
BLU Discuss list archive



Worm bait?



Glad to hear I'm not the only one seeing this type of activity. I received 86
attempts to send an email infected with sobig-f from a single host at
virginia.edu (128.143.65.85 to be precise) between 1330 and 2000 Monday.  The
same host has also been attempting to send email with the envelope set to my
tlyons alias and I've been seeing a bunch of undeliverables as a result.

Once I added the offending host to the access file the onslaught of
virus-ridden email stopped.  I tried to file a report to their abuse alias but
received disposition notification that the message had been deleted (!!!!).  A
phone call to their IT help desk yielded voicemail - so I'll follow up
tomorrow AM.

Is anyone else seeing traffic originating from this host?

--Tim 


On Tue, 19 Aug 2003 at 20:42 -0400 nmeyers at javalinux.net was 
heard to utter:

> From: nmeyers at javalinux.net
> To: Robert L Krawitz <rlk at alum.mit.edu>
> Cc: steve at stephencanthony.com, discuss at blu.org
> Date: Tue, 19 Aug 2003 20:42:43 -0400
> Subject: Re: Worm bait?
> 
> On Tue, Aug 19, 2003 at 08:33:34PM -0400, Robert L Krawitz wrote:
> >    From: Stephen Anthony <steve at stephencanthony.com>
> >    Date: 19 Aug 2003 19:55:39 -0400
> > 
> >    I received an email from a postfix mailer that tells me the message I
> >    sent bounced. All well and good, except I didn't send the message to
> >    begin with. Also, it says it was sent from my old attbi.com address
> >    (correct user name, tho) which I haven't used in a few months.
> > 
> >    I'm running my Evolution as my mail client, if that matters. 
> > 
> >    I'm concerned that someone may have gotten access to the attbi account
> >    and is sending mail as me. 
> > 
> >    Things I should do to investigate?
> > 
> > I've received a ton of these today.  I think that the latest worm de
> > l'heure is particularly aggressive at scanning systems for email
> > addresses and randomly using one as the sender.
> 
> I second that. I've gotten a lot of "you sent us a virus, you bastard"
> emails today, plus a note from weddingchannel.com thanking me for my
> interest in their services :-). The emails are definitely not coming
> from my system or my hosting provider.
> 
> Nathan Meyers
> nmeyers at javalinux.net







BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
