[plug] has anyone had any involvement with the "sober" virus?

Ryan ryan at is.as.geeky.as
Fri May 20 13:03:43 WST 2005


On Fri, 2005-05-20 at 12:55 +0800, Senectus . wrote:
> It's the one that spams German propaganda via its own SMTP when infected.
> I'm at a site that I *think* has been infected and I've started doing
> what I can to halt it so I can track it and clean it..
> I blocked port 25 on the firewall for anything other than the mail
> server and I fully expected to see the logs filling up with "denies",
> but the only denies I'm seeing are from my test runs of "telnet
> mail.westnet.com.au 25" .... (it's been blocked for hours now)
> It's making me think that I've missed something or the virus isn't
> actually from here and that all the bounce messages are actually
> spoofed addresses..
> Any suggestions?

(in our case) The bounce messages are from spoofed messages.  (in our
case) The addresses spoofed have been obtained from websites - I know
this from certain bait addresses we've set up.

There seems to be about 2 days of bounce messages to the addresses (a
few hundred emails each) and then it dries up, never to be heard from
again.

Ryan
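As an added example (not code from the thread), the two checks this exchange turns on, in Python: counting firewall denies for outbound TCP/25 from anything other than the mail server, and testing whether a bounce's attached original ever passed through our own mail server. The log lines, the bounce, and the host names and addresses in it are constructed.

```python
import re
from collections import Counter
from email import message_from_string
# Constructed iptables-style deny lines (not from the thread); 192.0.2.10 is the assumed mail server.
MAIL_SERVER = "192.0.2.10"
FIREWALL_LOG = """\
May 20 12:55:01 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.0.2.37 DST=203.0.113.5 PROTO=TCP SPT=3301 DPT=25
May 20 12:55:02 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.0.2.37 DST=203.0.113.9 PROTO=TCP SPT=3302 DPT=25
May 20 12:55:03 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.0.2.37 DST=198.51.100.2 PROTO=TCP SPT=3303 DPT=25
May 20 12:57:00 fw kernel: WEB-DENY IN=eth1 OUT=eth0 SRC=192.0.2.37 DST=203.0.113.5 PROTO=TCP SPT=3304 DPT=80
"""
SMTP_DENY_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s.*\bPROTO=TCP\b.*\bDPT=25\b")
def smtp_deny_counts(log_text, mail_server=MAIL_SERVER):
    """Denied outbound TCP/25 attempts per source host, ignoring the mail server. One host
    hitting many destinations is the self-mailing worm pattern; no denies at all suggests backscatter."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SMTP_DENY_RE.search(line)
        if m and m.group("src") != mail_server:
            counts[m.group("src")] += 1
    return dict(counts)

# Constructed bounce to a bait address. The attached original's only Received line
# names a host outside our network, so our address was merely spoofed.
BOUNCE = """\
From: MAILER-DAEMON@remote.example.net
To: bait@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from zombie.example.net (zombie.example.net [198.51.100.77])
    by remote.example.net with SMTP; Fri, 20 May 2005 04:00:00 +0800
From: bait@example.org

(body omitted)
--B1--
"""
def bounce_is_backscatter(raw_bounce, our_hosts=("mail.example.org", "192.0.2.10")):
    """True when the bounced original has no Received header naming our mail server,
    i.e. some other host sent it directly while forging one of our addresses."""
    msg = message_from_string(raw_bounce)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload()[0]
            received = " ".join(original.get_all("Received", []))
            return not any(host in received for host in our_hosts)
    return False  # no attached original: this bounce alone cannot tell us
```

A site whose deny counts stay empty while bounces test as backscatter is in the situation Ryan describes: the addresses were harvested and forged elsewhere.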