It's easy to block. Check the handler's Diary at http://isc.sans.org/ and follow the links.
Cheers,
Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Silverstrim
> Sent: 16 May 2005 16:05
> To: ClamAV users ML
> Subject: Re: [Clamav-users] sober.p and german adverts?
>
> On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
>
> > [EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:51
> >
> > Maybe you should have simply entered it into google?
> > I'm quite sure that google would have led you to the right place.
> > Yes, google can search for German strings too! IMOH ;-)
>
> I did enter it in when I first discovered it, but there were no hits.
> I thought perhaps it was too new at the time, and then turned to the lists to corroborate what I was seeing.
>
> >> and the text appears to be just a link to a website...?
> >
> > Yes, it is.
> > Many of them are pointing to websites of reputed printed newsletters/magazines like "Der Spiegel".
>
> Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters...or at least not enough to cross the threshold of spam vs. regular mail.
>
> >> Perhaps we now know what happened to sober.p?
> >
> > See:
> >
> > http://www.viruslist.com/en/weblog
> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU&VSect=P
> > Details in German:
> > http://www.heise.de/newsticker/meldung/59562
>
> Well...I'm somewhat proud of myself that so far my hunches and (amateurish) deductions had me on the right track :-)
>
> >> (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)
> >
> > Write complaints to the owners of the IP blocks!
> > The "MAIL FROM" is always faked.
> > The URL-owner is mostly "innocent" too.
> >
> > Block all mails from dynamic IP.
> > They are 99,99% spam.
>
> Is there a way to do that with the access file/postmap in postfix?
> Block sender IPs/IP blocks?
>
> I thought it was odd that our hammering from particular sober.p infections were consistent in IP. If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over?
>
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html
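For the Postfix question raised in the thread (rejecting on the connecting client's IP block rather than on the forged MAIL FROM), here is an added example configuration; it is not from the thread or from the Postfix project, and the IP ranges, the `dnsbl.example` zone and the `badworm.example` domain are constructed placeholders.

```conf
# /etc/postfix/main.cf (added example, not from the thread)
#
# The envelope sender of Sober-style worm mail is forged, so matching on
# MAIL FROM does not stop it; restrict on the connecting client IP instead.
# reject_rbl_client takes a DNSBL zone: dnsbl.example is a placeholder to
# be replaced with a real dynamic/dial-up address list.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access,
    reject_rbl_client dnsbl.example,
    permit

# A sender table still catches a fixed forged domain, but not a worm that
# rotates the envelope sender on every message.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access

# /etc/postfix/client_access
# cidr: tables are read directly (no postmap step) and the first matching
# line wins, so list narrow exceptions before the broad block.
# Ranges are RFC 5737 documentation addresses, constructed for this example.
192.0.2.25/32          OK
192.0.2.0/24           REJECT dynamic address space, relay via your ISP
198.51.100.0/24        REJECT

# /etc/postfix/sender_access
# hash: tables must be compiled: postmap hash:/etc/postfix/sender_access
# Keys match the envelope MAIL FROM address, its domain, or a parent domain.
badworm.example        REJECT
```

Before reloading, `postmap -q 192.0.2.30 cidr:/etc/postfix/client_access` shows which line a given client address would hit, which is the quickest way to confirm that the exception ordering does what was intended.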