SOBIG.e has been very very active, so the volume wouldn't surprise me.  There
hasn't been much released about how it chooses its recipients and senders,
but the consensus is that at least the sender is randomly constructed from
parts of email addresses it collects.  The attachment name is what really
gave away that this was sobig.e - you_details.zip and a few others are the
payload of the virus.  See
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.E&VSect=T
for more info on that.

I don't think that emails referring to viagra are going to be related, but
then I don't know what is actually inside the zip file that the victim sees,
so it's possible that it's an ad for viagra, but I doubt it.

Jerry
----- Original Message ----- 
From: "SqM" <[EMAIL PROTECTED]>
To: "Jerry Bell" <[EMAIL PROTECTED]>
Cc: "Michael Long" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Sunday, June 29, 2003 3:02 PM
Subject: Re: [SAtalk] Spammers using bounces and encoding


In my case I have seen approx. 5000 bounces from mailservers
around the world during the last week bouncing back to my mailserver..

The sending address in the mail that bounced is still
<[EMAIL PROTECTED]> where "someuser" changes all the time..
"someuser" does not exist at all..

Would that still have something to do with SOBIG.e?

In some cases there seems to be an attachment. In other cases
there are viagra ads within..

/SqM


> The email you included isn't spam, it's SOBIG.e.
>
> Jerry
> http://www.syslog.org
> ----- Original Message -----
> From: "Michael Long" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, June 29, 2003 11:50 AM
> Subject: [SAtalk] Spammers using bounces and encoding
>
>
> I know this isn't a new thing necessarily in the internet world, but it's
> new for me.  Lately in the past week I've gotten 3 or 4 bounces that came
> from spammers. Apparently they set it up so that a legit (or maybe not
> legit) mail server bounces back the full email to the recipients.  This is
> getting by spamassassin quite easily (.1 hits).  Do you guys have anything
> I can do?
>
> The other thing this spammer did was encode their entire email so a simple
> content scan would not work...
>
>
> Here's an example:
> (I took out boring header lines...)
> Date: Sun, 29 Jun 2003 06:41:26 +0000
> From: Mail Delivery System <[EMAIL PROTECTED]>
> Subject: Mail delivery failed: returning message to sender
> X-Failed-Recipients: [EMAIL PROTECTED]
> X-AntiAbuse: This header was added to track abuse,
>  please include it with any abuse report
> X-AntiAbuse: Primary Hostname - server3.serverbiz.net
> X-AntiAbuse: Original Domain - infoave.net
> X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-AntiAbuse: Sender Address Domain -
> Resent-From: [EMAIL PROTECTED]
> X-Spam-Status: No, hits=0.1 required=5.0
> tests=AWL,MAILER_DAEMON,UPPERCASE_25_50
> version=2.55
> X-Spam-Level:
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
>
> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
>   [EMAIL PROTECTED]
>     User  set for local_delivery transport is on the never_users list:
>     retry timeout exceeded
>
> ------ This is a copy of the message, including all the headers. ------
> ------ The body of the message is 111498 characters long; only the first
> ------ 106496 or so are included here.
>
> Return-path: <[EMAIL PROTECTED]>
> Received: from [217.39.72.206] (helo=JIMCARTER)
> by server3.serverbiz.net with esmtp (Exim 4.20)
> id 19VZ4R-0007WP-Ls
> for [EMAIL PROTECTED]; Thu, 26 Jun 2003 15:53:59 +0000
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: Movie
> Date: Thu, 26 Jun 2003 16:53:33 +0100
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="CSmtpMsgPart123X456_000_0ED0AD2B"
> Message-Id: <[EMAIL PROTECTED]>
>
> This is a multipart message in MIME format
>
> --CSmtpMsgPart123X456_000_0ED0AD2B
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
>
> Please see the attached zip file for details.
> --CSmtpMsgPart123X456_000_0ED0AD2B
> Content-Type: application/octet-stream;
> name="your_details.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> filename="your_details.zip
>
>
> UEsDBBQAAgAIALCG2i789YYSm0ABAABSAQALAAAAZGV0YWlscy5waWbssmOMLkzbrnl3r7Zt27Zt
> 27Ztd6+2jdW2bdu27V5tc55vv9/eM5nJzPyZZP48R1I5qq46U7mqUrJa8YBfAAAA5J/x8wMAtAH+
> ...more encoded trash here.....
>
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by: Free pre-built ASP.NET sites including
> Data Reports, E-commerce, Portals, and Forums are available now.
> Download today and enter to win an XBOX or Visual Studio .NET.
> http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
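Added example, not part of the original thread: the base64 in the quoted bounce is only a MIME transfer encoding, so a scanner can decode the start of the attachment and read the ZIP local file header to see what `your_details.zip` actually contains, even when the bounce truncates the body. The extension list and function name are assumptions made for this illustration.

```python
import base64
import os.path
import re
import struct

# First base64 line of your_details.zip, copied from the bounce quoted above.
SAMPLE_B64 = "UEsDBBQAAgAIALCG2i789YYSm0ABAABSAQALAAAAZGV0YWlscy5waWbssmOMLkzbrnl3r7Zt27Zt"

# Assumption: illustrative list of Windows-executable extensions, not exhaustive.
RISKY_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

# 30-byte ZIP local file header: signature, version, flags, method,
# DOS time, DOS date, CRC-32, compressed size, uncompressed size,
# filename length, extra-field length (all little-endian).
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def first_zip_member(b64_text):
    """Return details of the first file in a base64-encoded ZIP, or None.

    Works on a prefix of the attachment, so a bounce that truncates the
    body or prefixes lines with '>' can still be inspected.
    """
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", b64_text)     # drop '>', whitespace, '='
    cleaned = cleaned[: len(cleaned) - len(cleaned) % 4]  # whole 4-char groups only
    data = base64.b64decode(cleaned)
    if len(data) < LOCAL_HEADER.size:
        return None
    (sig, _ver, _flags, method, _time, date,
     _crc, _csize, usize, name_len, _extra_len) = LOCAL_HEADER.unpack_from(data)
    name_bytes = data[LOCAL_HEADER.size:LOCAL_HEADER.size + name_len]
    if sig != b"PK\x03\x04" or len(name_bytes) < name_len:
        return None
    name = name_bytes.decode("cp437", "replace")
    return {
        "name": name,
        "method": method,                      # 8 = deflate
        "uncompressed_size": usize,
        # DOS date: bits 15-9 year since 1980, bits 8-5 month, bits 4-0 day
        "modified": "%04d-%02d-%02d" % ((date >> 9) + 1980, (date >> 5) & 0xF, date & 0x1F),
        "risky": os.path.splitext(name.lower())[1] in RISKY_EXT,
    }


if __name__ == "__main__":
    print(first_zip_member(SAMPLE_B64))
```

On the quoted sample this reports a single inner file named `details.pif`, stamped 2003-06-26, which a filter can reject on extension alone without decompressing anything.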
