Discussion:
Swamped by SoBig e-mail
NHD
2003-08-24 12:52:18 UTC
I've been getting hundreds of SoBig.f infected mails every day from spoofed
e-mail addresses. I changed my MX record to go through a filtering service,
which has caught about 10% of them, but the rest keep coming through.

The ones that get through all seem to be coming from the same IP address,
unless that's spoofed also. Is it?

Here are the headers:

Received: from SPARKY
(ool-182f6abf.dyn.optonline.net [24.47.106.191])
by rosekissin.com; Sun, 24 Aug 2003 08:48:15 -0400
From: <***@musicmatch.com>
To: <***@irpcg.com>
Subject: Re: Your application
Date: Sun, 24 Aug 2003 8:48:23 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_1D5BC0F5"
W.S. Blevins
2003-08-24 12:53:19 UTC
Post by NHD
The ones that get through all seem to be coming from the same IP address,
unless that's spoofed also. Is it?
No
Laura Fredericks
2003-08-24 19:06:02 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by NHD
I've been getting hundreds of SoBig.f infected mails every day from
spoofed e-mail addresses. I changed my MX record to go through a
filtering service, which has caught about 10% of them, but the rest
keep coming through.
Here's a list of the filters I'm currently using to delete the SOBIG
crap directly off the server, using Magic Mail Monitor. (A pop3
e-mail notifier.) http://mmm3.sourceforge.net/

Every once in a while, a new e-mail sneaks by, 'cause the
mailer-daemon is worded differently. I add those to the filter list,
as I get them.

Filter on SUBJECT, *includes*:

my details
your details
wicked screensaver
resume
approved
that movie
thank you
your application
details
mail delivery failure
inter-personal notification
mail system error
delivery has failed

Filter on FROM, *includes*:

mailer-daemon
mail delivery subsystem

Fwiw, since August 20th I've received 550 of these messages, to just
one e-mail address at my domain. (So far... They increase by the
minute.) None have the attachment. (Oh no! One just came in with the
attachment...And to a *different* addy at my domain! Ack!)

What I find interesting are the "from" addresses... Though I know
they're spoofed, I have to wonder why some people feel the need to
add EVERY SINGLE E-MAIL ADDY they send mail to/receive mail from to
their address books. Look at some of these addresses... They're
one-shot deals... I just don't get it. ;-)

(Note: These addresses have been munged; a couple were slightly
changed, for obvious reasons.)

apsupport-AT-dell-DOT-com
fin_support-AT-dell-DOT-com
den_support-AT-dell-DOT-com
pl_support-AT-dell-DOT-com
tech_be-AT-dell-DOT-com
support-AT-us-DOT-dell-DOT-com
someone-AT-microsoft-DOT-com
support-AT-macromedia-DOT-com
eudora-bugs-AT-qualcomm-DOT-com
customer_service-AT-silvercash-DOT-com
nobody-AT-netflix-DOT-com
webmaster-AT-grudge-match-DOT-com
info-AT-sunspringproperties-DOT-com
feedback-AT-softcomplex-DOT-com
corrections-AT-aom-DOT-pace-DOT-edu
yourname-AT-company-DOT-com
payments-autoresponder-AT-amazon-DOT-com
weightloss-AT-mygreatoffers-DOT-com
bookings-AT-hostelworld-DOT-com

(Someone with a Dell pc has some major problems, huh?)

Of course, a couple were uh, "interesting"...

kinkybitch22-AT-yahoo-DOT-com
i_like_my_pussy-AT-yahoo-DOT-com

And finally, I received two from *this* address... <snicker>

bbarlev-AT-mscc-DOT-huji-DOT-ac-DOT-il

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: Because I *can* be.

iQA/AwUBP0kMXaRseRzHUwOaEQJ+CQCg17CcO2/n2Wb1JS3X49US8PthGUkAnRAt
z56wtxioJrKtSckflLaVgHy4
=xv/A
-----END PGP SIGNATURE-----
--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

Remove CLOTHES to reply.
Ted Davis
2003-08-25 00:57:22 UTC
On Sun, 24 Aug 2003 19:06:02 GMT, Laura Fredericks
Post by Laura Fredericks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by NHD
I've been getting hundreds of SoBig.f infected mails every day from
spoofed e-mail addresses. I changed my MX record to go through a
filtering service, which has caught about 10% of them, but the rest
keep coming through.
Here's a list of the filters I'm currently using to delete the SOBIG
crap directly off the server, using Magic Mail Monitor. (A pop3
e-mail notifier.) http://mmm3.sourceforge.net/
Every once in a while, a new e-mail sneaks by, 'cause the
mailer-daemon is worded differently. I add those to the filter list,
as I get them.
my details
your details
wicked screensaver
resume
approved
that movie
thank you
your application
details
mail delivery failure
inter-personal notification
mail system error
delivery has failed
mailer-daemon
mail delivery subsystem
Fwiw, since August 20th I've received 550 of these messages, to just
one e-mail address at my domain. (So far... They increase by the
minute.) None have the attachment. (Oh no! One just came in with the
attachment...And to a *different* addy at my domain! Ack!)
That can be reduced to one or two:
Content-type: application/octet-stream

It can appear in the header (the virus) or the body (bounce message
containing the virus or its headers).

This stops all messages with attached executable files (normally a
good idea since they are all either viruses or from people not smart
enough to know that it's really bad form to send executables because
they will have to be treated as viruses) and most or at least many of
the bounce messages.


T.E.D. (***@gearbox.maem.umr.edu - e-mail must contain "T.E.D." or my .sig in the body)
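The subject and sender substring filters Laura lists, together with Ted's Content-Type rule, applied to raw messages in Python. This is an added example, not code from the thread or from Magic Mail Monitor; the sample messages, addresses, host names and attachment name are constructed, and the rule lists are copied from Laura's post.

```python
"""Added example: the Subject/From substring filters listed above plus
the Content-Type: application/octet-stream rule, applied to raw RFC 822
messages. All sample messages below are constructed."""
import email
from email import policy
from typing import Optional

# Laura's "Filter on SUBJECT, *includes*" list
SUBJECT_INCLUDES = [
    "my details", "your details", "wicked screensaver", "resume", "approved",
    "that movie", "thank you", "your application", "details",
    "mail delivery failure", "inter-personal notification",
    "mail system error", "delivery has failed",
]
# Laura's "Filter on FROM, *includes*" list
FROM_INCLUDES = ["mailer-daemon", "mail delivery subsystem"]


def subject_from_reason(msg) -> Optional[str]:
    """Case-insensitive substring match on Subject, then on From."""
    subject = (msg.get("Subject") or "").lower()
    sender = (msg.get("From") or "").lower()
    for needle in SUBJECT_INCLUDES:
        if needle in subject:
            return f"subject includes {needle!r}"
    for needle in FROM_INCLUDES:
        if needle in sender:
            return f"from includes {needle!r}"
    return None


def octet_stream_reason(msg) -> Optional[str]:
    """Ted's rule: application/octet-stream either as a MIME part (the
    attachment itself) or quoted inside a text part (a bounce echoing
    the original message's headers)."""
    for part in msg.walk():
        where = "header" if part is msg else "body part"
        if part.get_content_type() == "application/octet-stream":
            return f"{where} content-type is application/octet-stream"
        if part.get_content_maintype() == "text":
            if "application/octet-stream" in part.get_content().lower():
                return "body text mentions application/octet-stream"
    return None


def classify(raw: bytes) -> dict:
    """Return every rule the message trips; delete it if any did."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = [r for r in (subject_from_reason(msg), octet_stream_reason(msg)) if r]
    return {"delete": bool(reasons), "reasons": reasons}


# Constructed samples (addresses, hosts and attachment name are invented)
SAMPLES = {
    # the worm's own mail: lure subject plus an octet-stream attachment
    "worm": (
        b"From: <someone@example.com>\r\nTo: <user@example.net>\r\n"
        b"Subject: Re: Your application\r\nMIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
        b"--XX\r\nContent-Type: text/plain\r\n\r\nSee the attached file.\r\n"
        b'--XX\r\nContent-Type: application/octet-stream; name="file.bin"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--XX--\r\n"
    ),
    # a bounce whose From line matches Laura's list
    "bounce_from": (
        b"From: Mail Delivery Subsystem <MAILER-DAEMON@example.org>\r\n"
        b"To: <user@example.net>\r\nSubject: Returned mail: see transcript\r\n"
        b"Content-Type: text/plain\r\n\r\nThe original message was not delivered.\r\n"
    ),
    # a bounce worded differently, caught only because it quotes the headers
    "bounce_body": (
        b"From: postmaster@example.org\r\nTo: <user@example.net>\r\n"
        b"Subject: Undeliverable message\r\nContent-Type: text/plain\r\n\r\n"
        b"Your message could not be delivered.\r\n--- original headers ---\r\n"
        b'Content-Type: application/octet-stream; name="file.bin"\r\n'
    ),
    # ordinary mail that should survive
    "legit": (
        b"From: colleague@example.net\r\nTo: <user@example.net>\r\n"
        b"Subject: Lunch tomorrow?\r\nContent-Type: text/plain\r\n\r\nNoon?\r\n"
    ),
    # ordinary mail lost to the broad 'details' substring
    "false_positive": (
        b"From: colleague@example.net\r\nTo: <user@example.net>\r\n"
        b"Subject: Q3 budget details\r\nContent-Type: text/plain\r\n\r\nAttached.\r\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

Laura's own caveat shows up in the samples: bounce wording varies, so a differently worded bounce slips past the From list, and a substring as short as "details" also deletes ordinary mail. Ted's Content-Type rule is indifferent to wording, which is why it catches both the attachment and the bounce that merely quotes the original headers.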
W.B.
2003-08-25 19:43:42 UTC
Post by NHD
I've been getting hundreds of SoBig.f infected mails every day from spoofed
e-mail addresses. I changed my MX record to go through a filtering service,
which has caught about 10% of them, but the rest keep coming through.
Make sure you then close off your MTA through access control or a
firewall to prevent the messages from being delivered straight to your mail
server. You want to make them go through the filtering service. You only
want to allow your filtering provider's mail servers to talk to yours. Any
filtering provider worth anything should be catching 100% of these.
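One way to carry out W.B.'s advice and to verify it is holding, written as an added Python example rather than code from the thread. It makes the access-control decision for a connecting SMTP client, emits the equivalent host-firewall rules, and checks an already-received message's topmost Received header, which is where the receiving server records the peer address it actually saw (the point behind Blevins's "No" to the spoofing question). The provider networks, host names and addresses are constructed placeholders.

```python
"""Added example: check that inbound mail really came through the
filtering provider. Provider networks, hosts and addresses below are
constructed placeholders, not a real provider's."""
import ipaddress
import re
from typing import List, Optional

# Placeholder: replace with the provider's published outbound relay
# networks (constructed values from the documentation ranges).
FILTER_PROVIDER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
SMTP_PORT = 25


def allowed_smtp_client(client_ip: str) -> bool:
    """Access-control decision for a connecting SMTP client."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in FILTER_PROVIDER_NETS)


def iptables_rules() -> List[str]:
    """Equivalent host-firewall rules: accept port 25 only from the
    provider's networks, drop every other SMTP connection."""
    rules = [f"-A INPUT -p tcp --dport {SMTP_PORT} -s {net} -j ACCEPT"
             for net in FILTER_PROVIDER_NETS]
    rules.append(f"-A INPUT -p tcp --dport {SMTP_PORT} -j DROP")
    return rules


# The bracketed address in a Received line is the peer IP recorded by the
# server that added the line; the topmost line is our own server's hop.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_hop_ip(received: List[str]) -> Optional[str]:
    """received[0] is the newest Received header, i.e. the hop into us."""
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return m.group(1) if m else None


def bypassed_filter(received: List[str]) -> bool:
    """True if the message reached us without passing the provider."""
    ip = first_hop_ip(received)
    return ip is None or not allowed_smtp_client(ip)


# Constructed Received headers in the same shape as the one in the thread
VIA_FILTER = [
    "from relay1.filter.example (relay1.filter.example [192.0.2.10]) "
    "by mail.example.net; Sun, 24 Aug 2003 09:00:00 -0400",
    "from SPARKY (host.dyn.example.org [203.0.113.45]) "
    "by relay1.filter.example; Sun, 24 Aug 2003 08:59:58 -0400",
]
DIRECT = [
    "from SPARKY (host.dyn.example.org [203.0.113.45]) "
    "by mail.example.net; Sun, 24 Aug 2003 08:48:15 -0400",
]

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print("via filter bypassed:", bypassed_filter(VIA_FILTER))
    print("direct bypassed:", bypassed_filter(DIRECT))
```

Only the newest Received header is trusted here; lower ones were written by other servers and can say anything. The DIRECT sample is the situation NHD describes, where the worm's host connects to the domain's MX directly and the filtering service never sees the message.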