Full Disclosure mailing list archives

RE: SoBig.F strange problem


From: Denis Dimick <denis () dimick net>
Date: Tue, 19 Aug 2003 15:20:54 -0700 (PDT)

Just got off the phone with a small ISP out here in New Mexico.. Looks 
like one of their users has SoBig.f and is doing the same thing as Scott 
wrote about.. Not a lot you can do until ISPs fix their mail servers to 
disallow this type of activity..

-Denis

On Tue, 19 Aug 2003, Rainer Gerhards wrote:

Scott,

I know this problem, too. Fortunately not (yet) with SoBig.F, but with
other such viruses. The answer is simple: I am sending mail to a lot of
people. My mail address is also on a lot of web sites. This provides
excellent material for the virus to find my mail address (and now yours)
and then it can use that address to forge it as the sender address.

So don't take it personally. Sit back and relax. Anyhow, there is nothing
you can do against it...

Rainer

-----Original Message-----
From: Scott Phelps / Dreamwright Studios 
[mailto:scottp () dreamwright com] 
Sent: Tuesday, August 19, 2003 9:01 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] SoBig.F strange problem



All day today I've been getting copies of SoBig.F. I've 
gotten around 150 copies so far, and a large number of 
postmaster bounces saying that a copy sent from my address 
was undeliverable.

I know that SoBig forges the from address from files it finds 
on the victim's machine, but I can't for the life of me figure 
out why I'm the attempted victim for so many other copies. 
I'm not infected with the virus, I'm running antivirus that 
strips the attachment before it lands in my inbox, and I'm 
running a version of Outlook that disallows the attachment 
extensions that SoBig uses. I've run manual scans on all of 
my machines, in case of infection through a network share, 
but I don't have any of those from outside either. All the 
emails seem to be coming from different places, but around 
90% are using a from address of @msu.edu.

Is there some logical explanation why I'm being singled out 
here? My antivirus is driving me insane with popups, so I've 
had to shut down my mail program to get some work done.

I'm sorry for the off-topic nature of this question, but this 
makes no sense to me!

Scott


 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

