I've been getting bounces containing this WORM_SOBIG.F (that's what Trend Micro's newest SIG named it) since early this morning. Nearly 70 so far! Every single one of them comes to me with one of five unique addresses in the "From:" field of the bounced message.
Here's what leads me to believe that an email harvesting bot is responsible for spreading this worm. (BTW, I haven't read this theory anywhere else on the Internet yet.)
I own or maintain over a dozen different domains. In nearly all of these sites, I use a 'cloaker' to encode the "Mailto" links and addresses. All but one, that is...
On one of these sites, around four years ago, I set up a site for a local band inside its own folder. In this site, I created five separate 'bio' pages - one for each band member. On each of these pages, I added a 'Mailto' link to a unique address I created on the domain for that band member. These five unique addresses do not go to mailboxes - they each forward to the band member's actual email address.
OK, now the five email addresses exist in only one place on the Internet, or anywhere else as far as I know: on the aforementioned pages. When I 'cloaked' the "Mailto's" on all my sites, I forgot these five, as I hadn't updated the site in over two years (it's a "free gratis" site that isn't visited much). I have, since this fiasco, now encoded the addresses with an email cloaker. Anyone interested in the cloaker is welcome to grab the code free from http://www.internet-marketing-forum.com/forum/viewtopic.php?t=2316 where I have it posted in a message. It's a simple HTML page containing a JavaScript encoder that also works for URLs.
So, what do you think? Is an email address harvesting bot running rampant, grabbing uncloaked addresses from web pages, placing them into the "From:" fields and sending this worm out to other addresses? Do the bounces all of you are receiving contain addresses in the "From:" field that exist in 'uncloaked' format on web pages?
Just throwing out some ideas to hash about and hopefully, help others in preventing this from escalating.
Cheers,
Tom Fosson

Let me give you a free ISP business to complement your own! http://www.seventhpower.biz/simple/?userid=31637 You never have to pay a penny! Everything supplied Free!
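The post describes a JavaScript 'cloaker' that encodes mailto links so a harvester scraping raw HTML does not see a plain address. The following is an added example, not the poster's cloaker from the linked forum thread: it implements one common scheme (the address stored as character codes and rebuilt with String.fromCharCode at page load), a naive regex harvester of the kind such a bot would run over page source, and a check showing the plain link is harvested while the cloaked one is not. The address "drummer@example.com" and the link label are constructed sample data.

```javascript
// Added example of a mailto "cloaker" and a naive address harvester.
// Not the cloaker from the original post; scheme and sample data are assumptions.

// Regex a simple harvesting bot would run over raw page source.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Encode text as comma-separated character codes; the output contains no '@'
// or '.', so the address regex cannot match it.
function encodeCloaked(text) {
  return Array.from(text, (ch) => ch.charCodeAt(0)).join(",");
}

// Inverse of encodeCloaked; this is what the browser does at load time.
function decodeCloaked(codes) {
  return String.fromCharCode(...codes.split(",").map(Number));
}

// Plain, harvestable link as it would appear on an uncloaked bio page.
function plainMailtoHtml(address, label) {
  return `<a href="mailto:${address}">${label}</a>`;
}

// Cloaked link: the page ships only a script that rebuilds the href client-side.
// The visible label must not contain the address, or the cloaking is pointless.
function cloakedMailtoHtml(address, label) {
  if (EMAIL_RE.test(label)) {
    throw new Error("link label leaks an address in clear text");
  }
  EMAIL_RE.lastIndex = 0; // reset after the global-regex test above
  const codes = encodeCloaked(`mailto:${address}`);
  return (
    "<script>document.write('<a href=\"' + String.fromCharCode(" +
    codes +
    ") + '\">" +
    label +
    "</a>')</script>"
  );
}

// Harvester that does NOT execute JavaScript: regex over raw source only.
function harvest(html) {
  return Array.from(new Set(html.match(EMAIL_RE) || []));
}

// What a browser, or a JS-executing bot, ends up with for a cloaked link:
// the decoded href. Returns null if no cloaked link is present.
function renderCloakedHref(html) {
  const m = html.match(/String\.fromCharCode\(([\d,]+)\)/);
  return m ? decodeCloaked(m[1]) : null;
}

// Demonstration on constructed sample data.
const sampleAddress = "drummer@example.com";
const sampleLabel = "Email the drummer";
console.log("plain page harvests:  ", harvest(plainMailtoHtml(sampleAddress, sampleLabel)));
console.log("cloaked page harvests:", harvest(cloakedMailtoHtml(sampleAddress, sampleLabel)));
console.log("browser sees href:    ", renderCloakedHref(cloakedMailtoHtml(sampleAddress, sampleLabel)));
```

The harvester here only reads page source, which is the case this cloaker defeats; a bot that drives a real browser (or evaluates the script) recovers the decoded href exactly as renderCloakedHref does, so cloaking raises the cost of scraping rather than preventing it.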
____ • The WDVL Discussion List from WDVL.COM • ____