[GLLUG] BellSouth DSL Customer
Jeremy Bowers
jerf at jerf.org
Tue Aug 26 13:52:29 EDT 2003
Darrel Ray Clute, III wrote:
> Is there a GLLUG member who lives within the service area of Bell South
> DSL? If so you seem to have a machine infected with Sobig. Please
> correct this as soon as possible. Over the past 24 hours I have
> received roughly 100 messages sourced from 208.61.135.116, a Bell South
> DSL IP, with several of the messages containing GLLUG members as the
> sender. Please remedy the situation immediately.
SoBig forges the "from" address. The "From" address establishes merely
that the *true* sender once received email from the forged address, or
visited a web page containing the forged address, or basically somehow
the forged address ended up on the true sender's hard drive *somehow*.
The "from" address is the one person who *didn't* send it. While it's
possible a GLLUG member has it, it is equally likely that somebody
visited the web page and ended up with the addresses that way, or some
other way.
Please see http://www.sophos.com/virusinfo/analyses/w32sobiga.html for
corroboration:
"The worm searches the local hard drive for files with the extensions
TXT, HTML, EML, HTM, WAB and DBX. The files are used to extract a list
of recipient email addresses that will be *used by the worm* to send
infected emails."
I'm getting a lot of bounce messages because the stupid mail processors
trust the forged address; many are for "bowersj2 at cse.msu.edu" which I
*never* send from. Definitely the most irritating virus to date, because
there's collateral damage to even Linux/Mac/Misc users.
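As an added illustration of the point above (this code is not from the original post or from Sophos): the machine that actually injected a SoBig message is identified by the earliest Received: header, not by the From: line. The raw message below is constructed, with placeholder relay names and a placeholder forged sender, and reuses the 208.61.135.116 address quoted in the thread as the injecting host.

```python
# Added example: extract the relay chain from Received: headers so the real
# injection point can be compared with the (forged) From: address.
import re
from email import message_from_string
from email.utils import parseaddr

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample message; hostnames and addresses are placeholders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby lists.example.org with ESMTP; Tue, 26 Aug 2003 13:40:01 -0400
Received: from home-pc (adsl-208-61-135-116.example-isp.net [208.61.135.116])
\tby mx.example.net with SMTP; Tue, 26 Aug 2003 13:39:58 -0400
From: "Some Member" <forged@example.org>
To: list@example.org
Subject: Re: Details
Message-ID: <constructed@example-isp.net>

See the attached file for details.
"""


def relay_chain(raw: str) -> list:
    """Return the relay IPs from Received: headers, earliest hop first.

    Each MTA prepends its own Received: header, so the last one in the
    message describes the first hop, i.e. the host that injected the mail.
    Only headers added by servers you control are trustworthy; anything
    below them could have been forged by the sender along with From:.
    """
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        match = IPV4.search(hdr)  # the bracketed address of the "from" host
        if match:
            ips.append(match.group(1))
    return list(reversed(ips))


def origin_ip(raw: str) -> str:
    """The host that handed the message to the first relay."""
    return relay_chain(raw)[0]


def header_from(raw: str) -> str:
    """The claimed sender, which SoBig fills from harvested addresses."""
    return parseaddr(message_from_string(raw)["From"])[1]
```

For the constructed message, origin_ip() yields the DSL address while header_from() yields the harvested address, so a complaint belongs with the ISP owning the IP, not with the person named in From:.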