 Aug 2003 18:38:43 +0100
> From: Dan Houghton [EMAIL PROTECTED]
> To: Christopher Chin [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Hey netscalibur! (was: Re: Hijacked email)
>
> [. . .]
>
> IP in question is in use by a Netscalibur UK customer. The RIPE whois
> record for the IP provides the abuse@ contact details (which is staffed
> and dealt with correctly) but also noticed you emailed onto
> [EMAIL PROTECTED] as well. I'll make sure that the NOC staff deal with
> it and get these stopped.

Thanks for the quick response, Dan. It's great to hear that you have alert folks on the other end of both abuse@ and noc@ roles.

As with most organizations, we have a fair amount of overlap between queries that arrive at abuse@, security@, and noc@, but we tend to handle operational issues via noc, and abuse@ is mostly for questionable behavior (intentional or otherwise) by our local users. With that in mind, I figured [EMAIL PROTECTED] would be the more appropriate address. Please do let me know (offline is OK too) if that is not your preference.

Thanks,
- Christopher
Re: Hey netscalibur! (was: Re: Hijacked email)
On Wed, 20 Aug 2003, Christopher Chin wrote:

> Okie doke, is Netscalibur in the house? I might assume so based on the
> nanog-ish return address on the received e-mail from [195.157.87.253].
>
> This IP is sourcing Sobig.F to me, and *as* me.
>
> The received mail:
>
> From [EMAIL PROTECTED] Wed Aug 20 10:03:00 2003
> Received: from KYAN ([195.157.87.253])

I got six various examples from this exact machine, until I just nullrouted Netscalibur's /16. They have been the only virus messages I've seen so far.

matto

[EMAIL PROTECTED]darwin
Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in.
#include <disclaim.h>
Re: Hijacked email
On Wed, Aug 20, 2003 at 11:28:27AM -0400, Omachonu Ogali wrote:

> For our Postfix viewers out there...
>
> header_checks:
> /^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.

Of course, this will also block legitimate messages that have been scanned by whatever type of virus scanner adds that header.

Wietse suggests the following body check; it will work better with Postfix 2.0:
http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml

This is working well for us.

You could also probably look for the following three lines in a row (I'll indent a space so they don't set off people who are blocking based on the above rules):

 X-MailScanner: Found to be clean
 Importance: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.

We're seeing a LOT of these today, probably in the thousands per second.

--
Since when is skepticism un-American?
Dissent's not treason but they talk like it's the same...
(Sleater-Kinney - Combat Rock)
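Two of the suggestions in this thread, the three-headers-in-a-row rule in Will Yardley's post and Richard Irving's plea to report the IP of the machine that actually connected, can be combined in one small content check. The Python below is an added example written for this page, not code from any poster or from Postfix. Both sample messages are constructed: their headers mirror the worm message Christopher Chin quoted, but with 192.0.2.0/24 documentation addresses, an invented queue ID and the made-up MTA name mx.example.net standing in for the real ones.

```python
"""Fingerprint an inbound message for the Sobig.F header run discussed in
the thread and pull out the IP of the host that handed it to our MTA.

Added example, not code from the thread. Samples are constructed.
"""
import email
import re
from email import policy
from email.message import Message

# The three headers Will Yardley saw arrive together, in this order.
SOBIG_HEADER_SEQUENCE = [
    ("X-MailScanner", "Found to be clean"),
    ("Importance", "Normal"),
    ("X-Mailer", "Microsoft Outlook Express 6.00.2600."),
]

# Both worm samples quoted in the thread carried a .pif attachment.
PIF_NAME = re.compile(r"\.pif$", re.IGNORECASE)

# sendmail-style "from HELO ([1.2.3.4]) by ..." -- capture the bracketed IP.
RECEIVED_IP = re.compile(r"\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def has_sobig_header_sequence(msg: Message) -> bool:
    """True when the three fingerprint headers appear consecutively.
    Matching the run, not X-MailScanner alone, spares legitimately scanned mail."""
    headers = [(k.lower(), str(v).strip()) for k, v in msg.items()]  # in order
    want = [(k.lower(), v) for k, v in SOBIG_HEADER_SEQUENCE]
    n = len(want)
    return any(headers[i:i + n] == want for i in range(len(headers) - n + 1))


def pif_attachment_names(msg: Message) -> list:
    """Filenames of every .pif part, wherever it sits in the MIME tree."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and PIF_NAME.search(p.get_filename())]


def connecting_ip(msg: Message, our_host: str):
    """IP from the Received: line our own MTA added: the peer that really
    delivered the message. Every Received: line below it can be forged."""
    for received in msg.get_all("Received", []):
        line = " ".join(str(received).split())  # unfold, squeeze whitespace
        if f"by {our_host}" in line:
            m = RECEIVED_IP.search(line)
            return m.group(1) if m else None
    return None


def assess(raw: str, our_host: str) -> dict:
    """Parse one raw message and report what an abuse desk would need."""
    msg = email.message_from_string(raw, policy=policy.default)
    fingerprint = has_sobig_header_sequence(msg)
    pifs = pif_attachment_names(msg)
    return {
        "sobig_headers": fingerprint,
        "pif_attachments": pifs,
        "peer_ip": connecting_ip(msg, our_host),
        "suspect": fingerprint or bool(pifs),
    }


# Constructed: shaped like the worm message quoted in the thread.
SAMPLE_WORM = """\
Received: from KYAN ([192.0.2.10])
    by mx.example.net (8.12.9/8.11.0) with ESMTP id h7KAgCbV000001
    for <victim@example.net>; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
From: spoofed-sender@example.org
To: victim@example.net
Subject: Re: Details
Date: Wed, 20 Aug 2003 11:42:56 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
Content-Type: multipart/mixed; boundary="_NextPart_000_0095ABA4"

--_NextPart_000_0095ABA4
Content-Type: text/plain

Please see the attached file for details.
--_NextPart_000_0095ABA4
Content-Type: application/octet-stream; name="thank_you.pif"
Content-Disposition: attachment; filename="thank_you.pif"

MZ...
--_NextPart_000_0095ABA4--
"""

# Constructed: ordinary mail that passed a MailScanner gateway. The anchored
# header_checks rule quoted above rejects it; the three-line run does not.
SAMPLE_CLEAN = """\
Received: from mail.example.com ([192.0.2.20])
    by mx.example.net (8.12.9/8.11.0) with ESMTP id h7KAgCbV000002
    for <someone@example.net>; Wed, 20 Aug 2003 03:50:00 -0700 (PDT)
From: colleague@example.com
To: someone@example.net
Subject: lunch?
X-MailScanner: Found to be clean
Date: Wed, 20 Aug 2003 11:50:00 +0100

Noon at the usual place?
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(label, assess(raw, "mx.example.net"))
```

Postfix header_checks hands each pattern one header at a time, so a rule on three consecutive headers cannot be written there; it belongs in a content filter or milter, which is where a function like assess would run. The clean sample is the false positive Will Yardley warns about: X-MailScanner alone also marks ordinary scanned mail, the three-line run does not. For the abuse report Richard Irving asks for, only the Received: line your own MTA wrote is evidence; the lines beneath it arrived with the message and can say anything.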
Re: Hijacked email
On Wed, Aug 20, 2003 at 06:13:58PM -0700, Will Yardley wrote:

> We're seeing a LOT of these today, probably in the thousands per second.

Eep - sorry for the annoying self-followup, but that should read thousands per minute (and that during peak hours) -- it's bad, but not THAT bad.

--
Since when is skepticism un-American?
Dissent's not treason but they talk like it's the same...
(Sleater-Kinney - Combat Rock)