Sobig.F and spam proxy.

Thomas DuVally thomas_duvally at BROWN.EDU
Thu Aug 21 15:18:00 IST 2003 

        Well, Sobig.F may have had a bigger purpose than just to annoy us.
This article:
http://money.cnn.com/2003/08/21/technology/worm_spam.reut/
is suggesting that it is installing spam-proxy software.  We already
have cases of possible sobig connected spam on campus (no proxies, yet).

        The spam doesn't seem to be infected, but appears to be getting tagged
by our spam scanners. We have users filtering anyway, so we aren't too
worried here.

        This was the next logical step for spammers.  I know a lot of people
have been expecting for this for a while, ever since we found out that
spammers have been actively hacking systems for spam-proxy. It seems
they have been busy this summer.

Here is a sample header:
Note that the "X-Brown-MailScanner" says its clean. That is our header
tag. It has the "X-MailScanner" that SoBig has and a similar "Subject"

Microsoft Mail Internet Headers Version 2.0
Received: from draco.services.brown.edu ([128.148.19.208]) by
ad.brown.edu with Microsoft SMTPSVC(5.0.2195.5329);
         Wed, 20 Aug 2003 20:49:39 -0400
Received: from CAS-FACULTY-01 (mi401d07.memphis.edu [141.225.37.77])
        by draco.services.brown.edu (Switch-3.1.0/Switch-3.1.0/) with
ESMTP id h7L0naOx017002
        for <Paul_Asadoorian at brown.edu>; Wed, 20 Aug 2003 20:49:36 -0400
(EDT)
Message-Id: <200308210049.h7L0naOx017002 at draco.services.brown.edu>
From: <ylee at sportschosun.com>
To: <Paul_Asadoorian at brown.edu>
Subject: Re: Re: My details
Date: Wed, 20 Aug 2003 19:52:59 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="_NextPart_000_0224F0AB"
X-Brown-MailScanner: Found to be clean
X-Brown-MailScanner-SpamCheck: spam, SpamAssassin (score=6.5, required
5,
        BAYES_60, DATE_IN_PAST_03_06, FORGED_MUA_OUTLOOK, INVALID_DATE,
        MIME_BOUND_NEXTPART, MISSING_MIMEOLE, MSG_ID_ADDED_BY_MTA_3,
        NO_REAL_NAME)
X-Brown-MailScanner-SpamScore: ssssss
Return-Path: ylee at sportschosun.com
X-OriginalArrivalTime: 21 Aug 2003 00:49:39.0128 (UTC)
FILETIME=[19B41B80:01C3677E]


--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6

More information about the MailScanner mailing list