[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:51
>Some more info...
>I see in our amavis logs on our ClamAV system (postfix pre-filter
>FreeBSD for email) this kind of listing...
>/usr/local/sbin/amavisd[35705]: (35705-10) Blocked INFECTED
>(Worm.Sober.P), <[EMAIL PROTECTED]> ->
><f-Ge2_bV@<address snipped>>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0
>That address had been hammering us over and over for awhile with
>sober.p. Now it's become quiet.

That's the typical Sober "break" after its first phase...

>I notice a huge amount of german messages coming in,

That's the second phase of a Sober attack: sending Nazi propaganda (in bad German) and spam :-(
Background: Next week there is an election in one district of Germany... that should be disturbed by those mails.

>getting past the AV and our spam filter.
>I went into the Exchange server and there was
>one sample message in one of the recipient mailboxes with the
>following in the headers:
>Received: from oncsbuv.com
>(aolclient-24-25-128-223.aol.nycap.res.rr.com [24.25.128.223])
>The message has the German subject line

Maybe you should have simply entered it into Google? I'm quite sure that Google would have led you to the right place. Yes, Google can search for German strings too! IMHO ;-)

>and the text appears to be just a link to a website...?

Yes, it is. Many of them are pointing to websites of reputable printed newsletters/magazines like "Der Spiegel".

>Perhaps we now know what happened to sober.p?

See:
http://www.viruslist.com/en/weblog
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU&VSect=P
Details in German:
http://www.heise.de/newsticker/meldung/59562

>(anyone know offhand how to use the access file for postfix to reject
>a message by *sender* instead of recipient?)

Write complaints to the owners of the IP blocks! The "MAIL FROM" is always faked. The URL owner is mostly "innocent" too.
Block all mails from dynamic IPs. They are 99,99% spam.
Rainer
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
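An added example, not from the post or from amavisd/ClamAV, that parses log lines in the shape of the amavis entry quoted above and flags envelope senders repeatedly blocked for the same worm. The field layout is assumed from that single sample line, and the log lines and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Pattern for the amavisd "Blocked" line shape quoted in the post; the field layout
# is assumed from that single sample, so adjust it to your amavisd version.
AMAVIS_BLOCKED = re.compile(
    r"amavisd\[(?P<pid>\d+)\]: \((?P<task>[\d-]+)\) Blocked (?P<verdict>[A-Z-]+) "
    r"\((?P<malware>[^)]+)\), <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>, "
    r"Hits: (?P<hits>-|[\d.]+), tag=(?P<tag>\d+), tag2=(?P<tag2>\d+), kill=(?P<kill>\d+)"
)

def parse_blocked(line):
    """Return a dict of fields for an amavisd 'Blocked' line, or None for other lines."""
    m = AMAVIS_BLOCKED.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hits"] = None if ev["hits"] == "-" else float(ev["hits"])  # '-' means no spam score
    for key in ("tag", "tag2", "kill"):
        ev[key] = int(ev[key])
    return ev

def repeat_senders(lines, threshold=3):
    """Count INFECTED events per (envelope sender, malware) and return those at/above threshold.
    Sober forges MAIL FROM, so a hit marks a noisy source to trace by IP, not an address to block."""
    counts = Counter()
    for line in lines:
        ev = parse_blocked(line)
        if ev and ev["verdict"] == "INFECTED":
            counts[(ev["sender"], ev["malware"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample log lines in the shape of the post's entry; addresses are placeholders.
SAMPLE_LOG = [
    "May 16 08:40:01 mx amavisd[35705]: (35705-10) Blocked INFECTED (Worm.Sober.P), "
    "<forged@example.org> -> <alice@example.com>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0",
    "May 16 08:40:07 mx postfix/smtpd[4410]: connect from unknown[192.0.2.10]",
    "May 16 08:41:12 mx amavisd[35705]: (35705-11) Blocked INFECTED (Worm.Sober.P), "
    "<forged@example.org> -> <bob@example.com>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0",
    "May 16 08:42:30 mx amavisd[35706]: (35706-02) Blocked SPAM (spam), "
    "<ads@example.net> -> <carol@example.com>, Hits: 12.3, tag=0, tag2=4, kill=6, L/0/0/0",
    "May 16 08:43:55 mx amavisd[35705]: (35705-12) Blocked INFECTED (Worm.Sober.P), "
    "<forged@example.org> -> <dave@example.com>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0",
    "May 16 08:44:01 mx amavisd[35707]: (35707-01) Blocked INFECTED (Worm.Sober.P), "
    "<other@example.net> -> <erin@example.com>, Hits: -, tag=0, tag2=4, kill=4, L/0/0/0",
]

if __name__ == "__main__":
    for (sender, malware), n in repeat_senders(SAMPLE_LOG).items():
        print(f"{n}x {malware} claiming to be from <{sender}>")
```

The `Received:` header from the sample message, not the forged envelope sender, is what identifies the submitting host for a complaint to the IP block owner.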