On May 16, 2005, at 9:00 AM, Mike Blonder wrote:
I am also getting inundated with German gibberish spam. Would you mind
explaining the significance (if any) of the email address that you posted? I
am finding that the German gibberish garbage is spoofing a different email
address with each posting.
I'm new to the sleuthing aspect, so forgive me if I'm off base here... (education/explanations always welcome! Plus it's made harder because the messages I have to work with are on a Unix system, with mangled headers off an Exchange final destination.)
I know that usually they alter the headers and spoof (viruses, that is), but I thought it strange that we've been hammered by Sober.P with that same address showing up over and over again in our amavis logs:
# grep 24-25-128-223 amavis.log|grep Sober.P |wc -l
16546
Usually it should vary things, I'd think. But then one of the first German gibberish messages I had found in a mailbox had the following right in the header:
Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
Coincidence? The first set I grepped was the IP of Sober.P's being stopped at the bastion server over the past couple of weeks, looking for that specific IP name. The second was a sample German message that managed to find its way to the administrator mail account on the Exchange server.
I mean... spoofing I understand, and expect... but is it really coincidental that these just happened to hit that IP? That's why I wondered if maybe there wasn't a link between the two... that Sober.P is now a mass-mailing spam tool.
Are there any analysis papers out on Sober.P yet? And can anyone else corroborate the theory I have, or am I totally off base here? I'm still trying to figure it out from what I can piece together between phone calls for other tasks here :-)
_______________________________________________ http://lurker.clamav.net/list/clamav-users.html
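The correlation the poster is doing by hand (grep the amavis log for the worm signature and one IP, then eyeball the Received: header of a spam sample) can be done for every source IP at once. The following script is an added example and is not from the thread, from amavisd or from ClamAV; the log format, the host `bastion.example.org`, and all sender addresses are constructed, and the only value taken from the post is the client IP 24.25.128.223. It tallies worm detections per connecting IP, groups the spoofed From: addresses of a spam sample by the IP recorded in the Received: header that your own gateway wrote, and reports IPs that appear in both sets.

```python
import re
from collections import Counter, defaultdict
from email import message_from_string

# Matches the literal IPv4 address an MTA records in square brackets, in
# both amavis log lines and Received: headers.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample log in an amavis-like layout (the field order is an
# assumption, not amavisd's exact output); the IP is the one from the post.
SAMPLE_AMAVIS_LOG = """\
May 16 08:59:01 bastion amavis[1234]: (01234-01) Blocked INFECTED (Worm.Sober.P) [24.25.128.223] <alice@example.net> -> <admin@example.org>
May 16 08:59:07 bastion amavis[1234]: (01234-02) Blocked INFECTED (Worm.Sober.P) [24.25.128.223] <bob@example.com> -> <admin@example.org>
May 16 09:00:12 bastion amavis[1234]: (01234-03) Passed CLEAN [198.51.100.7] <carol@example.org> -> <admin@example.org>
"""

# Constructed sample spam: every message carries a different (spoofed) From:,
# but the Received: line written by our own gateway names the real client IP.
SAMPLE_SPAM = [
    "From: hans@example.de\n"
    "Received: from oncsbuv.com (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])\n"
    "\tby bastion.example.org with SMTP; Mon, 16 May 2005 08:58:00 -0400\n"
    "Subject: Hallo\n\nbody\n",
    "From: uta@example.at\n"
    "Received: from qwert.net (aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])\n"
    "\tby bastion.example.org with SMTP; Mon, 16 May 2005 09:01:00 -0400\n"
    "Subject: Hallo\n\nbody\n",
    "From: karl@example.ch\n"
    "Received: from relay.example.invalid (relay.example.invalid [198.51.100.7])\n"
    "\tby bastion.example.org with SMTP; Mon, 16 May 2005 09:02:00 -0400\n"
    "Subject: Hallo\n\nbody\n",
]


def count_hits_by_ip(log_text, signature):
    """Tally log lines containing `signature` by the bracketed client IP.

    This generalises `grep <ip> amavis.log | grep <signature> | wc -l`:
    instead of counting the one IP you already suspect, it returns every
    source IP with its hit count, so a single dominant source stands out.
    """
    hits = Counter()
    for line in log_text.splitlines():
        if signature in line:
            m = IPV4_IN_BRACKETS.search(line)
            if m:
                hits[m.group(1)] += 1
    return hits


def origin_ip(raw_message, trusted_hop=0):
    """Return the client IP from the Received: header at index `trusted_hop`
    (0 = topmost, i.e. the header added last).  Only headers written by MTAs
    you control are trustworthy; everything below them arrived with the
    message and can be forged, exactly like the From: line.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if trusted_hop >= len(received):
        return None
    m = IPV4_IN_BRACKETS.search(received[trusted_hop])
    return m.group(1) if m else None


def senders_by_origin(raw_messages):
    """Group the (spoofed) From: addresses of a spam sample by real origin IP."""
    by_ip = defaultdict(set)
    for raw in raw_messages:
        ip = origin_ip(raw)
        if ip:
            by_ip[ip].add(message_from_string(raw)["From"])
    return dict(by_ip)


def shared_sources(worm_hits, spam_senders):
    """IPs that both delivered the worm and sent messages in the spam sample."""
    return sorted(set(worm_hits) & set(spam_senders))


if __name__ == "__main__":
    worm = count_hits_by_ip(SAMPLE_AMAVIS_LOG, "Sober.P")
    spam = senders_by_origin(SAMPLE_SPAM)
    for ip in shared_sources(worm, spam):
        print(f"{ip}: {worm[ip]} worm hits, spoofed senders {sorted(spam[ip])}")
```

On real data, feed `count_hits_by_ip` the full amavis log and `senders_by_origin` the raw spam messages pulled off the Exchange mailbox; if a handful of IPs dominate both lists, that is evidence of a shared source, whereas spoofing only of the From: line would leave the Received: IP varying across the sample.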