[GLLUG] BellSouth DSL Customer

Darrel Ray Clute, III darrel_clute at yahoo.com
Tue Aug 26 19:59:56 EDT 2003


I am well aware of how Sobig works.  The reason I believe that someone
somehow associated with the list is the fact that the messages are being
"sent from" members of GLLUG.  Although these are not the true senders
of the messages, dissecting the email source shows that all that I am
receiving are being sent from 208.61.135.116.  When doing an ARIN
lookup it resolves to a Bell South DSL network IP.  I am not positive,
but I am fairly sure that at one point someone from that service area
(North or South Carolina maybe) had some dealings with the GLLUG, maybe
still does.  The entire point of my original message was to let the
individual, if they are still on the list, know that they have an
infected machine.  If anyone remembers, or has a record of, that individual's
name or email address, it would probably be a good idea to contact them
to let them know that they possibly are infected and propagating
(actually annoying) to GLLUG members.

On Tue, 2003-08-26 at 13:52, Jeremy Bowers wrote:
> Darrel Ray Clute, III wrote:
> > Is there a GLLUG member who lives within the service area of Bell South
> > DSL?  If so you seem to have a machine infected with Sobig.  Please
> > correct this as soon as possible.  Over the past 24 hours I have
> > received roughly 100 messages sourced from 208.61.135.116, a Bell South
> > DSL IP, with several of the messages containing GLLUG members as the
> > sender.  Please remedy the situation immediately.
> 
> SoBig forges the "from" address. The "From" address establishes merely 
> that the *true* sender once received email from the forged address, or 
> visited a web page containing the forged address, or basically somehow 
> the forged address ended up on the true sender's hard drive *somehow*.
> 
> The "from" address is the one person who *didn't* send it. While it's 
> possible a GLLUG member has it, it is equally likely that somebody 
> visited the web page and ended up with the addresses that way, or some 
> other way.
> 
> Please see http://www.sophos.com/virusinfo/analyses/w32sobiga.html for 
> corroboration:
> 
> "The worm searches the local hard drive for files with the extensions 
> TXT, HTML, EML, HTM, WAB and DBX. The files are used to extract a list 
> of recipient email addresses that will be *used by the worm* to send 
> infected emails."
> 
> I'm getting a lot of bounce messages because the stupid mail processors 
> trust the forged address; many are for "bowersj2 at cse.msu.edu" which I 
> *never* send from. Definitely the most irritating virus to date, because 
> there's collateral damage to even Linux/Mac/Misc users.
> 
> 
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
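The header dissection Darrel describes (ignore the forged From, walk the Received headers back to the IP that actually connected) can be automated. The script below is an added example and is not part of the thread; the mail servers (list.example.edu, mx.example.edu and their 192.0.2.x addresses) and the sample messages are constructed, and 208.61.135.116 is reused from the thread purely as the sample origin. It stops trusting Received headers as soon as it reaches one that was not written by one of your own MTAs, because everything below that point was supplied by the sender and can be forged just like the From line.

```python
"""Trace forged-From mail back to the connecting IP via Received headers.

Added example, not code from the GLLUG thread. All hostnames, IPs and
messages below are constructed for the demonstration.
"""
import email
import re
from email import policy

# Hosts and addresses of the MTAs *we* operate (constructed). Only Received
# headers stamped "by" one of these can be trusted.
TRUSTED = frozenset({"list.example.edu", "192.0.2.20",
                     "mx.example.edu", "192.0.2.10"})

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)        # host that wrote the hop
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed peer address


def origin_ip(raw, trusted=TRUSTED):
    """Return the IP that handed the message to our first trusted MTA.

    Walks Received headers newest-first. Each trusted hop names the peer it
    got the message from; once that peer is not one of our own MTAs, it is
    the external origin. A hop written "by" an untrusted host ends the walk,
    since the sender could have fabricated it.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    for hop in msg.get_all("Received") or []:
        hop = str(hop)
        by, ip = BY_RE.search(hop), IP_RE.search(hop)
        if by is None or by.group(1).lower() not in trusted:
            break                      # below this line nothing is reliable
        if ip and ip.group(1) not in trusted:
            return ip.group(1)         # first hop from outside our servers
    return None                        # no trusted hop found


def tally_origins(raw_messages, trusted=TRUSTED):
    """Map each origin IP to the From addresses seen on mail it sent."""
    per_origin = {}
    for raw in raw_messages:
        sender = str(email.message_from_string(raw, policy=policy.default)["From"])
        per_origin.setdefault(origin_ip(raw, trusted), []).append(sender)
    return per_origin


def make_sample(origin, sender, extra_bottom=""):
    """Build a constructed message that reached us from `origin`."""
    return (
        "Received: from mx.example.edu (mx.example.edu [192.0.2.10])\n"
        "\tby list.example.edu (Postfix) with ESMTP id 1; Tue, 26 Aug 2003 10:00:02 -0400\n"
        f"Received: from userpc (adsl-{origin.replace('.', '-')}.example.net [{origin}])\n"
        "\tby mx.example.edu (Postfix) with SMTP id 2; Tue, 26 Aug 2003 10:00:01 -0400\n"
        + extra_bottom
        + f"From: {sender}\n"
        "To: linux-user@example.edu\n"
        "Subject: Re: That movie\n\n"
        "See the attached file for details.\n"
    )


# A Received line the *sender* planted to blame someone else; "by userpc"
# is not one of our MTAs, so origin_ip() must ignore it.
FORGED_HOP = ("Received: from innocent.example.org (innocent.example.org [203.0.113.5])\n"
              "\tby userpc with SMTP id 3; Tue, 26 Aug 2003 09:59:50 -0400\n")

SAMPLES = [
    make_sample("208.61.135.116", "alice@example.org"),
    make_sample("208.61.135.116", "bob@example.org", FORGED_HOP),
    make_sample("208.61.135.116", "carol@example.org"),
    make_sample("198.51.100.7", "dave@example.com"),
]

if __name__ == "__main__":
    for ip, senders in tally_origins(SAMPLES).items():
        print(f"{ip}: {len(senders)} message(s), From = {sorted(set(senders))}")
```

Run over a mailbox, the tally shows the pattern from the thread: one origin IP, many different (forged) From addresses. The IP is what you feed to an ARIN/whois lookup and to the abuse contact; the From addresses only tell you whose address book the infected machine harvested.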