Discussion:
sobig.f and MX records
Darkage
2003-08-21 15:13:13 UTC
Does anyone know if the sobig.f virus only tries the primary MX record and
not the secondary if the primary is unreachable?
n***@novirus.com
2003-08-22 00:57:41 UTC
That's downright clever, for self-defense.

Maybe somebody who receives actual worms (I only get bounces) can look at the
headers and find the answer.
Post by Darkage
Does anyone know if the sobig.f virus only tries the primary MX record and
not the secondary if the primary is unreachable?
--
Ken
Darkage
2003-08-23 01:56:04 UTC
Yeah, the virus uses the secondary MXs if the primary is down. My
workplace was receiving 20,000 Sobig.F-infected emails a day. This isn't a
problem with detecting and deleting the emails, just 20,000 x the 72k
attachment = 1.4 GB downloaded minimum per day; email size was more like
99k. First I tried blocking IPs of infected people. Got the list down to
1033 addresses. As soon as I put that in place it worked, but almost straight
away different infected people showed up, and adding a block of that size to a
Unix packet filter... yikes. So the one last thing that worked was to set the mail
server (Postfix) to deny clients that do not have a proper FQDN. That seemed
to block out a huge bunch of the emails. Instead of getting an infected
email once a second, now I'm getting one every 2 minutes. The download
bill at work is going to be big. It managed to download 5.1 GB of these
infected emails over two and a half days.
Post by Darkage
Does anyone know if the sobig.f virus only tries the primary MX record and
not the secondary if the primary is unreachable?
Seeing that,
| Received: from I7T5I8 ([24.174.235.158]) by mailin02.sul.t-online.de
| with esmtp id 19pF81-1DxLaS0; Wed, 20 Aug 2003 00:39:01 +0200
| Subject: Re: Thank you!
| Date: Tue, 19 Aug 2003 17:38:57 --0500
| X-MailScanner: Found to be clean
| Importance: Normal
| X-MSMail-Priority: Normal
| X-Priority: 3 (Normal)
| MIME-Version: 1.0
| X-Seen: false
| X-Mailer: T-Online eMail 4.111
| Content-Type: multipart/mixed;
| boundary="_NextPart_000_025861EB"
| -----
| Received: from I7T5I8 ([24.174.235.158]) by mailin02.sul.t-online.de
| with esmtp id 19pF94-1JobC40; Wed, 20 Aug 2003 00:40:06 +0200
| Subject: Re: Your application
| Date: Tue, 19 Aug 2003 17:40:00 --0500
| X-MailScanner: Found to be clean
| Importance: Normal
| X-MSMail-Priority: Normal
| X-Priority: 3 (Normal)
| MIME-Version: 1.0
| X-Seen: false
| X-Mailer: T-Online eMail 4.111
| Content-Type: multipart/mixed;
| boundary="_NextPart_000_025955FB"
| -----
| Received: from I7T5I8 ([24.174.235.158]) by mailin04.sul.t-online.de
| with esmtp id 19pF9s-26LSL20; Wed, 20 Aug 2003 00:40:56 +0200
| Subject: Your details
| Date: Tue, 19 Aug 2003 17:40:53 --0500
| X-MailScanner: Found to be clean
| Importance: Normal
| X-MSMail-Priority: Normal
| X-Priority: 3 (Normal)
| MIME-Version: 1.0
| X-Seen: false
| X-Mailer: T-Online eMail 4.111
| Content-Type: multipart/mixed;
| boundary="_NextPart_000_025A2603"
| -----
| Received: from I7T5I8 ([24.174.235.158]) by mailin01.sul.t-online.de
| with esmtp id 19pFB9-2J30PQ0; Wed, 20 Aug 2003 00:42:15 +0200
| Subject: Re: Thank you!
| Date: Tue, 19 Aug 2003 17:42:11 --0500
| X-MailScanner: Found to be clean
| Importance: Normal
| X-MSMail-Priority: Normal
| X-Priority: 3 (Normal)
| MIME-Version: 1.0
| X-Seen: false
| X-Mailer: T-Online eMail 4.111
| Content-Type: multipart/mixed;
| boundary="_NextPart_000_025B55C5"
I don't think so. But maybe there is a load balancer in between.
Gabriele Neukam
--
Ah, information. A good too valuable these days to give it away, just
so, at no cost.
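The header check Ken suggests and Gabriele carries out by hand, together with the non-FQDN client rejection Darkage describes, as an added example that is not part of the original thread. It takes the four Received lines quoted above as constructed sample input (assumption: in this receiver's header format the name right after "from" is what the client sent in HELO/EHLO), tallies which receiving hosts the one sender IP reached, and applies a simplified version of the check behind Postfix's `reject_non_fqdn_hostname` HELO restriction (set on `smtpd_helo_restrictions`, with `smtpd_helo_required = yes`; `reject_unknown_client` on `smtpd_client_restrictions` is the reverse-DNS counterpart, and either fits what Darkage reports doing). The host and IP values are from the quoted headers; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the four Received lines quoted in the thread, with their
# Subject lines, as separate messages. Real messages carry many more fields.
SAMPLE_MESSAGES = [
    "Received: from I7T5I8 ([24.174.235.158]) by mailin02.sul.t-online.de\n"
    "\twith esmtp id 19pF81-1DxLaS0; Wed, 20 Aug 2003 00:39:01 +0200\n"
    "Subject: Re: Thank you!\n",
    "Received: from I7T5I8 ([24.174.235.158]) by mailin02.sul.t-online.de\n"
    "\twith esmtp id 19pF94-1JobC40; Wed, 20 Aug 2003 00:40:06 +0200\n"
    "Subject: Re: Your application\n",
    "Received: from I7T5I8 ([24.174.235.158]) by mailin04.sul.t-online.de\n"
    "\twith esmtp id 19pF9s-26LSL20; Wed, 20 Aug 2003 00:40:56 +0200\n"
    "Subject: Your details\n",
    "Received: from I7T5I8 ([24.174.235.158]) by mailin01.sul.t-online.de\n"
    "\twith esmtp id 19pFB9-2J30PQ0; Wed, 20 Aug 2003 00:42:15 +0200\n"
    "Subject: Re: Thank you!\n",
]

# "from <helo> ([<ip>]) by <host>": the first token after "from" is taken to be
# the client's HELO argument (assumption about this receiver's header format).
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.MULTILINE,
)
# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def unfold(raw):
    """Join folded header continuation lines so each field is on one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def parse_received(raw):
    """Return (helo, ip, by) from the first Received line, or None."""
    m = RECEIVED_RE.search(unfold(raw))
    return (m.group("helo"), m.group("ip"), m.group("by")) if m else None


def is_fqdn_helo(name):
    """Simplified reject_non_fqdn_hostname test: accept an address literal
    like [192.0.2.1]; otherwise require at least two valid labels and a
    top-level label that is not purely numeric."""
    if name.startswith("[") and name.endswith("]"):
        return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", name[1:-1]) is not None
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return False
    return not labels[-1].isdigit()


def hosts_per_sender(messages):
    """Map sender IP -> sorted distinct receiving hosts it delivered to."""
    seen = defaultdict(set)
    for raw in messages:
        parsed = parse_received(raw)
        if parsed:
            seen[parsed[1]].add(parsed[2])
    return {ip: sorted(hosts) for ip, hosts in seen.items()}


def rejected_helos(messages):
    """Sorted (ip, helo) pairs that the non-FQDN HELO check would refuse."""
    bad = set()
    for raw in messages:
        parsed = parse_received(raw)
        if parsed and not is_fqdn_helo(parsed[0]):
            bad.add((parsed[1], parsed[0]))
    return sorted(bad)


if __name__ == "__main__":
    for ip, hosts in hosts_per_sender(SAMPLE_MESSAGES).items():
        print(ip, "reached", ", ".join(hosts))
    for ip, helo in rejected_helos(SAMPLE_MESSAGES):
        print(f"{ip}: HELO {helo!r} is not a FQDN; reject_non_fqdn_hostname would refuse it")
```

On the quoted sample the one sender reaches three different mailin hosts, which is the observation behind Gabriele's "I don't think so", and its HELO name I7T5I8 has no dot at all, so the restriction Darkage enabled refuses it before any attachment is transferred. The real Postfix check is stricter about hostname syntax than this approximation, and the bandwidth saving only holds if every host that accepts mail for the domain, backup MXs included, enforces the same restriction.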
Nick FitzGerald
2003-08-24 11:51:01 UTC
Post by Darkage
Does anyone know if the sobig.f virus only tries the primary MX record and
not the secondary if the primary is unreachable?
I've not looked at what Sobig.F does in this regard, but earlier variants
prefer non-primary MX handlers. There is much speculation over whether this
is due to the virus writer being confused about whether larger or smaller
MX preference values mean more or less preferred, or a deliberate attempt
to target secondary handlers as these usually "must" accept mail and are
(perhaps) less likely to do virus scanning (or other content filtering).


--
Nick FitzGerald
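The MX preference semantics behind Nick's point, as an added example that is not from the original posts: MX records are tried in ascending order of their preference value (RFC 974, restated in RFC 2821 section 5), so the lowest value is the primary handler and a sender that reads the value the other way round lands on the backup. The block parses a constructed dig-style answer section for a hypothetical domain, example.net, produces both orderings, simulates failover when the primary is unreachable (Darkage's original question), and classifies a receiving host as primary or backup so mail that came in through a backup handler can be flagged. Domain, host and function names are mine.

```python
import re

# Constructed dig-style answer section for a hypothetical domain. Lower
# preference value means more preferred, so mx1 is the primary handler.
SAMPLE_MX_ANSWER = """\
example.net.   3600  IN  MX  10 mx1.example.net.
example.net.   3600  IN  MX  20 mx2.example.net.
example.net.   3600  IN  MX  30 backup.example.net.
"""

MX_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$", re.MULTILINE
)


def parse_mx(answer):
    """Return [(preference, host), ...] from dig-style MX lines."""
    return [(int(m.group("pref")), m.group("host").rstrip("."))
            for m in MX_RE.finditer(answer)]


def delivery_order(records, inverted=False):
    """Hosts in the order a sender should try them: ascending preference.
    inverted=True gives the order a client that reads the value backwards
    would use. Equal preferences keep input order here; the RFC says to
    pick among them at random."""
    key = (lambda r: -r[0]) if inverted else (lambda r: r[0])
    return [host for _, host in sorted(records, key=key)]


def first_reachable(order, unreachable):
    """Simulate failover: the first host in order that is not down."""
    for host in order:
        if host not in unreachable:
            return host
    return None


def classify_receiving_host(host, records):
    """'primary' for a lowest-preference MX, 'backup' for any other MX of the
    domain, 'unknown' if the host is not an MX at all. Mail classified as
    'backup' took the path a worm preferring non-primary handlers would use."""
    if not records:
        return "unknown"
    best = min(pref for pref, _ in records)
    for pref, mx in records:
        if mx == host.rstrip("."):
            return "primary" if pref == best else "backup"
    return "unknown"


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_MX_ANSWER)
    print("RFC order:      ", delivery_order(recs))
    print("inverted order: ", delivery_order(recs, inverted=True))
    print("primary down -> ", first_reachable(delivery_order(recs), {"mx1.example.net"}))
    print("backup.example.net is", classify_receiving_host("backup.example.net", recs))
```

Whichever reading a worm uses, the defensive consequence is the same one Nick describes: a backup handler that accepts everything and simply queues it for the primary is the weakest point in the chain, so it needs the same scanning and client restrictions as the primary, and a sudden rise in mail classified as "backup" while the primary is healthy is worth an alert.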
