Hi all,

SANS Internet Storm Center has some updates about the current virus spam. Seems to be caused by Sober (it is really interesting how monopolized viruses are today, sure the top 10 virus families account for 95% of virus mail traffic?). Some useful resources:

http://isc.sans.org/ (updated, now points to http://www.viruslist.com/en/weblog background)

http://www.heise.de/newsticker/meldung/59562 (German c't magazine - which by the way recently included a minimal FreeDOS on their mag. CD-ROM to run some included DOS utilities ;-)) --> follow the link "Kommentare lesen" below the article --> "Headerchecks fuer Spamassassin" and "header_checks fuer Postfix" contain a collection of the typical subject lines for this spam incident. Nice to feed your spam filter with.

Current stats: 100 bounces before my other mail to the freedos list earlier today, 100 fresh ones in the meantime, almost all of them caused by the GTE customer PC (same IP as mentioned by Owen) sending mail to unc.edu non-existing accounts in my name and those mails bouncing "back" to me. No idea why it uses unc.edu for relaying here.

But to answer the question from JAS: You cannot see the real sender NAME (but I guess it is Bill ;-)) but the mail headers (which your mail reader software or webmail should show when you select some "verbose" mode) contain a list of "Received" points which tells from where to where the mail travels. GTE and UNC were in many of those mails, and as UNC just bounced "back" the mails, I can conclude that they were originally sent by the PC of a GTE customer, but you cannot know which.

In addition, viruslist.com and heise tell that this is kind of a time-bomb incident: Sober-infected PCs automatically updated their virus to a new version a few days ago, and today the next time-bomb step started and all those PCs started mass-mailing the racist messages which they had fetched when self-upgrading to the newer Sober version.

You can imagine that more subtle cases of similar tactics are used every day by spammers to send us lots of "useful" mail without any bandwidth cost for the spammers themselves and with little risk for the spammers of getting caught. Maybe there should be a security screening ("can you spell a-n-t-i-v-i-r-u-s? do you use windowsupdate regularly?") before anybody is granted a DSL connection at home :-P.

Example "Received" list: (our university mail server) <-- (outgoing unc.edu mailserver) <-- (incoming unc.edu mailserver) / telling me: "mail from eric at coli... to (some freedos user) unc.edu failed", quoting a return path as (incoming unc.edu mailserver) <-- (randomdomain.de [IP at GTE.net]). So the GTE user PC calls itself somewhere.de, mails to unc.edu, which finds that the mail does not work out, replies to me, mail takes normal path to me...

Usually, error message mails are let through by spam filters, because they COULD be useful. Not useful - same for virus mails which trigger some filter which then mails somebody who is BELIEVED to have sent the virus about it, almost never reaching the RIGHT person. Could better suppress it.

Eric

PS: I think I can lean back and count filter hits now. Enjoy your spamfilter.

Freedos-devel mailing list: https://lists.sourceforge.net/lists/listinfo/freedos-devel
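The "Received" chain walk described in the post, as an added example that is not part of the original mail: it parses a constructed bounce header block (hypothetical hostnames, RFC 5737 test addresses) into chronological hops, renders the path in the "<--" notation used above, and flags the hop whose claimed name is not backed by reverse DNS, which is as far back as such a trail can be followed.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: a bounce-like header chain modelled on the post's description.
# Hostnames are hypothetical; IPs are RFC 5737 documentation addresses.
SAMPLE = """Received: from mx-out.example.edu (mx-out.example.edu [192.0.2.30])
\tby mail.coli.example (Postfix) with ESMTP id 1A2B3C
\tfor <eric@coli.example>; Mon, 16 May 2005 10:05:12 +0200
Received: from mx-in.example.edu (mx-in.example.edu [192.0.2.20])
\tby mx-out.example.edu with ESMTP id 4D5E6F; Mon, 16 May 2005 04:05:10 -0400
Received: from randomdomain.example (unknown [198.51.100.77])
\tby mx-in.example.edu with SMTP id 7G8H9I; Mon, 16 May 2005 04:05:01 -0400
From: eric@coli.example
Subject: Undelivered Mail Returned to Sender

(bounce body omitted)
"""

# Matches "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>".
# The HELO name is whatever the connecting machine claimed; only the IP and
# the reverse-DNS name in parentheses were recorded by the receiving MTA.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_hops(raw):
    """Return the Received chain in chronological order (origin first)."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))  # collapse folded continuation lines
        m = HOP_RE.search(text)
        if m:
            hops.append({"helo": m["helo"], "rdns": m["rdns"] or "?",
                         "ip": m["ip"] or "?", "by": m["by"]})
    hops.reverse()  # each MTA prepends its header, so the last header is the earliest hop
    return hops

def unverified_hops(hops):
    """Hops whose claimed HELO name is not confirmed by reverse DNS; the earliest
    such hop is where the trail stops (here: the PC behind the GTE address)."""
    return [h for h in hops if h["rdns"] in ("?", "unknown") or h["rdns"] != h["helo"]]

def chain(hops):
    """Render the path in the post's '<--' notation, final receiver on the left."""
    names = [hops[-1]["by"]] + [h["helo"] for h in reversed(hops)]
    return " <-- ".join(names)
```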
