[GLLUG] BellSouth DSL Customer

Jeremy Bowers jerf at jerf.org
Tue Aug 26 13:52:29 EDT 2003


Darrel Ray Clute, III wrote:
> Is there a GLLUG member who lives within the service area of Bell South
> DSL?  If so you seem to have a machine infected with Sobig.  Please
> correct this as soon as possible.  Over the past 24 hours I have
> received roughly 100 messages sourced from 208.61.135.116, a Bell South
> DSL IP, with several of the messages containing GLLUG members as the
> sender.  Please remedy the situation immediately.

SoBig forges the "from" address. The "From" address establishes merely 
that the *true* sender once received email from the forged address, or 
visited a web page containing the forged address, or basically somehow 
the forged address ended up on the true sender's hard drive *somehow*.

The "from" address is the one person who *didn't* send it. While it's 
possible a GLLUG member has it, it is equally likely that somebody 
visited the web page and ended up with the addresses that way, or some 
other way.

Please see http://www.sophos.com/virusinfo/analyses/w32sobiga.html for 
corroboration:

"The worm searches the local hard drive for files with the extensions 
TXT, HTML, EML, HTM, WAB and DBX. The files are used to extract a list 
of recipient email addresses that will be *used by the worm* to send 
infected emails."

I'm getting a lot of bounce messages because the stupid mail processors 
trust the forged address; many are for "bowersj2 at cse.msu.edu" which I 
*never* send from. Definitely the most irritating virus to date, because 
there's collateral damage to even Linux/Mac/Misc users.
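As an added example, not from this thread or from Sophos, here is a small Python script that does what Jeremy describes: ignore the From: header and walk the Received: headers stamped by your own mail servers to find the IP that actually handed the message over. The message, host names and addresses are constructed and hypothetical; only 208.61.135.116 is the IP quoted in the thread.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (hypothetical hosts), modelled on the messages described
# in the thread: From: names a list member, but the Received: chain shows the
# message reaching our relay from 208.61.135.116, the IP quoted in the thread.
SAMPLE = """Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby lists.example.org with ESMTP; Tue, 26 Aug 2003 12:01:05 -0400
Received: from adsl-208-61-135-116.example.net (unknown [208.61.135.116])
\tby mail.example.org with SMTP; Tue, 26 Aug 2003 12:00:57 -0400
From: A GLLUG Member <member@example.org>
To: list@example.org
Subject: Re: Thank you!

Please see the attached file.
"""

# Hosts we operate (hypothetical). Only Received: lines stamped by these are
# trusted; anything below a foreign hop may itself have been forged.
TRUSTED_HOSTS = {"lists.example.org", "mail.example.org"}

RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)", re.S)

def claimed_sender(raw):
    """The From: address. As the thread says, this proves nothing about origin."""
    return parseaddr(email.message_from_string(raw)["From"])[1]

def originating_ip(raw):
    """Walk Received: headers top-down (newest hop first) and return the IP of
    the first hop outside our infrastructure. Returns None if the chain is
    unparsable or a header was not written by one of our own hosts."""
    msg = email.message_from_string(raw)
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(received)
        if not m:
            return None
        helo_name, ip, by_host = m.groups()
        if by_host not in TRUSTED_HOSTS:
            return None          # stamped by a host we do not control
        if helo_name not in TRUSTED_HOSTS:
            return ip            # first hand-off from the outside world
    return None

if __name__ == "__main__":
    print("From: header claims", claimed_sender(SAMPLE))
    print("message actually arrived from", originating_ip(SAMPLE))
```

The returned IP is what belongs in an abuse report to the ISP; the From: address is the one party who did not send the message.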
